Discover more from Weapons and Strategy
The Washington Post and the Wall Street Journal reported on July 12, 2023 that Microsoft's cloud computing system was hacked by a Chinese group called Storm-0558. The attacks were described as impressive and stealthy. The Microsoft cloud platform hosts commercial and government clients, including the US Defense Department.
According to what we know so far, which admittedly isn't much, the Chinese hackers got into Microsoft's cloud email service in mid-May and operated there undetected for roughly a month, until mid-June. In other words, for weeks the Chinese spies had a free lunch at the expense of American security.
Chinese hacking of American cyber assets is nothing new. Despite strong efforts, the Defense Department and other government organizations (particularly the Department of Energy, which is responsible for nuclear weapons) have been hacked repeatedly.
A clear example is that some 50 gigabytes of sensitive information on the F-35 stealth jet fighter was vacuumed up by China, making it far easier for them to design their J-20 stealth jet.
Unfortunately, what we know about is only the tip of the iceberg. Hacking is difficult to discover in the best of circumstances. Cloud and network operators also don't want to know they have been hacked, because they face losing billions of dollars in business. And the US government does not want the public to know it has lost billions of investment dollars paid for by US taxpayers. Worst of all, US security always takes a hit when computer networks, including the cloud, are compromised.
It is important to know that the latest compromise was completely predictable. Back in 2018 I served on a panel of experts at Hudson Institute. Our panel discussed the Pentagon's then-plan to put all DOD data on a single cloud platform run by Amazon's Jeff Bezos. In part thanks to the serious questions we raised at the time, the Pentagon finally backed off a single cloud data repository and opted for breaking up DOD's cloud computing into a number of separate cloud contracts.
That decision helped, a little, in spreading around the risk, but it also introduced other problems.
For example, consider that the Microsoft platform combines commercial with government data. Consider also that because the government data, in this case apparently emails, were not classified, the stringent security rules that require cleared personnel did not apply.
The government's division between classified and unclassified computing is phoney baloney. Lots of sensitive technology, for example, is unclassified. If that information gets into the hands of a bad actor, such as China, US national security is compromised.
The government has a category called "Sensitive But Unclassified (SBU)," now largely folded into Controlled Unclassified Information (CUI). The idea behind it is to apply stricter handling and disclosure rules to information that is not classified but still sensitive.
Unfortunately there is no practical rulebook that says how to identify SBU information in day-to-day work. When it comes to emails that are ostensibly unclassified, there are no rules to speak of.
Applied to cloud computing, this means that Defense Department information in the cloud, even SBU, is not protected any better than commercial information.
One problem with commercially operated cloud systems is that the personnel working on them are very often foreigners. American high-tech companies hire thousands of foreign employees, bringing them to the United States under the H-1B visa program.
The problem is bigger than foreign workers. Security auditing, something DOD is supposed to perform for its own computers, does not extend to commercial platforms that are not under DOD control.
In 2018 we pointed out that the hardware used in both DOD and commercial computers mostly came from Asia. That, we warned, created a risk that entry points for hackers could come from compromised hardware. At that time we were aware that many commercial network routers had backdoors in them because they were made in China, or used Chinese components into which dangerous microcode could be inserted at the point of manufacture. We also pointed out that the Defense Department used commercial hardware across the spectrum of DOD operations, including deployed military systems.
Today it has grown even worse. The head of Raytheon recently said that the company depended on critical parts from Asia, including China, for its sensitive defense products. What is true for Raytheon no doubt applies to all US defense manufacturers and to many foreign producers too.
Whether we will actually get a full report on what Storm-0558 did depends on whether forensics can piece together the whole story, on the one hand, and on whether the government and Microsoft really want to reveal what happened, on the other.
Meanwhile Microsoft says that it has "mitigated" the intrusion since it was discovered. Microsoft also says that 25 organizations, including "governments," had been hacked; the victims extended to unnamed European government agencies. Microsoft's own account is that the group forged authentication tokens for Outlook Web Access and Outlook.com using an acquired Microsoft consumer-account signing key, which a validation flaw in Microsoft's code allowed to pass as valid for enterprise accounts. The intrusion was not discovered by the company but by the government, which noticed the anomalous mailbox access in its own audit logs. The government says: "We continue to hold the procurement providers of the U.S. Government to a high security threshold."
But even if the full damage is not revealed, or if the compromise is somehow swept under the rug, the fact remains that national security information is as much at risk in 2023 as it was in 2018 and for many years before that.
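The class of validation mistake Microsoft described, a signing key issued for consumer accounts being accepted for enterprise tokens, is easy to see in code. The following is an added illustration and not Microsoft's code or anything from the original post: it uses HMAC keys and made-up issuer URLs in place of the real RSA keys and endpoints, and contrasts a validator that resolves a token's key id across every trusted key set with one that scopes the lookup to the issuer the token claims.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed example: two token issuers, each with its own signing-key set.
# The key material and URLs are made up; real systems publish RSA/ECDSA keys
# in a JWKS document, but HMAC keeps the example self-contained.
ENTERPRISE = "https://login.example.test/enterprise"
CONSUMER = "https://login.example.test/consumer"

KEY_SETS = {
    ENTERPRISE: {"ent-key-1": b"enterprise-signing-secret-0001"},
    CONSUMER: {"msa-key-1": b"consumer-signing-secret-0001"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def mint_token(key: bytes, kid: str, claims: dict) -> str:
    """Sign a compact JWT-style token (HS256) with the given key and key id."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _split(token: str):
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(head_b64))
    claims = json.loads(_b64url_decode(body_b64))
    return header, claims, head_b64 + "." + body_b64, _b64url_decode(sig_b64)


def _signature_ok(key: bytes, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def validate_flat(token: str) -> Optional[dict]:
    """Flawed validator: resolves `kid` against every trusted key set, so a key
    that is legitimate for one issuer is accepted for tokens claiming any issuer."""
    header, claims, signing_input, sig = _split(token)
    for keys in KEY_SETS.values():
        key = keys.get(header.get("kid"))
        if key is not None and _signature_ok(key, signing_input, sig):
            return claims
    return None


def validate_scoped(token: str) -> Optional[dict]:
    """Hardened validator: the key is looked up only in the key set belonging
    to the issuer the token claims, and that issuer must be one we trust."""
    header, claims, signing_input, sig = _split(token)
    keys = KEY_SETS.get(claims.get("iss"))
    if keys is None:
        return None
    key = keys.get(header.get("kid"))
    if key is None or not _signature_ok(key, signing_input, sig):
        return None
    return claims


def forge_enterprise_token_with_consumer_key() -> str:
    """What an attacker holding only the consumer key can attempt: a token that
    claims the enterprise issuer but is signed with the consumer key."""
    stolen_key = KEY_SETS[CONSUMER]["msa-key-1"]
    return mint_token(stolen_key, "msa-key-1",
                      {"iss": ENTERPRISE, "sub": "victim@corp.example"})


if __name__ == "__main__":
    forged = forge_enterprise_token_with_consumer_key()
    print("flat validator accepts forged token:", validate_flat(forged) is not None)
    print("scoped validator accepts forged token:", validate_scoped(forged) is not None)
```

The forged token carries a perfectly valid signature; the only thing wrong with it is which key made it. A real validator also checks audience, expiry and the `alg` header, but none of those would have helped here, which is why the key lookup itself must be bound to the issuer.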
It would be a good idea to get the best brains together to figure out a better way to protect US National Security. That would take real leadership and a willingness to have skeptics in the mix in any major initiative. Unfortunately in the past, these reviews involved government officials with a vested interest in not changing anything, and industry mostly interested in collecting on government contracts. Surely we can do better.
The truth is we need to redefine how we protect cloud networks and expand security coverage if the government wants to support commercial cloud computing.
The US Defence Department funded and invented the internet, and cables were stretched. A useful tool for collecting other countries' civilian and governmental data. (At my office, across the Atlantic, simple software like MS W10, Teams, Outlook, Skydrive etc. and Chrome as browser still ensure that everything I type is stored somewhere in the US long before I click "Post".)
20 years ago, the US was at the technological forefront, and the internet-in-our-pocket could still be controlled.
The table is now turned, and it can prove difficult to put this genie back where it belongs.
Have you played Chinese checkers? If you make a good, fast opening you also make it easier for the opponent to advance, using your marbles as a ladder, while with only one or two of his marbles he blocks or delays further advances from your side of the board.
We may easily end up losing.
Maybe a better idea would be for the NSA to fix the security leaks, but then they wouldn't have a big bad bogeyman for the CIA and friends to go after.