Why security experts were blindsided by the SolarWinds attack

The massive cyberattack on U.S. government agencies and corporations took advantage of the fact that the public and private sectors can’t easily share threat information.

[Source image: The National Archives/Wikimedia Commons]

The SolarWinds cyberattack on U.S. government agencies and private organizations was, and still is, frightening in its scale and success. The agencies charged with defending against such things proved no match for it, and the episode brought into sharp focus the fact that the government's current model for responding to cyberthreats is lacking.


The Senate Intelligence Committee hosted some of the main players in the SolarWinds saga Tuesday for some soul-searching on how the government and private tech companies should work together to stop future attacks. Some of the main themes discussed in the hearing are likely to end up in new cybersecurity legislation this year, a Congressional source told me.

SolarWinds is the Texas-based company whose IT management software is used by many government agencies and Fortune 500 companies. Back in March 2020, the attackers, widely believed to work for Russia's Foreign Intelligence Service (SVR), planted malware in the SolarWinds build process that produces updates for the company's Orion software, so the tainted updates went out through SolarWinds' normal, trusted distribution channel. When customers installed the update, roughly 18,000 of them, they installed the malware along with it. The attack was not reported until December 2020, by the private security firm FireEye, and then only because the firm discovered its own systems had been compromised.

The SolarWinds attack stood out for targeting both government and private-sector entities, and for using a government supplier (SolarWinds) as a Trojan horse to gain access to agency systems. Software supply-chain attacks were not unheard of, but the white hats (security good guys) were not ready for this roundabout way in.

During the hearing, SolarWinds CEO Sudhakar Ramakrishna said the security community knows how to defend against direct attacks on networks and spear-phishing attacks in which hackers pose as a trusted party and try to trick employees of the target company into giving up their network credentials. Security experts have less experience with attacks that exploit a private-sector supplier of software to the government to gain entry. It’s hard for the eventual target organization—in this case government agencies and corporations—to see that kind of attack coming.

The attackers are thought to have penetrated the systems of 100 private companies and 11 government agencies, including the Departments of State, Energy, Homeland Security, and Treasury, and the National Nuclear Security Administration. Private companies such as Microsoft, Cisco, and Intel were also hit.


And SolarWinds may not have been the only private supplier through which the attackers found their way into government systems. In fact, The Wall Street Journal’s Robert McMillan and Dustin Volz reported that as many as 30% of the known victim organizations were not SolarWinds customers. This may mean that other government IT suppliers were used as Trojan horses.

Connecting dots

In a sense, the SolarWinds attack seemed designed to exploit lack of communication and cooperation between government and private-sector security experts.

Evidence of the attack showed up in traces across the networks of numerous private companies and public entities. The attackers cast their net wide and didn’t focus too much on any one entry point. Brad Smith, president of Microsoft, told the committee his company believes 80% of the 60 entities hit by the SolarWinds attack are located outside the U.S. He added that the attackers may have been targeting overseas organizations that employ people who work on projects with the U.S. government and have network access.

That made the attack harder to detect. Various security people around the world may have glimpsed something odd on their own networks, but none of them could see the whole picture. That is, until FireEye spoke up.

“I think there was a lot of activity that out of context nobody could [use to] put their finger on the larger problem,” FireEye CEO Kevin Mandia said. “The minute we found the [malware] implant, and the minute we disclosed what happened, it connected a lot of dots for a lot of folks.”


One result of the hearing may be legislation that sets up a central federal cyberthreat information clearinghouse where both government entities and private companies can report evidence of threats or attacks. “We do need to enhance the sharing of cyberthreat intelligence,” Microsoft’s Smith said. “Our basic thought today is that too often that information exists in silos. . . . It doesn’t come together.”

And effective sharing may need to be more than voluntary. “I think it is time not only to talk about but to find a way to . . . impose in an appropriate manner some kind of notification obligation on entities in the private sector,” Smith said.

The problem is, companies that have been attacked have some good reasons for not reporting it. They may fear the bad publicity or the legal exposure. Therefore, a cyberthreat reporting clearinghouse may have to be confidential. Committee chairman Mark Warner, Democratic senator of Virginia, said there may be interest in offering such companies some form of liability protection in exchange for being forthright with the government on the details of an attack.

Something’s not right

U.S. Cyber Command, the military command that shares its commander with the National Security Agency, is supposed to be a front line of defense against attacks on government networks. But it was "blindsided" by the SolarWinds attack, The New York Times's David Sanger, Nicole Perlroth, and Eric Schmitt reported.


The NSA is prohibited by law from placing sensors within the networks of private companies such as SolarWinds; domestic collection of that kind would amount to mass surveillance. So the agency can watch for signs of an attack on the networks of government agencies and on foreign infrastructure, but not on the networks of the domestic entities an attacker might use as Trojan horses. Capable attackers know this, so they run their command-and-control infrastructure on servers located in the U.S., where the NSA is not looking. In this latest hack, the attackers used servers hosted on Amazon Web Services.


That leaves the FBI to investigate cyberattacks within the networks of private companies, and then only after the fact.

The U.S. Cyber Command wasn’t present at the Senate Intel hearing, nor was Amazon. Several senators on the committee voiced frustration over Amazon’s no-show.

“We had extended an invitation to Amazon to participate. The operation we’ll be discussing today uses their infrastructure [and], at least in part, required it to be successful,” said Republican Senator Marco Rubio of Florida. “Apparently they were too busy to discuss that here with us today, and I hope they’ll reconsider that in the future.”

Republican Senator Susan Collins of Maine and committee chairman Warner wondered aloud why Amazon wasn’t there.

It’s now been more than two months since the SolarWinds attack was discovered, and the government still doesn’t know what hit it, or even if the attack has concluded.


“We have had a number of hypotheses over the last couple of months working with our investigation partners,” SolarWinds’ Ramakrishna said. “We’ve been able to narrow them down now to about three, which we are hoping to conclude down to one.

“We are still sifting through terabytes of data,” he added.

When the investigation is over and the government has a clearer understanding of the attackers and their likely motives, all eyes will be on the Biden administration to decide how to respond. The response to past cyberattacks has usually involved sanctions on some state actor such as China, North Korea, or Iran. But the SolarWinds attack was so large, and the government data it targeted so sensitive, mere sanctions may not be enough.

About the author

Fast Company Senior Writer Mark Sullivan covers emerging technology, politics, artificial intelligence, large tech companies, and misinformation. An award-winning San Francisco-based journalist, Sullivan's work has appeared in Wired, Al Jazeera, CNN, ABC News, CNET, and many others.