Mar 15 2021

Cybersecurity Officials Call for Network Visibility, Software Assurance After Russian Hack

Top government cybersecurity officials say recovering from the breach will be a long-term effort.

Even as the federal government confronts a newly disclosed cybersecurity breach reportedly from a Chinese-backed hacking group, it is still sorting through an earlier breach suspected to have come from Russia.

Top government cybersecurity officials are continuing to assess the fallout from the Russian breach, widely known as the SolarWinds breach, since a malicious update to the company’s Orion software was used as a vector for the attack. The investigation extends beyond that avenue, however, because about 30 percent of the private sector and government victims linked to the attack were not using SolarWinds software, Brandon Wales, the acting director of the Cybersecurity and Infrastructure Security Agency (CISA), told The Wall Street Journal.

Anne Neuberger, deputy national security advisor for cyber and emerging technology, said in February that nine federal agencies and about 100 private sector companies were compromised in the attack, although about 18,000 entities had downloaded malicious software through the Orion updates, as MeriTalk reports.

It will take the U.S. government a year to 18 months to fully recover from the Russian attack, Wales tells MIT Technology Review.

“I wouldn’t call this simple,” Wales says. “There are two phases for response to this incident. There is the short-term remediation effort, where we look to remove the adversary from the network, shutting down accounts they control, and shutting down entry points the adversary used to access networks. But given the amount of time they were inside these networks — months — strategic recovery will take time.”

Both Neuberger and Wales have said the government needs to fortify its cybersecurity defenses. That includes increasing network visibility and improving software assurance.

How Will the Government Respond to the SolarWinds Hack?

The government is contemplating several steps in its response to the Russian attack. In a White House briefing in February, Neuberger said a key goal is to find and expel the malicious actors.

“We’re working closely with daily conversations with our private sector partners. They have visibility and technology that is key to understanding the scope and scale of compromise,” she said. “There are legal barriers and disincentives to the private sector sharing information with the government. That is something we need to overcome.”

Neuberger noted that the Russian attack was the work of a “sophisticated actor who did their best to hide their tracks” and that the government believes it “took them months to plan and execute this compromise. It’ll take us some time to uncover this, layer by layer.”

The government will also modernize its cybersecurity defenses, she said, which will involve having greater visibility into federal networks and IT systems. “We’re absolutely committed to reducing the risk this happens again,” she said. “If you can’t see a network, you can’t defend a network. And federal networks’ cybersecurity needs investment and more of an integrated approach to detect and block such threats.”

Wales also suggested in February that CISA would enhance the way it monitors federal networks. FCW reports:

Wales said CISA is exploring ways to monitor activities internally for “anomalous activities” such as a network management system communicating through an encrypted channel to an entity outside the network.
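The kind of check Wales describes can be expressed as a simple rule over network flow records: a host that runs network-management tooling should rarely open encrypted sessions to destinations outside the organization, and when it does, the destination should be a known vendor endpoint. The following is an added illustration, not CISA's tooling and not code from the original article; the flow-log format, the management-host addresses, the internal address ranges and the allowlist are all constructed, and the port-based notion of "encrypted channel" is a deliberate simplification of what a sensor with TLS or SSH metadata would provide.

```python
"""Flag outbound encrypted sessions from network-management hosts.

Added illustration over constructed flow records (not CISA's tooling).
Host list, allowlist, address ranges and log format are assumptions.
"""
import ipaddress
from typing import Iterable

# Ports treated as an "encrypted channel" (port-based heuristic; a real
# deployment would use TLS/SSH metadata from the sensor instead).
ENCRYPTED_PORTS = {443, 8443, 22}

# Address ranges the organization considers internal (assumed RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hosts that run network-management tooling (constructed addresses).
NMS_HOSTS = {"10.0.5.20", "10.0.5.21"}

# External destinations the management system is expected to reach,
# e.g. the vendor's update service (constructed placeholder address).
ALLOWED_EXTERNAL = {"203.0.113.10"}

# Constructed flow records: timestamp,src_ip,dst_ip,dst_port,proto,bytes_out
SAMPLE_FLOWS = """\
2021-03-15T02:00:01Z,10.0.5.20,10.0.1.15,161,udp,420
2021-03-15T02:00:07Z,10.0.5.20,203.0.113.10,443,tcp,18220
2021-03-15T02:01:12Z,10.0.5.20,198.51.100.77,443,tcp,91044
2021-03-15T02:03:40Z,10.0.8.33,198.51.100.77,443,tcp,3012
2021-03-15T02:04:02Z,10.0.5.21,192.0.2.9,8443,tcp,55801
2021-03-15T02:05:30Z,10.0.5.21,10.0.0.2,22,tcp,2200
"""


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the organization's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> dict:
    """Parse one comma-separated flow record into a dict."""
    ts, src, dst, port, proto, nbytes = line.strip().split(",")
    return {"ts": ts, "src": src, "dst": dst, "port": int(port),
            "proto": proto, "bytes": int(nbytes)}


def find_anomalous_flows(lines: Iterable[str],
                         nms_hosts=NMS_HOSTS,
                         allowed_external=ALLOWED_EXTERNAL) -> list:
    """Return flows where a management host talks over an encrypted port
    to an external destination that is not on the allowlist."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["src"] not in nms_hosts:
            continue                      # only management hosts are in scope
        if is_internal(flow["dst"]):
            continue                      # internal management traffic is expected
        if flow["port"] not in ENCRYPTED_PORTS:
            continue                      # not an encrypted channel by our heuristic
        if flow["dst"] in allowed_external:
            continue                      # known vendor endpoint
        hits.append(flow)
    return hits


def summarize(hits: list) -> dict:
    """Aggregate bytes sent per (management host, destination) pair for triage."""
    totals = {}
    for h in hits:
        key = (h["src"], h["dst"])
        totals[key] = totals.get(key, 0) + h["bytes"]
    return totals


if __name__ == "__main__":
    found = find_anomalous_flows(SAMPLE_FLOWS.splitlines())
    for f in found:
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['port']} ({f['bytes']} bytes)")
    print(summarize(found))
```

On the constructed records the rule flags the two sessions from management hosts to unlisted external addresses and ignores the vendor endpoint, the internal SNMP and SSH traffic, and the workstation that happens to reach the same external address. The byte totals per pair are what an analyst would look at first, since a management system pushing large volumes outbound is the pattern worth triaging.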

The government also must enhance its software assurance and ensure that government contracts have requirements on software supply chain security.

“What made SolarWinds so devastating was that SolarWinds devices are normally configured to have broad administrative rights on a network,” Wales said, according to FCW. “If a system is like that, if it has broad administrative rights, then it requires further hardening inside of your network.”

The attack may have far-reaching consequences for federal IT systems and require large-scale restructuring of networks and IT systems. MIT Technology Review reports:

When the hackers have succeeded so thoroughly and for so long, the answer sometimes can be a complete rebuild from scratch. The hackers made a point of undermining trust in targeted networks, stealing identities, and gaining the ability to impersonate or create seemingly legitimate users in order to freely access victims’ Microsoft 365 and Azure accounts. By taking control of trust and identity, the hackers become that much harder to track.

“Most of the agencies going through that level of rebuilding will take in the neighborhood of 12 to 18 months to make sure they’re putting in the appropriate protections,” Wales tells MIT Technology Review.
