For a moment it seemed like we might get to end 2020 on a relative high note for cybersecurity. The November election went off largely without a technical hitch, suggesting that the tireless efforts of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency had succeeded in ramping up election security (even if the agency’s success ultimately cost its director his job).
But December has brought a landslide of bad cybersecurity news. First came reports that the cybersecurity firm FireEye had been breached and many of its security tools stolen. Then came the bigger revelation: that several pieces of the federal government, including the Treasury and Commerce departments, had been infiltrated by Russian hackers via the SolarWinds Orion software that many organizations use for monitoring their systems and network. It’s still not clear exactly which government agencies were infiltrated during that period. Initial reports indicated it might be only Commerce and Treasury, but more recent reports suggest DHS and the State Department were also affected, as was the National Institutes of Health, and the Justice and Defense departments are also customers of SolarWinds. (Update, Dec. 17, 2020, at 5:30 p.m.: It now also appears that the Energy Department and National Nuclear Security Administration were compromised.)
There’s still a lot we don’t know about the government breaches. Many of the technical details we have on how the intruders penetrated these systems come from a Microsoft blog post, though CISA also issued an emergency directive ordering federal agencies to stop using SolarWinds Orion. The intrusion appears to have been initiated through malware attached to software updates provided by SolarWinds for its Orion products. In other words, when SolarWinds released legitimate updates to its products earlier this year, some of those updates were tampered with by the outside hackers to include malicious code that was then downloaded onto the systems of SolarWinds customers as part of the supposedly routine updates. According to a report by FireEye, multiple SolarWinds updates were “trojanized” in this manner (i.e., a trojan backdoor was inserted into the legitimate update code), digitally signed with SolarWinds certificates, and posted to SolarWinds’ own update websites between March and May 2020.
Beyond the government, SolarWinds has many private sector clients, and it’s still not clear whether any of those were breached as well. A SolarWinds filing with the Securities and Exchange Commission indicates that as of Monday the company believed only about 18,000 of its 300,000 customers were exposed to the malicious code that masqueraded as legitimate updates to the firm’s security software.
Sorting out all the details and victims of this incident will probably take a while, and to some extent that’s to be expected. After all, SolarWinds is a big company with a lot of customers, and replacing or repairing all the affected systems will take time—hence CISA’s emergency order directing government agencies to stop using Orion. But even though the full investigation and remediation of the incident may require time, there are some things the federal government should be able to do relatively quickly—namely, identify which of their systems were affected and what was taken from those networks.
So far, most of the reports of the incident have focused on the intruders monitoring internal email accounts at the Commerce and Treasury departments. The Commerce Department has even been able to narrow that down to the National Telecommunications and Information Administration office, which is a promising sign that it’s been able to track more precisely what was stolen and whose accounts were being monitored. At the same time, though, the reports that more government agencies than just Commerce and Treasury may have been affected suggest that the government is still scrambling to figure out exactly what happened and who was targeted.
Those should be the questions that the federal government is best equipped to answer immediately. At least, that would be the case if the government learned anything from the 2015 compromise of the Office of Personnel Management, when it took months to piece together what had actually been stolen. Ideally, the government would have taken away from that experience a strong sense of the importance of keeping detailed logs of all new software installed on its systems, all remote login attempts to secure systems, and all outbound information sent from its computer systems. This should enable relatively rapid tracing of which systems were infiltrated via the compromised SolarWinds updates and what types of information, specifically, the intruders were after. But it’s not clear whether all of the affected departments of the federal government had these capabilities in place or how effectively they’ve been able to trace what was taken.
Already we can see some signs of which branches of the government are best equipped to make these determinations—for instance, in the Commerce Department’s ability to single out NTIA as the target of the espionage campaign. But the lack of further information about what was targeted is concerning, as is the fact that neither the government itself nor SolarWinds was apparently able to detect this incident alone. Instead, FireEye appears to have discovered it in the course of investigating its own breach.
A major breach of government computer systems is always frustrating, in part because it can undermine policymakers’ ability to give guidance to or set standards for private sector security. However, if the federal government can respond to this incident rapidly and well—by making public more information about how this happened and who was behind it, by ramping up its security measures and monitoring, and by demonstrating that it has in place sufficient logging capabilities to pinpoint what was targeted and taken from its systems—then it may yet be able to demonstrate how much progress it has made on cybersecurity in the past few years. On the other hand, if it continues to be unable to make those determinations and lets private companies like Microsoft and FireEye take the lead on publicizing the incident, it runs the risk of further perpetuating the belief that the private sector has much more expertise and credibility than the government when it comes to cybersecurity.