Experts said the likely Russian-led campaign — which hacked fewer than 10 federal agencies including the Justice, Homeland Security, and Treasury departments as well as the companies around the globe who were also clients of network management company SolarWinds — shows defenses aren’t improving faster than the adversaries are innovating.
“How it is that seven years after the [Office of Personnel Management] attack the U.S. government’s systems are still not able to identify and protect itself against sophisticated … hackers is unfathomable,” says Norma Krayem, vice president and chair of the cybersecurity and data privacy practice at the Van Scoyoc Associates law firm. “Ten months sitting in U.S. networks with unfettered access would give anyone the keys to the kingdom.”
The SolarWinds campaign appeared to begin in March. It took months before researchers discovered the SolarWinds breach, triggering a law enforcement investigation. “It’s hard to decide which is worse: the insecurity of not knowing what Russia took or the catastrophe thinking about what they might have right now,” Krayem said.
Defense will always be harder than offense, several experts noted.
“The hard truth is that cyber offense always, always, always has the advantage over cyber defense,” said Mark Weatherford, a chief strategy officer at the National Cybersecurity Center and a former DHS cybersecurity official.
“While our tools and techniques have certainly improved and we have increased our capabilities to address sophisticated Russian hackers, SolarWinds demonstrates that we are not good enough. We were prepared for tactics we knew, but we were unprepared for the innovation of the adversary and the novel tools used,” said Kiersten Todt, president and managing partner of Liberty Group Ventures and former executive director of the Presidential Commission on Enhancing National Cybersecurity.
Money is a factor, too. “Compare the offensive budget and head count of the [National Security Agency] and Cyber Command to the defensive budget of DHS, [the Cybersecurity and Infrastructure Security Agency],” said Jeff Moss, founder of the BlackHat and DEFCon Cybersecurity conferences. “Can we expect defensive superiority on such a shoestring?”
And money belies the priorities, some experts noted. “The U.S. government has failed to budget for defensive cybersecurity in any way proportional to its investment in offensive security,” said Tarah Wheeler, a cybersecurity policy fellow at the New America think tank. “If you’re not spending 10 times your offensive budget on the core [defensive areas] … your priorities are misaligned to the reality of cyberspace.”
President Trump’s reluctance to hold Russia accountable for its behavior in cyberspace made the United States more vulnerable, some argued.
“While in many government agencies there has been an improvement in cybersecurity, the current administration for four years has consistently tried to downplay Russia as a threat,” said John Pescatore, director of emerging security trends at the SANS Institute. “Security has to be risk-focused, and denying that Russia is a major risk means our limited resources don’t get applied correctly.”
In another Network survey last month, a majority of our experts said that Trump led the nation in the wrong direction on cybersecurity. The president, who originally cast doubt on the idea that Russia was behind SolarWinds, has yet to acknowledge the findings from his intelligence and security officials that it was the likely culprit. And he previously dismissed conclusions from intel officials that Russia interfered in the 2016 and 2020 elections.
Trump’s gutting of cybersecurity leadership also hurt U.S. defenses, experts said.
The Trump administration eliminated a White House cyber coordinator role in 2018 and fired or dismissed several senior officials at CISA in recent weeks, including former director Chris Krebs, who defended the integrity of the 2020 election.
A change in leadership could help turn the tide, experts say. “The biggest step to recovery and resilience is for the president and Congress to admit we have a problem,” said Moss. “Organizations take seriously what their leadership takes seriously.”
President-elect Joe Biden slammed Trump for failing to prioritize cybersecurity and has vowed to make cybersecurity a top priority once he takes office. The United States will “respond in kind” to Russia for the SolarWinds hack, he said.
“A National Cybersecurity Director in the White House, with the right team with a mix of cyber operations, law, international law, and political savvy expertise could help drive us in the right direction,” said Tony Cole, chief technology officer at Attivo Networks. “Without changes, many agencies in the federal space will continue to have their responses sputter when attacked.”
A 37 percent minority said that the U.S. government’s ability to protect itself against Russia has improved.
“That conclusion may seem difficult to believe in light of the SolarWinds compromise, but in fact, the U.S. government has been making incremental improvements to its cybersecurity over the last few years,” said Michael Daniel, president and CEO of the Cyber Threat Alliance and former Obama cybersecurity czar. “…We are never going to be able to achieve 100 percent protection against adversaries as sophisticated as the Russian intelligence services, so we have to be prepared to deal with intrusions upon occasion.”
Credit where credit’s due: “CISA with the intelligence community seems to have systematically built up a capacity to protect the critical information infrastructure, including detecting irregularities,” says Liisa Past, the former Estonian government cyber official. “That does not make it easy, though, as the state-backed attacker is opportunistic as well as patient and resourceful, so they invest heavily in avoiding detection, laying low, unlike criminals who are more likely to grab and run.”
Past adds: “CISA deserves credit for the actionable element in the SolarWinds alert; offering clear instructions for action is not always the case.”
Daniel, however, stressed that by making it a lower priority, the Trump administration has slowed the rate of improvement in federal network cybersecurity. “The general degradation in coordination capability hinders the U.S. government’s ability to respond to major intrusions when they happen,” Daniel added. “Firing senior leaders at CISA has made a difficult situation even worse.”
There were other caveats: “The U.S. government is actually a little better at defending itself than it was five years ago,” said Stewart Baker, a former NSA general counsel. “But it was never a match for sophisticated Russian SVR and GRU hackers, and that’s still true.”
