- Multiple government agencies including the Department of Homeland Security, the Department of State, and parts of the Pentagon have been hacked in a far-reaching attack widely believed to be led by Russia.
- Experts have said the attack was highly advanced, and while the damage is unclear, more agencies are expected to be hit.
- The hack was first discovered last week by the cybersecurity firm FireEye, which later found the attackers had entered government servers undetected this spring, giving them free rein for much of the past year.
- The hackers first infiltrated the systems of the firm SolarWinds, which makes network-management software used by many government agencies and large companies. They later gained access to SolarWinds’ clients by infecting software updates the company sent its customers with malware.
- While the motive is currently unknown, experts have said the recent hack is classic espionage.
Federal Agencies Hacked
At least half a dozen U.S. federal agencies — including several national security-related departments — have been the victims of a highly advanced suspected Russian hack.
The attacks were first reported Sunday when Trump administration officials at the Treasury and Commerce departments confirmed that key networks had been breached and that the hackers had free range of their email systems.
On Monday, officials in the Homeland Security and State departments, the National Institutes of Health, and parts of the Pentagon also told reporters that they had been hit.
Currently, the extent of the hacks and the damage they have done is unknown, but people close to the matter have said that the number of federal agencies that were attacked is expected to grow.
While the knowledge of these attacks comes at the close of a tumultuous election season, cybersecurity experts involved in the matter have said that the systems were infiltrated months ago. Top U.S. intelligence agencies did not detect the hacks until they were informed of the breaches by FireEye, a third-party cybersecurity company that had also been a target.
FireEye, which is contracted by intelligence agencies and other federal departments to find and patch security holes in networks that could be vulnerable to hackers, reported last week that hackers from a then-unidentified nation-state had entered their systems and stolen their anti-hacking tools.
The company soon found out that the attack expanded far beyond their own systems. In a statement released Sunday, FireEye described a global campaign of victims that included “government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East.”
FireEye described the hack as incredibly sophisticated and “some of the best operational security” that they had ever seen in a cyberattack. It also noted that the hackers used at least one piece of malware that has never been previously detected.
The cybersecurity firm said that all of the involved organizations had been hit through a supply-chain attack, where cybercriminals infiltrate a target organization by hacking outside companies supplying products to the intended target that are then introduced into computer networks.
In this case, FireEye found that the supply chain attack started with an Austin-based company called SolarWinds that makes and supplies a widely-used network-management software called Orion.
The attackers hacked SolarWind and manipulated the software updates that the company sends out to their clients whenever there is an upgrade to Orion — much like the notifications your phone or computer sends when it has a software update.
When SolarWinds sent those infected updates to their clients, the hackers were able to gain access to these organizations when they downloaded the Orion update. Very notably, FireEye also said those software updates were delivered to customers between March and May, meaning that these hackers had free reign over these systems undetected for the better part of a year.
As for how many agencies or companies were impacted, right now, it is not entirely clear. In a federal securities filing Monday, SolarWinds reported that of its more than 300,000 clients, only 33,000 use Orion. Of those 33,000, fewer than 18,000 of its customers may have installed the corrupted software, the company said, though it also added it did not yet know how many systems were actually hacked.
However, other experts say the number is actually much, much lower.
“We think the number who were actually compromised were in the dozens,” Charles Carmakal, a senior vice president at FireEye told The New York Times. “But they were all the highest-value targets.”
In addition to the other government agencies that have said they were impacted, SolarWinds also contracts with all five branches of the military, the Executive Offices of the President, the Centers for Disease Control and Prevention, and the National Security Agency — which is the world’s top electronic spy agency.
SolarWinds also has other clients all around the world. According to reports, its services are used by almost all Fortune 500 companies, major defense contractors such as Boeing, and the Los Alamos National Laboratory where nuclear weapons are designed.
While it is unclear how many of those organizations used Orion, experts say that might not matter. As The Times reported, investigators have said that the hackers “used multiple entry points in addition to the compromised Orion software update, and that this may be only the beginning of what they find.”
In fact, in its Monday filing, SolarWinds even explicitly said that Microsoft’s Office 365 email may have also been “an attack vector” used by the attackers. In a blog post Sunday, Microsoft said that it has not found any product vulnerabilities in its own investigation of the hacks.
Suspected Russian Involvement
Neither SolarWinds nor FireEye specifically named the Russians, but numerous officials close to the matter have said that their investigation has pointed to a top Russian foreign intelligence agency known as the SVR, often called Cozy Bear or A.P.T. 29.
While the SVR is known as a traditional collector of intelligence, specializing in digital spying, it is not known for the kind of disinformation campaigns that we saw the Russians running in the 2016 election.
As a result, experts have said that this hack was not a campaign intended to undermine the election like last time, but rather to spy on the highest levels of the government.
