A number of years ago, while working at Bell Labs, I asked myself what would happen if a hacker or terrorist or hostile nation were to break into the United States Federal Reserve. I then asked myself a second, more interesting question. How would I do it? The result of those two questions is my high-tech crime thriller, Satan’s Gold.
The first question, unfortunately, isn’t fiction any longer. The recent hack of SolarWinds proved that our financial networks are as vulnerable as I imagined they might be.
SolarWinds is a network monitoring company used to connect and monitor corporations, individuals, and government agencies worldwide, including the US Treasury Department. Tools like SolarWinds allow organizations to proactively monitor their computer infrastructure so that, if there is a problem, they can learn about it quickly.
When money’s involved, it’s important to fix a small problem before it becomes a bigger one. Companies would much rather be proactive than reactive. They would rather be the bowling ball than the bowling pin.
The SolarWinds hack was so big that it was impossible to ignore.
Unfortunately, data intrusion has gotten so prevalent in our lives that no one really notices when sites temporarily go offline. Credit card companies have gotten so used to their customers’ data being stolen, for example, that the theft has simply become a part of doing business. The customer calls a phone number, reports fraudulent charges, and the credit card company issues them a new card. In short order the customer can then continue spending like the problem never happened.
A Bad Joke Turned Into an Expensive Lesson
The first time I had my information stolen was after my wife and I went into a David’s Bridal to buy something for a wedding. I had never been in a place like that before and jokingly told the salesclerk that if estrogen had a scent, it would smell like the store.
My joke went over like a lead balloon, and a week later, probably as payback for my suspect sense of humor, my checking account was overdrawn by almost forty thousand dollars. Someone had used my debit card number to purchase and overnight thirty-two wedding dresses to Florida, where they were put on a container ship to Africa! Even after I had closed my account, the charges kept coming. I drove to the bank while praying I had enough gas to make it there. With my credit cards locked up, I couldn’t buy gas or anything else.
At the bank, I demanded to know how it was possible that such an astronomical sum of money could have been spent without me being any the wiser. The bank said it was because the purchases had been preapproved.
“By who?” I demanded.
By someone who’d impersonated me on the phone.
The SolarWinds Hack
The difference between the hack of my bank account and the hack of SolarWinds was the scope and goal of the intrusion. The SolarWinds hackers specifically went after targets that would give them access to the government. They weren’t after credit card numbers or bank accounts. They didn’t buy and ship dresses. They wanted information.
So how did it happen? The answer is surprisingly simple. Our world is based on trust. For computers to work, they must work together, and the only way that happens is if they trust each other.
How I Used The Idea of “Trust” in Fiction
In my book, Satan’s Gold, two of the characters discuss “trust” and what it means in the world of global computer automation:
Wilkens lifted his homely face. For the first time, Jackson saw worry in the old man’s eyes. “We’ve known for years that Daemon’s wanted to go after the financial district. Think about the kinds of numbers that go through those systems. Billions of dollars cross those networks every day. Computer automation has gotten so tightly integrated into our lives that a computer hiccup can easily become a global disaster at mainframe speeds. A butterfly beating its wings on Wall Street really can start a financial hurricane in China. I don’t even want to think about what would happen if he were to gain access.”
Jackson started to protest, but Wilkens held up a veined hand. “The financial markets are built on trust every bit as much as actual currency. For automated, high-speed systems to work, you and I and everyone else must trust the automation that allows it to work. Billions of electronic transactions happen every day—all of it networked through tens of thousands of routers and switches pushing packets across electronic highways. Our networks have gotten so sophisticated and reliable that moving currency has become routine—so routine in fact that no one thinks about it anymore.”
Wilkens held up his phone. “With this, I can walk into a store and instantly purchase anything. With nothing more than a few electrons, I can buy a new car or even a house. Think about the trust, Jackson. Then think about what would happen if it stops.”
What Does “Trust” Have to Do With Computers?
So what exactly does “trust” mean in our connected world?
Very rarely are computers isolated islands. They are connected to networks. Those networks allow machines to communicate. For machines to work together, they have to “trust” each other. Trust is exactly like it sounds. When machines trust each other, it allows them to share files and data quickly and efficiently. When a user logs into their bank using their phone, for example, they are trusting their phone, the bank, and the software and networks that make it all possible. This happens billions of times every day on everything from the Android device in your pocket to the government supercomputers that have tens of thousands of processors.
The best way to hack into a network like the Fed is to not attack individual machines, but to exploit the underlying trust that allows machines to work together. Find a machine or network or application that is trusted by others, and then exploit that trust. What other machines work with this machine? Where else can the hacker go from here? What else can they see and exploit?
SolarWinds Was a Vulnerable Hub
In the case of SolarWinds, their network software is used by thousands of companies, governments, and individuals around the world. The hackers got onto their network and placed exploits into the patches they sent to their customers. The patches were pushed to their customers, and the customers “trusted” the patches and installed them. The patches, once installed, gave the hackers access to the customer machines. This allowed the hackers to access all the machines that trusted those machines. On and on it went—FOR MONTHS.
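The point about a trusted hub can be made concrete by treating trust as a graph. The following is an added example, not part of the original article: it takes a constructed inventory of which hosts trust which (all host names are hypothetical) and computes how many hosts would inherit a compromise of each one, so a defender can see which hubs warrant the strictest controls.

```python
from collections import defaultdict, deque

# Constructed inventory: each host maps to the hosts it trusts
# (accepts updates, logins or data from). All names are hypothetical.
TRUSTS = {
    "monitoring-vendor": set(),
    "update-server": {"monitoring-vendor"},
    "treasury-app": {"update-server"},
    "payments-db": {"treasury-app"},
    "hr-portal": {"update-server"},
    "build-laptop": set(),
    "kiosk": {"hr-portal"},
}

def trusted_by(trusts):
    """Invert the map: for each host, the hosts that extend trust to it."""
    inverse = defaultdict(set)
    for host, sources in trusts.items():
        for src in sources:
            inverse[src].add(host)
    return inverse

def blast_radius(trusts, compromised):
    """Hosts exposed, directly or transitively, if `compromised` is subverted."""
    inverse = trusted_by(trusts)
    exposed, queue = set(), deque([compromised])
    while queue:
        node = queue.popleft()
        for dependent in inverse[node]:
            # Skip hosts already counted; the second check handles trust cycles.
            if dependent not in exposed and dependent != compromised:
                exposed.add(dependent)
                queue.append(dependent)
    return exposed

def rank_hubs(trusts):
    """Rank hosts by how many others inherit their compromise, largest first."""
    scores = {h: len(blast_radius(trusts, h)) for h in trusts}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for host, count in rank_hubs(TRUSTS):
        print(f"{host:18} exposes {count} other host(s)")
```

In this constructed inventory the vendor at the top of the update chain has the largest reach even though no customer host talks to it directly, which is the property that made the patches such an effective carrier.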
This is similar to what I wrote in my book, Satan’s Gold. In the book, the antagonist gains access to the Federal Reserve’s trusted network. He adds himself as a trusted node. Once he is trusted, he can then exploit that trust.
Where Do We Go From Here?
Moving on from the SolarWinds hack won’t be easy, but we have no choice. Machines still need to work together. Invoices must be sent, bills need to be paid, and no one wants to go back to how things were before automation made our world so much faster.
There will always be issues. This isn’t a one-time exploit. Hacking will never stop. There will be other backdoors hidden in networks that no one knows about yet. Multi-factor authentication, encryption, HTTPS, SFTP and SSH only go so far to keep the bad guys out. Hackers need only wait for customers to start trusting again. Then, they can use that trust to worm their way back into our networks and our lives.
As for me, now that SolarWinds has been hacked, I need to check the balance on my checking account. Maybe one of the hackers is feeling romantic and wants to use my debit card to buy his girlfriend a wedding dress—thirty-two times.