Jolted by a sweeping hack that may have exposed Russia’s government and corporate secrets, U.S. officials fail to improve the cyber protections of the country and accept that an organization established two years ago to protect the networks and facilities of America lacks the funds, expertise and authority to fight such advanced threats.
The violation, which hijacked commonly used software from SolarWinds Inc., headquartered in Texas, has revealed the deep insecurity of civil government networks and the shortcomings of threat detection efforts.
A surge of investment on infrastructure modernization and cybersecurity is also likely to be unleashed.
“The investments we need to make in cybersecurity are really highlighted in order to have the visibility to block these attacks in the future,” Anne Neuberger, the recently named Deputy National Cyber and Emergency Technology Security Advisor, said at a White House briefing on Wednesday.
The answer represents the seriousness of a hack that was only exposed in December. The hackers, previously anonymous but characterized as “likely Russian” by authorities, had unrestricted access to the documents and communications of at least nine U.S. government departments and over 100 private businesses, with the full scope of the deal still undisclosed. And while this incident seems to be targeted at stealing information, concerns were heightened that potential hackers, such as power grids or water supplies, could damage sensitive infrastructure.
President Joe Biden expects to issue an executive order shortly that Neuberger said would contain about eight steps to fix the hack’s revealed security holes. The administration has also suggested raising the U.S. budget by 30 percent. Owing to the SolarWinds hack, the Surveillance and Infrastructure Department, or CISA, is a little-known body currently under intense scrutiny.
On Friday at the Munich Security Conference, Biden made his first major foreign statement, saying that coping with “Russian recklessness and hacking into computer networks in the United States and across Europe and the world has become critical to protecting our collective security.”
Republicans and Democrats in Congress have advocated on the agency, a subsidiary of the Department of Homeland Security, to increase its scale and function. It was founded in November 2018 in the midst of a feeling that U.S. critics were steadily attacking civilian government and business networks as well as “critical” infrastructure, such as the increasingly fragile electric grid in a wired environment.
Speaking at a recent cybersecurity hearing, Rep. John Katko, a New York Republican, encouraged his peers to urgently “find a legislative vehicle to provide CISA with the resources it needs to respond fully and protect us.”
In cooperation with the General Services Administration, Biden’s COVID-19 relief program requested $690 million more for CISA, as well as supplying the department with $9 billion to modernize IT across the state.
That was pulled from the new edition of the bill because a connection to the pandemic was not noticed by certain lawmakers. But Rep. Jim Langevin, co-chair of the Congressional Cybersecurity Caucus, said that with bipartisan interest of pending bills, possibly an infrastructure package, new funding for CISA is likely to reemerge.
“Langevin, a Rhode Island Democrat, said in an interview, “Our cyber infrastructure is every bit as critical as our roads and bridges. For our economy, that’s critical. Protecting human lives is critical, and we need to be sure that we have a modern and robust cyber infrastructure.
CISA runs a method of vulnerability monitoring known as “Einstein” that could not detect the violation of SolarWinds. Brandon Wales, the acting director of CISA, said it was because the violation was withheld from its clients in a legal SolarWinds software upgrade. The machine was able to search federal networks and identify certain government victims after it could identify the malicious operation. “It was designed to work within the agencies in concert with other security programs,” he said.
This month, former CISA director Christopher Krebs told the House Homeland Security Committee that the U.S. should raise funding for the department, in part so that it can issue grants to state and local governments to strengthen their cybersecurity and speed up federal government IT automation, which is part of the Biden proposal.
Can we stop any attack? Oh, no. But we will take care of the most prevalent risks and make it much harder for the bad guys to work and limit their success,” said Krebs, who was ousted after the election by then-President Donald Trump and now co-owns a consulting firm whose customers include SolarWinds.
In early December, the violation was found by the private security company FireEye, a matter of alarm for some authorities.
“It was quite alarming that, as opposed to being able to detect it ourselves to begin with, we found out about it through a private company,” Avril Haines, director of national intelligence, said at her January confirmation hearing.
The Treasury Department bypassed its usual competitive bidding procedure to employ the private security company CrowdStrike, U.S. procurement documents show, immediately after the hack was revealed. The office declined to comment. Sen. Ron Wyden, D-Ore., has said that thousands of senior agency executives’ email addresses were compromised.
In order to conduct an impartial forensic review of the network logs, the Social Security Administration hired FireEye. Like other SolarWinds clients, the department had a “backdoor code” installed, but “there were no indicators suggesting we were targeted or that a future attack occurred beyond the initial installation of software,” said spokesperson Mark Hinkle.
A Virginia Democrat who chairs the Senate Intelligence Committee, Sen. Mark Warner, said the hack exposed many federal-level deficiencies, though not generally a lack of public-sector employee skills. Still, “I doubt we’ll ever have all the in-house capacity we’d need,” he said.
In recent months, several new cybersecurity steps have been taken. Legislators established a national cybersecurity chief in the defense policy bill passed in January, filling a role at the White House that had been eliminated under Trump, and gave CISA the authority to grant administrative subpoenas as part of its attempts to recognize compromised networks and alert operators.
The law also provided CISA with increased power to hunt for risks through civilian government department networks, something Langevin said they were only allowed to do before when invited.
“In practical terms, what that meant is that because no department or agency wants to look bad, they were not invited in,” he said. You remember what was going on, then? They were all sticking their heads in the sand, pretending that the cyber attacks would go down.