A cyber attack that penetrated systems at the departments of Homeland Security, Commerce and Treasury raises questions over the adequacy of coordination and visibility into systems, and an ongoing inability to deter nation-state aggression, cyber leaders said after revelation of breaches compromising SolarWinds Orion services used by federal agencies and the private sector alike.
There are significant unknowns around the attack, including on scope and duration, as cyber policy veterans begin sorting through the damage to assess policy implications.
“If reports are true and agencies are having a hard time knowing where the products are in their respective systems, then we have a larger problem than even we know at the moment,” commented Norma Krayem, a former senior official at several federal departments. “Situational awareness across networks for where products are used and how they are secured is cyber 101.”
The Cybersecurity and Infrastructure Security Agency on Sunday issued Emergency Directive 21-01 requiring federal agencies to identify and disconnect SolarWinds Orion products from their systems after discovering an apparent nation-state-orchestrated attack. The breaches affected DHS, the Treasury Department, the Commerce Department’s National Telecommunications and Information Administration and others.
“We can confirm there has been a breach in one of our bureaus. We have asked CISA and the FBI to investigate, and we cannot comment further at this time,” a Commerce spokesperson said.
DHS did not publicly acknowledge a breach on its systems, but Assistant Secretary for Public Affairs Alexei Woltornist said Monday afternoon: “The Department of Homeland Security is aware of cyber breaches across the federal government and working closely with our partners in the public and private sector on the federal response. As the federal lead for cyber breaches of civilian federal agencies, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has already issued Emergency Directive 21-01 to the federal government to address compromises related to SolarWinds.”
DHS leads on cybersecurity efforts across the civilian government and on collaborating with industry and states. NTIA plays a central role in the federal government’s supply-chain security efforts and is also a focal point of collaboration between the government and private sector, particularly in the information and communications technology area. Treasury is also part of supply-chain security efforts as well as administering sanctions on Russia and other countries for past cyber activities.
The attack was first reported by Reuters, and multiple outlets have reported that officials are privately attributing it to Russia, though there has been no public attribution and Russian officials have denied any role.
SolarWinds issued a security advisory Sunday afternoon.
Phil Reitinger, a former top cybersecurity official at DHS, cautioned, “Based on what I've read, this is a very sophisticated attack that is extremely hard to prevent and detect once initial access is gained. It doesn't seem to me, based on what I know now, that the incident is anything but an illustration of a basic truth: If a sophisticated actor devotes enough time and resources, you will be compromised.”
Along those lines, Kim Peretti of Alston and Bird said, “The adversaries used the stealthiest of technical measures -- such as a two-week dormancy, steganography, masquerading as legitimate activity, minimizing malware use -- to gain access and maintain persistence in the victims’ environment. This attack involved an A-plus game of a truly unprecedented nature.”
Reitinger added, “It is essential that we use the power of software and cloud services to address the manifold cybersecurity issues we face. But our need to use software and services also makes them even more critical and targets for state-sponsored attacks. If we are serious about solving cybersecurity problems at scale, we need a much deeper focus on the parts of the ecosystem that make cybersecurity possible, including IT management software and services.”
Suzanne Spaulding, a former top cyber and infrastructure official at DHS, said, “I wonder if part of the problem here isn't that IT, including IT security, is still pretty decentralized in most departments and agencies. The CIOs are not fully empowered to have visibility or even to impose requirements in many instances. This makes it hard for one place in the department to have a complete inventory of relevant third-party vendors.”
And, she said, “This goes to the importance of continuing to work on identifying ‘high value targets’” within systems. “That can't be done by the cyber experts. You need to bring in the country experts and red-team ‘where would I target to get what I want.’”
Further, she said, “Supply chain and third-party risks have been looming ever larger for some time. They have been priorities for CISA and I am confident they are priorities for the incoming Biden team.”
Spaulding also emphasized imposing consequences on attackers, an issue she and James Lewis of the Center for Strategic and International Studies stressed at a recent event. She said there’s no reason to refrain from punishing nation states for such hacks under the concept of international norms allowing countries to undertake intelligence gathering.
“The idea that you don't impose consequences for espionage is odd,” Spaulding said. “Granted, we can't get up on our moral high horse about something we also do, but when actual adversary spies were discovered in the U.S. there were usually consequences. People were kicked out of the country, demarches were issued, and, depending on the nature of the activity, relations were impacted.”
Krayem, vice president and chair of the Cybersecurity, Privacy & Digital Innovation Practice at Van Scoyoc Associates, added that, “While we know that the incoming Biden administration takes cybersecurity very seriously both for the .gov world and critical infrastructure sectors, focusing on what needs to be done early in 2021, news of the SolarWinds compromise this far into key executive branch agencies should be the last straw. Agencies are at a full stop and have been told to unplug systems and we have an ‘all hands on deck’ exercise with CISA, NSA and others.”
She said, “Worse yet, these agencies are ‘honey pots’ of mission critical U.S. government information, but add Treasury as a core regulator with sensitive business information. Commerce has a host of national security information ranging from BIS and the ICT rulemaking to NOAA with sensitive satellite information and more. This should also be an area of concern for the private sector; it was bad enough to hear that FireEye was hit, now many companies’ regulators have been hit as well.” -- Charlie Mitchell (email@example.com)