On December 17, the Cybersecurity and Infrastructure Security Agency (CISA) released a statement warning that a sophisticated and ongoing cyber breach posed a “grave risk” to government, critical infrastructure, and private sector organizations. Officials, lawmakers, and cybersecurity experts believe that Russia—many have specifically pointed to Moscow’s Foreign Intelligence Service (SVR)—is behind the hack that compromised the Departments of State, Treasury, Energy, and Homeland Security, among other government entities, as well as more than four hundred Fortune 500 companies. Despite these revelations, the full scale of the operation and networks compromised by it remains unclear. As former Homeland Security Advisor Thomas Bossert argues, “the magnitude of this ongoing attack is hard to overstate.”
At present, the hack appears to be a case of intrusion for espionage rather than interference; although, the full picture of the operation is still emerging. In any case, the success of the effort reveals three vulnerabilities that threaten the United States’ ability to defend itself against foreign interference in cyberspace: weaknesses in detection, supply-chain security, and prevention.
Vulnerability 1: Detection
Throughout the months-long operation, Russian hackers were able to penetrate numerous government and private entities, accessing and potentially stealing information undetected. Despite the scale of this activity, government authorities were not the first to discover and expose the operation; instead, the private cybersecurity firm FireEye identified the breach and alerted federal agencies.
Even after investing in a $6 billion cyber-intrusion detection system known as Einstein, the U.S. government found itself ill-equipped to identify the type of novel malware used by the hackers, who took extensive measures to cover their tracks. In recent days, federal authorities have struggled to grasp the reach of Russia’s intrusion. CISA stated in an alert that the threat actor likely has additional “access vectors and tactics, techniques, and procedures that have not yet been discovered.”
This failure of detection suggests the United States might be vulnerable to future interference operations that could employ novel tactics to breach government, critical infrastructure, and private industry targets. While the goal of the SolarWinds hacks appears to have been espionage and not interference, data theft of this kind could quickly be transitioned into a hack-and-leak campaign that could undermine confidence in election security or in government itself.
The circumvention of the U.S. government’s Einstein system suggests that adversaries may be adapting faster than the United States’ defenses. To stay ahead of the innovation curve, CISA and other federal agencies should increase coordination with and recruitment from the private sector, including by establishing temporary exchange programs to bring technical expertise into government. Detecting the last cyber operation will not be enough to defend against future campaigns, as malign actors have proven capable of innovating quickly.
Vulnerability 2: Digital Supply Chains
The SolarWinds hack also highlights vulnerabilities in the confidentiality and integrity of the government’s digital supply chain, underscoring the need to implement stronger security standards for technology procurement. Unfortunately, this threat is not new. Last year, CISA reportedly catalogued more than 180 different threats and vulnerabilities that posed risks to the government’s technology supply chains, while a December 2020 report by the Government Accountability Office found that 14 of 23 federal agencies failed to implement any of the “foundational practices” to secure technology supply chains that were measured in the report. None of the 23 agencies implemented all of those practices.
Russian hackers reportedly took advantage of that vulnerability by inserting malicious code into updates for a network management system made by SolarWinds, a firm whose clients include nearly every federal agency, state and local governments, Fortune 500 companies, and parts of the energy sector. This exploit provided an opening for the hackers to compromise vast and varied networks of information, all through the guise of a trusted vendor.
The federal government must urgently reform its technology supply-chain management and should establish and enforce stricter security standards for technology acquisition. As the SolarWinds operation revealed, Russian hackers have developed the capability to exploit supply chain vulnerabilities in ways that threaten U.S. national security and critical infrastructure, and other malign actors are likely to follow suit. State and local governments should undertake similar efforts to shore up vulnerabilities in their supply chains. While they were not the primary focus of this intrusion, state and local governments present vulnerable and enticing targets.
Vulnerability 3: Prevention
In the lead up to the 2020 election, the U.S. Cyber Command took an aggressive posture against potential cyber threats, launching “hunt forward” operations abroad to identify and learn about the networks, tools, and tactics employed by malign actors. The goal of these operations was to disrupt malign cyber activity at its source and “to stop threats before they reach their targets.” The effort was primarily focused on identifying and disrupting potential threats to the 2020 election, but its failure to identify a cyber operation of this scale from an actor known for its breaches of U.S. agencies and political organizations was a concerning failure that poses significant questions for the hunt or defend forward concept.
As Director of the Stanford Internet Observatory Alex Stamos has noted, the United States resources and prioritizes offensive cyber efforts on a much higher level than defensive efforts. In order to close off vulnerabilities to future interference operations in cyberspace, the U.S. government will need to place a much greater emphasis on cyber defense—including at state and local levels where resources are even thinner. As Stamos points out, an important starting point will be boosting the funding and resources provided to CISA, which lags behind offensive cyber agencies in size and capacity. He also argues that cyber defenses would be further strengthened by the creation of an independent agency that tracks malign cyber operations across all sectors, investigates their root causes, and issues public reports that outline their findings and recommendations to prevent future intrusions.
U.S. failures to detect and prevent the SolarWinds operation have exposed weaknesses in the country’s ability to mitigate cyber interference. Policymakers should take these lessons to heart and act quickly to improve detection capabilities, strengthen supply chain security, and resource for cyber defense.