“This is classic espionage,” Thomas Rid, a political science professor at the Johns Hopkins School of Advanced International Studies who specializes in cybersecurity issues told The Washington Post. “It’s done in a highly sophisticated way…. But this is a stealthy operation.”
“This so far appears to be classic digital spying of the sort that major nations, including the United States, engage in every day to gain geopolitical edges of various sorts,” The Post added.
“That’s a nine-month stretch that included — to name just a few of the important events that would have created computer files interesting to spies — the worst of the coronavirus pandemic, the historically fast development of vaccines using novel technology, and the U.S. presidential and congressional elections.”
As expected, Russian officials have denied any involvement. In a statement Sunday, the Russian Embassy in Washington called the reports “baseless” and said that Russia “does not conduct offensive operations in the cyber domain.”
Despite this claim, the U.S. intelligence community has extensively documented and verified numerous successful and attempted cyberattacks by Russia in the last several years.
See what others are saying: (The Washington Post) (The New York Times) (Reuters)
Amazon Backs GOP Bill to Legalize Marijuana in Effort to Ramp Up Lobbying
The proposal is the first Republican-sponsored marijuana bill Amazon has backed since the company first began lobbying for legalization last summer.
Amazon Endorses States Reform Act
Amazon announced Tuesday that it is endorsing a Republican-backed proposal to legalize marijuana.
The move comes as the e-commerce giant has ramped up its efforts to legalize cannabis on the federal level since it came out in support of the idea last summer. Amazon argues that the move would remove hiring barriers — which disproportionately impact people of color — and, in turn, could increase the company’s application pool and boost employee retention.
The company has previously backed similar proposals by forward by Democrats, but Tuesday’s announcement marks the first time Amazon has put its support behind a Republican-sponsored bill aimed at addressing the issue.
The legislation, called the States Reform Act, was authored by Rep. Nancy Mace (R-S.C.). Among other measures, it would remove cannabis as a Schedule I substance, allow states to create their own laws, impose an excise tax, and regulate the drug in a similar fashion to alcohol.
While Mace’s bill is fundamentally very similar to others put forth by Democrats, by proposing it herself, the Republican hopes to rally other members of her party around the idea that legalization is pro-business, pro-state’s rights, and anti-big government.
The measure has already received support from the highly influential conservative group, American’s for Prosperity, which is funded by the Koch brothers.
Mace and Amazon have painted the company’s endorsement as a game-changer for garnering more support — both from other large corporations and politicians on either side of the aisle. Mace specifically told reporters she believes Amazon’s decision will push other companies to do the same. If more major corporations like Amazon back the effort, other Republicans may be more persuaded to jump on board.
That sentiment was echoed by Brian Huseman, Amazon’s vice president of public policy, who said in an interview with The Washington Post that the company was “particularly excited by Congresswoman Mace’s bill” because “it shows that there’s bipartisan support for this issue.”
Huseman also emphasized that, as part of its decision to back her bill, Amazon will use its powerful influence in Washington to try and drum up bipartisan support.
“We are talking with members of both parties, including Republicans, about why we think this is the right thing to do, especially from the standpoint of a major employer and what this means for our business and our employees and broadening the employee base,” he continued.
See what others are saying: (The Washington Post) (Forbes) (Marijuana Moment)
CDC Data Shows Booster Shots Provide Effective Protection Against Omicron
Public health experts have encouraged Americans to get boosted to protect themselves against the omicron variant, but less than 40% of fully vaccinated people who are eligible for their third shot have received it.
A First Glimpse of Official Data on Boosters and Omicron
COVID-19 booster shots are effective at preventing Americans from contracting omicron and protecting those who do become infected from severe illness, according to three reports from the Centers for Disease Control and Prevention (CDC) published Friday.
The reports mark the first real-world data regarding the highly infectious variant and how it has impacted the U.S.
One of the CDC reports, which studied data from 25 state and local health departments, found that there were 149 cases per 100,000 people among those had been boosted on average each week.
In comparison, the figure was 255 cases per 100,000 people in Americans who had only received two shots.
Another study that looked at nearly 88,000 hospitalizations in 10 states found that the third doses were 90% effective at preventing hospitalization.
By contrast, those who received just two shots were only 57% protected against hospitalization by the time they were eligible for a booster six months after their second dose.
Additionally, the same report also found that the boosters were 82% effective at preventing visits to emergency rooms and urgent care centers, a marked increase from the 38% efficacy for those who were six months out from their two-shot regime and had not yet received a third.
Low Booster Shot Vaccination Rates
Public health officials hope that the new data will urge more Americans to get their booster shots.
Since the emergence of omicron, experts and leading political figures have renewed their efforts to encourage people to get their third shots, arguing they are the best form of protection.
