Reports last week that a Russian government hacking operation compromised multiple U.S. government computer networks provide the first glimpse into a dangerous new type of cyberattack: using America’s software supply chain against us.
It is the “perfect storm” of two distinct vulnerabilities – supply chain risk and cyber risk – coming together to form a threat that is much greater than either threat alone.
Supply chain risk – the first element – has been largely discussed in the context of COVID-19, namely, that the U.S. is vulnerable when other nations control or manipulate key parts of our supply chain, whether it be pharmaceuticals made in China or sensitive electronic components that could not be produced due to the pandemic.
Supply chain risk is often thought of as distinct from the second element, the cyber hackers’ ability to covertly insert malicious code into a sensitive computer network. But in the SolarWinds case, these two threats merged.
Russian intelligence operatives launched the Trojan Horse-style attack through SolarWinds’ Orion IT monitoring platform. Hackers added malicious code to standard software updates for the Orion program, creating a backdoor into some federal agencies as early as spring 2020. The U.S. government itself downloaded the software because installing software updates is part of standard cyber protocols.
The suspected originator of the attack is linked to APT29 (“advanced persistent threat 29”), which is associated with Russia’s SVR. The SVR is Russia’s CIA, its foreign intelligence agency. It is a successor to the KGB. In other words, it appears the Kremlin directed this attack to conduct cyber espionage against the U.S.
This global intrusion campaign is far more advanced than previous Russian cyberattacks. In the 2016 cyberattack on the U.S. presidential election, Russia utilized a targeted phishing campaign that required user error — people clicking on links or being tricked to enter their login credentials. With SolarWinds, user error may have played a role, but the attack went far beyond that.
We need to act quickly to mitigate these threats in the future.
First, Congress should enact the 2021 National Defense Authorization Act (NDAA) to ensure that the federal government is prepared to coordinate its response to this type of attack. Specifically, several of the Cyberspace Solarium Commission (CSC) recommendations were incorporated by Congress in the NDAA and will increase the cyber resiliency of the nation. For example, the NDAA establishes a national cyber director to advise the president and coordinate cyber efforts across agencies. Agencies across the federal government have unique cyber priorities. A national cyber director provides the necessary consolidation of efforts.
President Trump is threatening to veto the NDAA. If he does, Congress should swiftly override his veto.
Second, agencies should immediately conduct a damage assessment of the SolarWinds hack. The Department of Homeland Security (DHS) Cyberspace and Infrastructure Security Agency (CISA) has taken the appropriate first step by executing Emergency Directive 21-01. This step will stop the bleeding, but more investigation will be needed to determine precisely what information was compromised. These findings must be reported to the appropriate congressional oversight committees and the newly appointed national cyber director. We need to know what the Russians know and when they knew it.
Third, federal agencies need a new approach to address the perfect storm of cyberattacks on our software supply chain. The incoming Biden team should establish a new paradigm within the Department of Defense and the intelligence community to address the vulnerability across the tens of thousands of companies that provide goods and services to the military and intelligence components. Each group within these agencies has its own independent vendor guidelines, and some efforts have been made at the department level, but this information is not effectively shared and acted upon across all federal programs. It is time to establish agency-level war rooms, leveraging sophisticated technical systems, dedicated to tracking cyber disruptions across the U.S. supply chain.
Cyber threats are not going anywhere. If the United States is going to effectively defend against future adversaries, immediate collaborative action to secure our supply chains must start now.
Jeremy Bash is managing director at Beacon Global Strategies, a consulting firm, and the former chief of staff at the CIA and the Department of Defense under President Obama. Michael Steed is founder and managing partner at Paladin Capital Group, which invests in cybersecurity companies.