Russia has long been viewed as a threat in cyberspace. But after one of the most successful cyber intrusion campaigns in U.S. history, questions are being raised over how the federal government was so completely blindsided by an attack many experts have seen coming.
The successful hacking of multiple federal agencies and tens of thousands of individual federal and private entities — widely presumed to be a Russian intrusion and which federal officials warn is ongoing — managed to subvert sophisticated protections by targeting third-party software contractor SolarWinds.
“We shouldn’t have been surprised, the Russians are very sophisticated, they are very dedicated and relentless, and this appeared to be a soft target they were able to exploit,” Christopher Painter, the former State Department cybersecurity coordinator under both the Trump and Obama administrations, told The Hill on Friday.
Russia, alongside China, North Korea and Iran, is considered one of the pressing threats to the U.S. in multiple fields.
Following the 2016 presidential election, when Russian agents launched a sweeping and sophisticated campaign designed to sway the election toward now-President TrumpDonald TrumpTrump signs bill to keep government open amid relief talks US to close two Russia consulates ‘Guardians of the Galaxy’ trends on social media following new Space Force name MORE, top federal agencies began a four-year process designed to shore up the election and ensure this type of attack could never happen again.
These officials, led by the two-year-old Cybersecurity and Infrastructure Security Agency (CISA), largely succeeded, with Election Day seeing few security incidents.
However, some say the U.S. may have turned attention away from other attack vectors used by Russia.
As of Friday, agencies including the Department of Energy and its National Nuclear Security Administration, the Department of Homeland Security, the State Department, and the Treasury Department had reportedly been breached as part of the espionage incident. SolarWinds has reported it believes at least 18,000 of its customers were compromised by the hack.
The hackers accessed systems as early as March, and questions have mounted over how much they took or were able to access.
“This is the most significant cyberattack in the history of the United States,” Tom Kellermann, a former member of an Obama administration cybersecurity commission and current head of cybersecurity at VMWare CarbonBlack, told The Hill. “It’s unprecedented in the 22 years I’ve been in the business.”
Kellermann said he and his team believed that Russia had stepped up its cyberattacks against the U.S. in retaliation for the success of securing the 2020 elections and following the disruption of international botnet group “TrickBot” that targeted U.S. critical infrastructure with ransomware viruses.
He noted that ransomware attacks on hospitals over the fall “should have been a signal and a red line that dramatic escalation is occurring.”
Key details are emerging of overlooked vulnerabilities.
“It’s important to focus-in on this nuance that there is a small set of actions that can help prevent incidents like this in the future and that, could have, potentially discovered it earlier,” said David Springer, who has served at the National Counterterrorism Center and the Defense Intelligence Agency and is currently at the law firm Bracewell.
“The penetration of SolarWinds appears to be the product of poor cyber hygiene at the company,” said Mark Montgomery, a senior fellow at the Foundation for Defense of Democracies. “And let’s not undersell the skill sets of the perpetrators. The Russian intelligence services – SVR – are capable adversaries.”
The idea of strengthening cybersecurity defenses and zeroing on critical supply chains for federal agencies is not a new issue on Capitol Hill, with both gaining wide bipartisan support. However, partisan gridlock on other issues has made it increasingly difficult for legislation to move through Congress, slowing down cyber priorities.
One item that has gained bipartisan support is the 2021 National Defense Authorization Act (NDAA), which includes the widest range of federal cybersecurity improvements in years, including provisions establishing a White House cyber czar and strengthening CISA’s powers.
President Trump has announced his intention to veto the bill over other concerns, drawing bipartisan backlash, and has not yet commented on the breach, despite being reportedly briefed on the topic.
“This cyber attack likely perpetrated by the Russians spotlights the glaring vulnerabilities of our federal cybersecurity system,” Sen. Susan CollinsSusan Margaret CollinsLawmakers call for Trump to take action on massive government hack Sen. Alexander plays Christmas carols in Senate office building No, Biden hasn’t won yet — one more nightmare scenario MORE (R-Maine), a member of the Senate Select Committee on Intelligence, tweeted Friday.
“The President should immediately sign the NDAA not only to keep our military strong but also because it contains significant cyber security provisions that would help thwart future attacks,” she added.
The leaders of the Senate Armed Services Committee put out a statement Thursday night describing the NDAA as “must-pass legislation” in light of the breach. Sens. Rob PortmanRobert (Rob) Jones PortmanHillicon Valley: Lawmakers ask whether massive hack amounted to act of war | Microsoft says systems were exposed in massive SolarWinds hack | Senators push to keep tech liability shield out of UK trade agreement Senators push to keep tech liability shield out of UK trade agreement The ‘Biden Team’ is risk-averse, but capable and ready MORE (R-Ohio) and Gary PetersGary PetersKrebs emphasizes security of election as senators butt heads Hillicon Valley: Facebook ad freeze lifted for Georgia runoffs | More branches hit in massive cyberattack | Krebs to testify on election security Krebs to testify during Senate hearing on election security this week MORE (D-Mich.), the incoming leaders of the Senate Homeland Security and Governmental Affairs Committee, vowed Friday to produce “bipartisan comprehensive legislation” next year to ensure this type of attack never happened again.
National security officials are challenged by how to respond to foreign cyber espionage, resistant to imposing high costs that could be inflicted on the U.S. over its own intelligence gathering.
Officials have taken action when espionage activities have risen to the level of threatening national security, such as the Trump administration’s closure of the Chinese consulate in Houston in July over what it said were espionage activities that went beyond intelligence gathering.
Singer, the former federal counterterrorism official, said the information available on the SolarWinds attack points to traditional espionage, but is worrying over what national security infrastructure is compromised.
“Based on the very early days, limited information we have so far, it appears that this was mostly traditional intelligence gathering, but I think it’s a real concern that the same access to these critical targets and systems could easily be used for another purpose, in the future, had it not been discovered,” he said.
John BoltonJohn BoltonLawmakers call for Trump to take action on massive government hack Biden vows to make cybersecurity ‘imperative’ following massive hack Trump faces bipartisan, international pushback on Western Sahara recognition MORE, Trump’s former national security advisor, said the response from the U.S. needs to be at least three times more than the cost of the attack that was incurred, during an interview with MSNBC.
“The top priority has got to be, if we determine it’s the Russians, that’s where the information tends to point, what the retaliation is going to be,” he said. “And I think it ought to be, whatever we assess what the cost we incur to be — plus, plus, plus. That’s how you reestablish deterrence.”