The SolarWinds hack, one of the largest cybersecurity incidents in U.S. history, may have been deterred or minimized if basic security measures had been put in place, a top government official acknowledged earlier this month.
In a June 3 letter to Sen. Ron WydenRonald (Ron) Lee WydenSenate parliamentarian looms over White House spending bill Democrats push tax credits to bolster clean energy Five reasons for concern about Democrats' drug price control plan MORE (D-Ore.) provided to The Hill on Monday, Cybersecurity and Infrastructure Security Agency (CISA) acting Director Brandon Wales agreed with Wyden’s question over whether firewalls placed in victim agency systems could have helped block the malware virus used in the SolarWinds attack.
“CISA agrees that a firewall blocking all outgoing connections to the internet would have neutralized the malware,” Wales wrote.
He stressed, however, that while the agency “did observe victim networks with this configuration that successfully blocked connection attempts and had no follow-on exploitation, the effectiveness of this preventative measure is not applicable to all types of intrusions and may not be feasible given operational requirements for some agencies.”
Wales said that CISA does not have numbers on how many federal agencies were segmenting and segregating their networks, a key security guideline the agency has long recommended as a way to prevent hackers from moving through sensitive networks.
He also emphasized that CISA is making “urgent improvements” to increase its understanding of cyber threats to federal networks, including using some of the $650 million included in the American Rescue Plan Act to move security protections inside of agency networks instead of just guarding the perimeters.
“We must ensure the development of a modern cybersecurity governance structure and capabilities,” Wales wrote. “We need cybersecurity tools and services that provide us a better chance of detecting the most sophisticated attacks. And we need to rethink our approach to managing cybersecurity across 101 Federal Civilian Executive Branch agencies.”
Reuters first reported the letter and its findings Monday.
The response comes six months after the SolarWinds hack was discovered in December after it was ongoing for most of last year. The hack, which U.S. intelligence agencies assessed earlier this year was likely Russian-government backed, led to the compromise of nine federal agencies and around 100 private sector organizations.
President BidenJoe BidenMan sentenced to nearly four years for running scam Trump, Biden PACs Dole in final column: 'Too many of us have sacrificed too much' Meadows says Trump's blood oxygen level was dangerously low when he had COVID-19 MORE issued a sweeping set of sanctions against Russia in April in retaliation for the hack and raised the incident with Russian President Vladimir PutinVladimir Vladimirovich PutinThe Memo: Biden, bruised by Afghanistan, faces a critical test in Ukraine Biden holds call with European leaders to talk Russia Overnight Defense & National Security — Preparing for the Biden-Putin call MORE during their recent in-person summit in Switzerland.
The letter from CISA was sent months after Wyden wrote to the agency expressing concerns around what he described as “the U.S. government’s inability to detect and prevent a major Russian hacking campaign.”
Wyden also questioned SolarWinds CEO Sudhakar Ramakrishna about concerns around internet connectivity and a lack of firewall during a Senate Intelligence Committee hearing on the incident in February.
“It is true that the Orion platform software does not need connectivity to the internet to perform its regular duties, which could be network monitoring, system monitoring, application monitoring on premises of our customers,” Ramakrishna testified in response to Wyden’s question.
But the leaders of top cybersecurity groups FireEye and CrowdStrike pushed back against the idea that a firewall could fully have prevented this attack or others.
“We do over 600 red teams a year, and firewalls never stopped one of them,” FireEye CEO Kevin Mandia testified at the same hearing in February. “A firewall is like having a gate guard outside a New York City apartment building, and they can recognize if you live there or not, but some attackers are perfectly disguised as someone who lives in the building and walks right by the gate guard.”
“In theory, it’s a sound thing, but it’s academic, in practice, it’s operationally cumbersome,” Mandia said.
CrowdStrike President and CEO George Kurtz agreed, testifying that “firewalls help, but they are insufficient,” and noting that “they are a speed bump on the information superhighway for the bad guys.”
Wyden at the hearing stood firm in noting that more could be done to strengthen the nation’s cybersecurity.
“The bottom line for me is that multiple agencies were still breached under your watch by hackers employing techniques that experts have warned about for years,” Wyden said.