National Security Agency Director Gen. Paul Nakasone addressed the elephant in the room on Thursday during testimony on Capitol Hill: How could the U.S. government have missed the SolarWinds and Microsoft Exchange Server hacking until after the malicious activity was already well underway?
“It’s not the fact that we can’t connect the dots — we can’t see all the dots,” Nakasone said, acknowledging that the U.S. government, including the NSA, does not have a view into foreign hacking campaigns when they exploit domestic internet infrastructure. “We have a difficulty as a government understanding the totality of the actual intrusion.”
The suspected Russian and Chinese hackers behind the SolarWinds supply chain attack and the hacking stemming from the Microsoft Exchange Server vulnerabilities, respectively, used U.S.-based computers and servers to launch their operations.
It’s an indication to some, including White House officials, that intruders deliberately sought to bypass detection by the U.S. intelligence community.
Private sector entities, not the U.S. government, revealed the existence of the hacking operations.
The NSA, the nation’s foreign signals intelligence agency, is typically barred from operating domestically, and lacks authority to track civilian private networks in the U.S.
“We have an inability to see everything,” Nakasone stressed, adding that the recent flurry of hacking is an indication that foreign spies are leveraging the apparent blind spot.
Concerned lawmakers on the Senate Armed Services Committee pressed Nakasone, who also leads the Department of Defense’s offensive cyber arm, Cyber Command, on the government’s lack of visibility into internet infrastructure that could have tipped the NSA to the hacking campaigns.
“Our adversaries understand that they can come into the U.S. and rapidly use an [internet service provider], come up and do their activities and take that down before a warrant can be issued, before we can have surveillance by a civilian authority in the U.S.,” he said.
Nakasone said something must be done to change the visibility the government has into domestic campaigns, though he did not suggest that the NSA or Cyber Command should take on those responsibilities.
“It’s not necessarily that it’s U.S. Cyber Command or the National Security Agency that needs to be doing this,” he said. “It’s just that the nation needs an ability to see what’s going on within the U.S.”
Adversaries have long used internet infrastructure in the U.S. as a means of avoiding tripping a wire that would alert U.S. authorities to their presence.
“What we’ve seen from both the SolarWinds and Microsoft intrusions is an increasing level of sophistication,” Nakasone said. “This is a scope, a scale, a level of sophistication we haven’t seen previously. This isn’t simply email phishing attempts.”
In a recent White House briefing, Anne Neuberger, the deputy national security advisor for cyber and emerging technology, said that both authorities and culture around breaches in the federal government will need to change. The Biden administration is currently considering security ratings for U.S. software, and Neuberger has also said the White House is preparing an executive order on supply chain matters.
Neither NSA nor the White House immediately returned requests for comment on the matter.
Part of being able to understand and better track adversarial hacking moving forward, even when it takes advantage of U.S. internet infrastructure, could rely on broader government and private sector information sharing.
“How do we take the best tools not only from the government but also from the private sector to look at what’s occurring and being able to shine that spotlight?” Nakasone said. “I think a lot of times we look and just say we’ll simply go ahead and downgrade that intelligence rapidly. Sometimes the better answer is, okay where are the other streams of information, how can we use that?”
Nakasone suggested that incentives for the private sector could be introduced, adding that legislation could push private sector internet infrastructure companies to better understand who their customers are, as well.
In recognition of the role that information sharing between the public and private sectors will play in responding to the flurry of Microsoft hacking, the Biden administration has convened an emergency cybersecurity incident response group at the National Security Council and invited private sector participation for the first time ever.