Challenges face the US government amid an increasingly turbulent threat landscape, foreshadowed by the SolarWinds supply chain attack disclosed in December 2020.1 But to categorize SolarWinds as merely a hack is a disservice: it is now understood to be a major cybercampaign that, according to hearing testimony, involved an estimated 1,000 engineers on the attacker's side.2
As a retired service member who has had the privilege of serving as a US Navy sailor and member of the US intelligence community, I truly appreciate and commend the efforts of former colleagues who still protect US government networks, fulfill cyber-first response duties or shape strategy and workforces to combat future threats. Collectively, there are countless analysts among the US military, law enforcement and intelligence agencies that share a quest to learn all they can about what happened and why. In Washington DC, USA, lawmakers are busy holding hearings that may, ultimately, serve to shape public policy and improve cybersecurity legislation.
The US Senate Select Committee on Intelligence recently held a hearing on the SolarWinds attack.3 US congressional hearings are often lengthy, and this one was no different at approximately 2.5 hours long. The 4 parties testifying that day were CrowdStrike, FireEye, Microsoft and SolarWinds. The contrasting perspectives between software providers Microsoft and SolarWinds4 and first responders CrowdStrike and FireEye were apparent, and to be expected.
The US Senate Committee on Homeland Security and Governmental Affairs also conducted its own hearing.5 Unlike the Intelligence committee’s hearing, this hearing was focused on the US governmental perspective and included testimony from the US Office of Management and Budget (OMB), the US Cybersecurity and Infrastructure Security Agency and the US Federal Bureau of Investigation (FBI).
Admittedly, US lawmakers have staunch critics when it comes to matters involving technology and privacy. Each hearing was very different, which could be attributed to the fact that 1 involved the private sector and the other entailed the public sector. But the hearings partially restored my confidence as some committee members appeared to have a better understanding of the subject at hand, which made for thoughtful questions and meaningful dialog.
The Homeland Security and Governmental Affairs hearing included multiple references to, and praise by agency officials for, lawmakers passing the US American Rescue Plan Act of 2021, which authorizes US$1 billion for technology modernization and another US$650 million for the Cybersecurity and Infrastructure Security Agency for cyberrisk mitigation.6 US taxpayers may have been glad to see ranking member US Senator Rob Portman point out the persistent lack of accountability to date. Concerns over leadership by committee are well founded, yet it is the US Congress that often enables this, thanks to iterations of governmental restructuring over the years. Nonetheless, the testimony reinforced why US Senate Select Intelligence Committee Chair Mark Warner expressed concerns about the Cybersecurity and Infrastructure Security Agency.
Despite those glimmers of hope throughout the hearing, references to zero trust and the US National Institute of Standards and Technology (NIST) seemed to be merely mistimed buzzwords. Similarly, there remains naivety among government officials that they could counter decades of bad practices, upskill an aging workforce or make sound technology acquisitions with any urgency. The Homeland Security and Governmental Affairs committee deserves credit for its willingness to require adjustments to EINSTEIN prior to reauthorizing the program upon its current expiration in 2022.7
EINSTEIN originated as an intrusion detection system (IDS) and, although it has been enhanced significantly since 2003, it remains a perimeter-based capability driven by known indicators. It falls short when attacks are staged from within US-based infrastructure, as was the case with SolarWinds, and when the traffic involved is encrypted, which is now the norm. Increasing endpoint security capabilities is logical, but money alone will not help overcome longstanding acquisition challenges among and between US federal departments. The problem is further exacerbated because legal authorities that restrict the intelligence community to foreign collection leave it unable to act when attacks originate within US infrastructure, a fact that malicious actors know all too well.
Of interest is an apparent appetite for cyberspace norms (e.g., declaring the software update and patching process off-limits to threat actors). Microsoft's president made this a point of personal emphasis, highlighting the Global Commission on the Stability of Cyberspace (GCSC) proposed Rules of the Road.8 While interesting, norms alone cannot prevent cyberattacks, for the simple reason that malicious actors ignore laws.
The last point to highlight is the appetite for increased information sharing. Always the skeptic, I have little faith this can mature within the US federal space without real accountability and a cultural shift. With regard to threat intelligence, centers already exist in the form of Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs).9, 10 As the testimony revealed, it is a generally held belief that the US government wants corporate reporting, but does a poor job reciprocating—likely a by-product of governmental data classification programs. Either way, no governmental mandate can resolve longstanding trust issues surrounding information sharing.
Conclusion
The public policy dilemma facing lawmakers is worth examining. Industry is routinely called upon to help the government; however, in the case of SolarWinds, the US government is rightfully frustrated because despite many investments in cybersecurity, it was unaware of the activity occurring. Important to this conversation is the vulnerability that public affiliations pose. In the case of SolarWinds, it proudly posted its clientele on a customer listing page, which likely made the platform highly appealing to hackers. Although it was taken down, the archived page persists.
Bureaucracy of any kind can be frustrating, but it is readily apparent that throwing money at problems and systems without accountability often provides no net gain. Additionally, competing priorities and overlapping jurisdictions can hinder progress. Within the US Senate alone, SolarWinds falls under the purview of at least 3 Senate committees: Homeland Security and Governmental Affairs, Judiciary and Intelligence. Within the US House of Representatives, there is interest from at least the Oversight and Reform and Homeland Security committees.
The cycle of conducting hearings after hacks occur, followed by writing laws and spending money, is exhausting. In short, doing the same things yet expecting different results is senseless. Lawmakers must accept the fact, known universally by security practitioners, that all digital devices are vulnerable—they always have been and always will be. Cybersecurity is a technical risk and, for the foreseeable future, the goal must be to make cyberattacks costly for malicious actors.
Endnotes
1 Canales, K.; I. Jibilian; “Here's a Simple Explanation of How the Massive SolarWinds Hack Happened and Why It's Such a Big Deal,” Business Insider, 25 February 2021
2 C-SPAN, “Senate Intelligence Hearing on SolarWinds Hacking,” 23 February 2021, USA
3 Ibid.
4 Amazon was invited but did not participate and while their reasons are unknown, the optics of declining the opportunity to educate US lawmakers and do its part to advance US national strategy and potential legislation are terrible.
5 United States Senate Committee Hearing Channels, “Understanding and Responding to the SolarWinds Supply Chain Attack: The Federal Perspective,” 18 March 2021
6 Congress.gov, H.R.1319 - American Rescue Plan Act of 2021
7 The EINSTEIN system detects and blocks cyberattacks from compromising US federal agencies and provides the Cybersecurity and Infrastructure Security Agency with situational awareness to use threat information detected in 1 agency to protect other agencies and help the private sector. See http://www.cisa.gov/einstein.
8 Global Commission on the Stability of Cyberspace
9 National Council of ISACs, About ISACs, 2020
10 Information Sharing and Analysis Organization Standards Organization, About Us
Jonathan Brandt, CISM, CDPSE, CCISO, CISSP, CPI, CSA+, PMP
Is a senior information security practice manager in ISACA’s Content Development department. In this role, he contributes thought leadership by generating ideas and deliverables relevant to ISACA’s constituents. He serves ISACA® departments as a subject matter expert on information security projects and leads author management teams whenever external resources are necessary. Brandt is a highly accomplished US Navy veteran with more than 25 years of experience spanning multidisciplinary security, cyberoperations and technical workforce development. Prior to joining ISACA, Brandt was a project manager for classified critical infrastructure projects across the globe.