The CDC currently recommends that everyone 12 and older get a booster shot five months after their second shot of Pfizer and Moderna or two months after receiving the single-dose Johnson & Johnson vaccine. Still, in the U.S., less than 40% of fully vaccinated individuals eligible for a third shot have gotten one.
While COVID cases in the country have begun to drop over the past several days from their peak of over 800,000 average daily infections, the figures are still nearly triple those seen in the largest previous surges.
Hospitalizations have also slowly begun to level out over the last week in places that were hit first, such as New York City and Boston, but medical resources still remain strained in many parts of the country that experienced later surges and have not yet seen cases slow.
Some experts predict that the U.S. will see a sharp decline in omicron cases, as experienced in South Africa and Britain. Still, they urge American’s to get boosted to ensure their continued protection from the variant, as well as other strains that will emerge.
See what others are saying: (The Washington Post) (CNN) (The New York Times)
California Bill Would Allow Kids 12 and Up to Get Vaccinated Without Parental Consent
Nearly one million California teens and preteens between the ages of 12 and 17 are not vaccinated against COVID-19.
State Senator Proposes Legislation
Legislation proposed in California on Thursday would allow children age 12 and up to get vaccinated without parental consent.
State Sen. Scott Wiener (D-San Francisco) introduced Bill 866 in the hope it could boost vaccination rates among teenagers. According to Wiener, nearly one million kids aged 12- to 17-years old remain unvaccinated against COVID-19 in the state of California.
“Unvaccinated teens are at risk, put others at risk & make schools less safe,” Wiener tweeted. “They often can’t work, participate in sports, or go to friends’ homes.”
“Many want to get vaccinated but parents won’t let them or aren’t making the time to take them. Teens shouldn’t have to rely on parents’ views & availability to protect themselves from a deadly virus.”
Currently, teens in California can receive vaccines for human papillomavirus and hepatitis B without parental consent. They can also make other reproductive or mental healthcare choices without a guardian signing off. Wiener argues that their medical autonomy should expand to all vaccines, especially during a pandemic that has already killed roughly 78,000 Californians.
Vaccine Consent Across the U.S.
“Teens shouldn’t have to plot, scheme or fight with their parents to get a vaccine,” he said. “They should simply be able to walk in & get vaccinated like anyone else.”
Bill 866 would allow any kids ages 12 and up to receive any vaccine approved or granted emergency use authorization by the Food and Drug Administration and recommended by the Centers for Disease Control and Prevention. Currently, Pfizer’s COVID vaccine has been fully approved by the FDA for those 16 and older. It has received emergency authorization for ages five through 15.
Across the United States, vaccine consent ages vary. While the vast majority of states require parental approval for minors to be vaccinated against COVID-19, kids as young as 11 can get the jab on their own in Washington, D.C. In Alabama, kids can receive it without parental consent at 14, in Oregon at 15, and in Rhode Island and South Carolina at 16. According to the Kaiser Family Foundation, providers can waive consent in certain cases in Arkansas, Idaho, Washington, and Tennesee.
In October, California became the first state to announce plans to require that students receive the COVID-19 vaccine to attend class. The mandate has yet to take effect, but under the guidelines, students will be “required to be vaccinated for in person learning starting the term following FDA full approval of the vaccine for their grade span.”
In other words, once the FDA gives a vaccine full approval for those aged 12 and up, it will be required the following session for kids in grades 7-12. Once it does so for kids as young as five, the same process will happen for children in kindergarten through sixth grade. There will also be room for exemptions from the mandate.
The Fight to Vaccinate California
This week, a group of California state legislators formed a Vaccine Work Group in order to boost public health policies in the state. Wiener is among the several members who are “examining data, hearing from experts, and engaging stakeholders to determine the best approaches to promote vaccines that have been proven to reduce serious illness, hospitalization and death from COVID-19.”
“Vaccines protect not only individuals but also whole communities when almost everyone is vaccinated at schools, workplaces and businesses, and safe and effective COVID-19 vaccines have already prevented the deaths of hundreds of thousands of Americans,” Sen. Dr. Richard Pan (D-Sacramento) said in a press release. “Public safety is a paramount duty of government, and I am proud to join a talented group of legislators in the pro-science Vaccine Work Group who want to end this disastrous pandemic and protect Californians from death and disability by preventable diseases.”
While vaccine policies have been a divisive subject nationwide, including in California, state politicians and leaders are hopeful public health initiatives will prevail.
“If we allow disinformation to drive our state policy making we will not only see more Americans needlessly suffer and die, but we will sacrifice the long term stability of our society having effectively abandoned the idea that we all must work together to protect each other in times of crisis.” Catherine Flores Martin, the Executive Director of the California Immunization Coalition, added.