Even the experts who thought security was better said improvements must still be made. “As software becomes further embedded into everything we do, the gap between offense and defense will continue to grow unless we take actions to secure the cyber ecosystem,” said Rep. Jim Langevin (D-R.I.), co-chair of the Cyberspace Solarium Commission. “We will need to make it a top priority in the next Congress to better understand and address supply-chain security.”
They also pointed to a need for a suite of experienced professionals at the top. “The U.S. ability to protect itself will certainly improve under the Biden administration which will fill these roles with professionals experienced in cyber and government, such as Alejandro Mayorkas at DHS,” said Jason Healey, senior research scholar at Columbia University’s School for International and Public Affairs.
Some were optimistic that the massive breach would spur even further change. “The SolarWinds breach is likely to be a watershed moment,” said Jake Williams, founder and president of Rendition Infosec and former NSA official. “We’ve known what’s needed to detect advanced adversaries for some time, but it is costly and resource intensive. The SolarWinds breach provides the cost justification the U.S. government so sorely needed to move the needle.”
The network
More responses to The Network survey on whether the U.S. government’s ability to defend against Russian hackers is getting better or worse:
- BETTER: “The next administration has an opportunity to continue innovating and make cybersecurity a national priority. It’ll take a nationwide effort that extends far beyond Washington to win this silent war.” — Jay Kaplan, chief executive of cybersecurity firm Synack
- WORSE: “Opponents, Russian or otherwise, are indeed becoming more skilled, but the number of avenues of attack available to them is growing faster still. As long as the rate of change in complexity is allowed to accelerate, cyber defense will be a failure.” — Dan Geer, chief information security officer at In-Q-Tel
- WORSE: “The Russia experts need to come together with the cyber experts and mission experts in individual departments and agencies across government, and ideally key private sector players, to fully assess the risk to ‘essential functions’ and to ‘nationally critical functions…’ Once the risk is assessed, this same interagency team needs to develop ways to reduce the damage that a breach could accomplish, e.g., find ways to operate that are less dependent on vulnerable IT.” — Suzanne Spaulding, Center for Strategic and International Studies and former Obama cybersecurity official
- WORSE: “The U.S. government’s investment in its own capabilities remains out of sync. Additional spend on technology and human capital continues to favor DoD, leaving the organizations that have appropriate authority to engage the private sector with insufficient resources to do so. The consequences are manifold.” — Megan Stifel, the Global Cyber Alliance and former Obama White House cybersecurity official
- WORSE: “Though progress has been made, cybersecurity has not been the priority it needs to be, given adequate resources or coordinated from the top. Trump’s lax statements on Russia only encourage more malicious activity and some in the military’s recent statements of bravado contrasted with the scope of this latest intrusion show we are not as good as we think we are.” — Chris Painter, former State Department cyber coordinator
- WORSE: “Offense beats defense as long as it has enough time to do it, and there’s nothing we can do to STOP the offender’s attack. The most we can do is to retaliate in some way after they have done their dirty work — and revenge doesn’t count as protection.” — Herb Lin, senior research scholar for cyber policy and security at Stanford University
The keys
Ex-CISA chief Chris Krebs will join SolarWinds as a consultant.
Krebs recently formed a new consulting business with Alex Stamos, former chief security officer at Facebook and director of Stanford’s Internet Observatory, Joseph Menn reports. SolarWinds also contracted cybersecurity firm CrowdStrike in the wake of a massive breach.
The practice will focus on recommended security practices and combating coordinated misinformation.
“There have been successful leaders that embrace cybersecurity but also the community and engagement, and they tend to not just survive in this environment, but thrive,” Krebs told Reuters. “We want to help executives become those leaders.”
Multiple electronic items were stolen from senators’ offices yesterday, U.S. officials confirmed.
The extent of the damage is still unknown, Michael Sherwin, acting U.S. attorney for the District of Columbia said in a call with reporters, CNN’s Brian Fung reports.
“This is probably going to take several days to flesh out exactly what happened, what was stolen, what wasn’t,” he said. The stolen electronics and documents “could have potential national security equities,” he said.
The exact number of devices is still unknown. Sen. Jeff Merkley (D-Ore.) confirmed yesterday a laptop had been taken from his office. His office did not respond to a request for comment.
House administrators remotely locked laptops and shut down wired network access, Eric Geller reported. IT hasn’t identified any breaches so far, a memo sent to members said.
Rep. Anna G. Eshoo (D-Calif.) asked the top House Administrator to conduct a full assessment of the threats posed, Protocol reported.
The State Department will set up a cybersecurity bureau in Mike Pompeo’s final weeks.
Secretary Pompeo has approved the creation of a cybersecurity and emerging technologies bureau for the State Department, according to a news release. The announcement comes on the heels of the SolarWinds attack and just weeks before Pompeo exits his post.
“The Secretary’s decision to establish CSET will permit the Department to posture itself appropriately and engage as effectively as possible with partners and allies on these pressing national security concerns,” the news release states.
Pompeo attempted to establish the office in the summer, but Rep. Eliot L. Engel (D-N.Y.), the chairman of the House Foreign Affairs Committee, pressed pause on the initiative for being too narrow.
Rep. Gregory W. Meeks, chairman of the House Committee on Foreign Affairs, excoriated Pompeo’s plans, calling them “ill-suited” for the department’s needs. He criticized Pompeo for blocking the bipartisan Cyber Diplomacy Act in 2018, which would have created a cyber office for the agency.
“Congress has repeatedly tried to work with the Department to address any specific concerns it has with the Cyber Diplomacy Act, but the Department refused to work with us, preferring instead to ram through its poorly considered and ineffective plan just days before Pompeo leaves office,” Meeks said in a statement.
Chris Painter had this to say:
Daybook
Secure log off
Who wants to join our book club?