Thursday Reads

Boston Common, Park St. side, 1920

Good Morning!!

We’re in the midst of a big snowstorm here. My town has already gotten about 9 inches with more to come. The snow is coming down at a rate of 2-4 inches per hour. I don’t think I’ll be getting out anytime soon. Luckily I got a haircut and picked up groceries yesterday.

It looks like Mitch McConnell is finally going to allow the Senate to pass a paltry stimulus package. It includes $600.00 checks and $300.00 supplementary unemployment payments. Some Republicans are trying to make sure that people on unemployment don’t get the stingy checks. I don’t think this is going to be much help to millions of people who are about to be evicted from their homes and who can’t feed their families.

The New York Times: Staring Down Deadline, Congress Nears $900 Billion Stimulus Deal.

After months of stalemate, congressional leaders were on the verge on Wednesday of cementing a roughly $900 billion stimulus deal to deliver emergency aid to individuals and companies devastated by the toll of the worsening pandemic, racing to finish the details and stave off a government shutdown on Friday.

The measure, which has been under discussion for months as the coronavirus has ravaged the economy, is expected to provide a new round of direct payments to millions of Americans as well as additional unemployment benefits, food assistance and rental aid. It would prop up sputtering businesses with federally backed loans and provide funding for schools, hospitals and the distribution of a just-approved vaccine.

It looks like the package won’t include help for struggling state governments.

But even as lawmakers moved toward striking an elusive deal, the package pointed to troubles on the horizon for President-elect Joseph R. Biden Jr., who had pressed for at least some compromise on emergency pandemic aid before year’s end. To break the logjam, Democrats appeared to have dropped their demand for a dedicated funding stream for states and cities that are facing fiscal ruin, guaranteeing that Mr. Biden will have to act early in his tenure to try to bolster them and take additional action to prop up the economy.

“The stimulus package is encouraging,” Mr. Biden said Wednesday at an event in Wilmington, Del. “But it’s a down payment — an important down payment on what’s going to have to be done beginning the end of January into February. But it’s very important to get done.”

Gloucester Roofs, Edward Hopper, 1928

The only reason McConnell is allowing this much help for desperate Americans is that he’s afraid of losing control of the Senate.

Greg Sargent at The Washington Post: Mitch McConnell gives away the game: ‘Kelly and David are getting hammered’

If Democrats don’t win those two seats in Georgia, it’s pretty clear that Moscow Mitch won’t allow any more help for struggling Americans. 

The basic question before us right now, as we look ahead to runoffs that will settle who controls the Senate next year, is this: What would continued Republican control mean, and what would it mean if Democrats took control instead?

We have long known the answer: Continued Republican control means almost no chance at anything close to what we’ll need in new stimulus spending and economic assistance next year, when the economic damage and resulting misery could, if anything, spiral into something much worse.

In Central Park, New York, ca. 1900, by Byron, Detroit Publishing Co., via Library of Congress.

Meanwhile, Russia has successfully hacked most of the U.S. Government and hundreds of American businesses. 

Trump’s former Homeland Security chief Thomas Bossert has a frightening op-ed about it in today’s New York Times: I Was the Homeland Security Adviser to Trump. We’re Being Hacked.

At the worst possible time, when the United States is at its most vulnerable — during a presidential transition and a devastating public health crisis — the networks of the federal government and much of corporate America are compromised by a foreign nation. We need to understand the scale and significance of what is happening.

Last week, the cybersecurity firm FireEye said it had been hacked and that its clients, which include the United States government, had been placed at risk. This week, we learned that SolarWinds, a publicly traded company that provides software to tens of thousands of government and corporate customers, was also hacked.

The attackers gained access to SolarWinds software before updates of that software were made available to its customers. Unsuspecting customers then downloaded a corrupted version of the software, which included a hidden back door that gave hackers access to the victim’s network.

This is what is called a supply-chain attack, meaning the pathway into the target networks relies on access to a supplier. Supply-chain attacks require significant resources and sometimes years to execute. They are almost always the product of a nation-state. Evidence in the SolarWinds attack points to the Russian intelligence agency known as the S.V.R., whose tradecraft is among the most advanced in the world.

According to SolarWinds S.E.C. filings, the malware was on the software from March to June. The number of organizations that downloaded the corrupted update could be as many as 18,000, which includes most federal government unclassified networks and more than 425 Fortune 500 companies.

