Ex-NSA top lawyer: Here's how to block next SolarWinds mega hack

Writing in Politico on Monday, Glenn Gerstell, who served as NSA general counsel, said that if a specific US “government agency had that legal power,” it could prevent the next attack.

THE SOLARWINDS logo is seen outside its headquarters in Austin, Texas, in December. (photo credit: REUTERS/SERGIO FLORES)
The best way to block the next SolarWinds mega hack of the US is to grant new powers to American intelligence agencies regarding the abuse of US-based computers by foreign agents, the National Security Agency’s (NSA) former top lawyer says.
Writing in Politico on Monday, Glenn Gerstell, who served as NSA general counsel from 2015 to 2020, said that if a specific US “government agency had that legal power, then it could...quickly check out a domestic IP address after an alert from the NSA that the address was communicating with a suspicious overseas server.”
Further, “If that IP address showed questionable activity, the government and the private sector jointly could take steps to reconfigure firewalls or otherwise curtail the hack.”
Though Gerstell admitted that this wouldn’t prevent all hacks, he added the remarkable observation that “the reality is that most large-scale hacks by foreign countries rely on already known software imperfections and hardware deficiencies.”
As background, the former top NSA official wrote that, “the foreign hackers behind the massive cybersecurity failures dominating recent headlines had one critical strategy in common – they leased computers in the United States to burrow into their victim’s networks.”
He explained that, “Because US cybersecurity systems don’t regard domestic connections as inherently suspect, the attackers were able to hide in plain sight.”
Moreover, he said that, “Like secretive investors deploying a series of shell companies...to mask true ownership, Russia, China and other sophisticated nations effect cyber-maliciousness through a series of intermediary, innocuous-looking internet servers.”
Top Israel National Cyber Directorate lawyer Amit Ashkenazi said, “the issue is also relevant in Israel – there is a need in the legal context to empower the INCD to take defensive cyber actions to prevent attacks, while in the context of checks and balances.”
Meanwhile, Gerstell noted in the Politico article that last week’s hearings before the US Congress intelligence oversight committees made clear that “using a US server is a calculated strategy that takes full advantage of a gap in the US cyber surveillance system.”
In frustration, he wrote that, “No government agency – even our powerful spy agencies – currently has a sufficiently agile legal authority to catch foreign cyber malefactors in the act of co-opting US computer networks.”

Getting specific, he stated that the NSA “is allowed to surveil only foreign actors; pursuing them on the home front is the job of the FBI.”
However, he said that, “by the time the NSA notices suspicious foreign activity and hands the case off to the FBI, it’s often too late…the FBI investigation simply confirms that now-dormant internet servers in the US were used by foreigners to stage their attacks.”
The biggest problem to date with introducing the above solutions, noted Gerstell, has been the US legal architecture, which was “designed to protect the civil liberties guaranteed to Americans by the US Constitution,” but is now “deliberately exploited by sophisticated foreign cyber adversaries.”
A corollary of the need for a new approach is that “Information sharing isn’t enough; it would be hamstrung from the start if the government cannot seamlessly and quickly track malicious cyber activity from its foreign source to its intended domestic victims.”
So the second piece of Gerstell’s proposal to tackle future mega hacks is how to adjust the US system, while maintaining its basic constitutional balance.
To do that, he said, “Any domestic inspection or monitoring would be expressly limited by the type of both [the] target and information collected.”
This means it “would be restricted to specifically identified IP addresses or other communications equipment located in the United States that was linked (by the US intelligence community or the FBI) to a foreign person or country suspected of specific cyber wrongdoing.”
Bulk or indiscriminate collection of data and viewing information not expressly related to the defined cybersecurity threat would still be illegal.
Detailing what the government could do, he said, “The activity might be limited to simply a traffic analysis – seeing which US or foreign IP addresses were communicating with the target – or examining its logbook to look at historic connections.”
Next, he wrote that a “senior official certifying the underlying facts as to why the domestic inspection was required,” would need to show, for example, “evidence that a server known to be controlled by a foreign nation was communicating with a US IP address, or that certain malware or techniques that the intelligence community knew were unique to foreign cyber malefactors were being tracked to US internet servers.”
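To make the scope of the “traffic analysis” described above concrete, here is an added example (not code from the article or from Gerstell’s proposal) of a narrowly scoped check over constructed flow-log lines: only the one identified IP address is examined, only within a 72-hour window, and only connection metadata (peer, direction, count, bytes) is returned. The log format, the addresses (RFC 5737 documentation ranges) and the timestamps are all assumed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow log, one "timestamp src dst bytes" record per line.
# 203.0.113.10 plays the alerted domestic IP; 198.51.100.7 the suspicious
# overseas server named in the alert. None of this is real data.
FLOW_LOG = """\
2021-02-24T09:00:00 203.0.113.10 198.51.100.7 512
2021-02-24T09:05:00 203.0.113.10 192.0.2.44 1024
2021-02-24T09:07:00 203.0.113.22 198.51.100.7 300
2021-02-25T10:00:00 192.0.2.44 203.0.113.10 2048
2021-02-27T12:00:00 203.0.113.10 198.51.100.7 800
"""


def parse_flows(text):
    """Parse the constructed log into (timestamp, src, dst, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return flows


def scoped_traffic_analysis(flows, target_ip, alert_time, window_hours=72):
    """Return the peers that communicated with target_ip in the window
    [alert_time - window_hours, alert_time].

    Records not involving target_ip are skipped unread, so no other host is
    inspected, and only connection metadata is collected (no payload).
    """
    end = datetime.fromisoformat(alert_time)
    start = end - timedelta(hours=window_hours)
    peers = defaultdict(lambda: {"in": 0, "out": 0, "bytes": 0})
    for ts, src, dst, nbytes in flows:
        if target_ip not in (src, dst):
            continue  # out of scope: not the specifically identified IP
        if not start <= ts <= end:
            continue  # outside the time-bound window
        if src == target_ip:
            peers[dst]["out"] += 1
            peers[dst]["bytes"] += nbytes
        else:
            peers[src]["in"] += 1
            peers[src]["bytes"] += nbytes
    return dict(peers)


def contacted_suspicious_server(peers, suspicious_ip):
    """True if the identified IP exchanged traffic with the alerted server."""
    return suspicious_ip in peers
```

With the sample log, the two records from 24 February fall outside the 72-hour window and the record for 203.0.113.22 is never examined, so the result lists only 192.0.2.44 (inbound) and 198.51.100.7 (outbound).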
Gerstell suggested granting the new legal authorities to the FBI, as opposed to the NSA.
Though he said that countries like the United Kingdom, Australia, Canada and New Zealand, “have all placed their domestic cyber monitoring authorities within their foreign signals intelligence agencies (or in new affiliates)…the political reality is that this would be problematic,” in the American context.
He noted that while less robust than the NSA, the FBI “already investigates malicious foreign cyber activity,” and “seems like a logical and acceptable alternative.”
Another component would be limiting the monitoring to around 72 hours, absent a verified need for a limited extension.
Gerstell recommended significant and multiple reporting requirements regarding use of these new authorities to the attorney general or to the Foreign Intelligence Surveillance Court.
Finally, instead of being able to just shut down suspect accounts, he said more will be required of the private sector in cooperating with authorities regarding information connected to those accounts.