Trump has given a huge gift to Putin and left a ghastly mess for Biden to clean up.

The magnitude of this ongoing attack is hard to overstate.

The Russians have had access to a considerable number of important and sensitive networks for six to nine months. The Russian S.V.R. will surely have used its access to further exploit and gain administrative control over the networks it considered priority targets. For those targets, the hackers will have long ago moved past their entry point, covered their tracks and gained what experts call “persistent access,” meaning the ability to infiltrate and control networks in a way that is hard to detect or remove.

Turner, Martin William; Houses and Roofs in the Snow; King’s College London.

While the Russians did not have the time to gain complete control over every network they hacked, they most certainly did gain it over hundreds of them. It will take years to know for certain which networks the Russians control and which ones they just occupy.

The logical conclusion is that we must act as if the Russian government has control of all the networks it has penetrated. But it is unclear what the Russians intend to do next. The access the Russians now enjoy could be used for far more than simply spying.

The actual and perceived control of so many important networks could easily be used to undermine public and consumer trust in data, written communications and services. In the networks that the Russians control, they have the power to destroy or alter data, and impersonate legitimate people. Domestic and geopolitical tensions could escalate quite easily if they use their access for malign influence and misinformation — both hallmarks of Russian behavior.

Read the rest at the NYT.

Natasha Bertrand and Andrew Disiderio at Politico: How suspected Russian hackers outed their massive cyberattack.

Foreign hackers who pulled off a stealthy breach of at least a dozen federal agencies got caught after successfully logging in to a top cybersecurity firm’s network, tipping the company off to a broader hacking campaign targeting the U.S. government, according to officials from the firm and congressional aides briefed on the issue.

The suspicious log-in prompted the firm, FireEye, to begin investigating what it ultimately determined to be a highly damaging vulnerability in software used across the government and by many Fortune 500 companies.

It’s not clear how long it took FireEye to notice that it had been hacked, in a scheme that U.S. officials have linked to Russian intelligence. But the vulnerability, found in IT management software developed by a company called SolarWinds, had given the hackers months of access to internal email accounts in at least a dozen U.S. federal agencies, including the Treasury, Homeland Security and Commerce departments.

Two congressional staffers briefed on the intrusion said FireEye representatives, who met with multiple lawmakers and their staffers this week to discuss the hack, disclosed a potentially embarrassing detail: that the hackers had exploited a security feature called two-factor authentication to gain access to FireEye’s network by duping an employee into revealing his or her credentials.\In a 2016 blog post, FireEye laid out how such an attack might be carried out, noting that while “two-factor authentication is a best practice for securing remote access, it is also a Holy Grail for a motivated red team” — a reference to security professionals hired to find clients’ weak points — who can “use the most straightforward method to acquire the credentials we need: ask the victim to enter them for us. The perfect trap happens to be the simplest to set.”

FireEye is denying this explanation. Read all about it at Politico.

Boston Circa 1910s. Horse-drawn sleigh for hauling goods, market district. Image courtesy of the Boston Public Library, Leslie Jones Collection

David Sanger, Nicole Perlroth, and Julian Barnes at The New York Times: Billions Spent on U.S. Defenses Failed to Detect Giant Russian Hack.

Over the past few years, the United States government has spent tens of billions of dollars on cyberoffensive abilities, building a giant war room at Fort Meade, Md., for United States Cyber Command, while installing defensive sensors all around the country — a system named Einstein to give it an air of genius — to deter the nation’s enemies from picking its networks clean, again.

It now is clear that the broad Russian espionage attack on the United States government and private companies, underway since spring and detected by the private sector only a few weeks ago, ranks among the greatest intelligence failures of modern times.

Einstein missed it — because the Russian hackers brilliantly designed their attack to avoid setting it off. The National Security Agency and the Department of Homeland Security were looking elsewhere, understandably focused on protecting the 2020 election.

The new American strategy of “defend forward” — essentially, putting American “beacons” into the networks of its adversaries that would warn of oncoming attacks and provide a platform for counterstrikes — provided little to no deterrence for the Russians, who have upped their game significantly since the 1990s, when they launched an attack on the Defense Department called Moonlight Maze.

Something else has not changed, either: an allergy inside the United States government to coming clean on what happened.