The federal government is prioritizing cooperation with the private sector — the “partnership has to be a core part of national cyber defense” — in order to fix the massive SolarWinds hack and beef up cyber infrastructure to better protect the country in the future, the White House cybersecurity chief said this week.
Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger previously served as the National Security Agency’s director of cybersecurity and led the agency’s election security operations. She told reporters at Wednesday’s White House press briefing that nine federal agencies and “about 100 private sector companies” were compromised.
“So the scale of potential access far exceeded the number of known compromises,” she said. “Many of the private sector compromises are technology companies, including networks of companies whose products could be used to launch additional intrusions… the techniques that were used lead us to believe that any files or emails on a compromised network were likely to be compromised.”
In December, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued an emergency directive “in response to a known compromise involving SolarWinds Orion products that are currently being exploited by malicious actors,” calling on “all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.”
Through breaching the SolarWinds Orion products, an attacker was able “to gain access to network traffic management systems,” the directive said, stressing that “disconnecting affected devices… is the only known mitigation measure currently available.” About 18,000 entities downloaded the malicious update.
Neuberger said the intelligence community is still investigating the hack and “until that study is complete I’ll use the language we previously used, which was to say an advanced persistent threat actor, likely of Russian origin, was responsible.”
“The actor was a sophisticated advanced persistent threat. Advanced: Because the level of knowledge they showed about the technology and the way they compromised it truly was sophisticated. Persistent: They focused on the identity part of the network, which is the hardest to clean up. And threat: The scope and scale to networks, to information, makes this more than an isolated case of espionage,” she said.
“And then, us: There’s a lack of domestic visibility, so as a country, we choose to have both privacy and security. So the intelligence community largely has no visibility into private sector networks. The hackers launched the hack from inside the United States, which further made it difficult for the U.S. government to observe their activity. Even within federal networks, a culture and authorities inhibit visibility, which is something we need to address.”
Neuberger said priorities in responding to the hack are “first, finding and expelling the adversary; second, building back better to modernize federal defenses and reduce the risk of this happening again; and finally, potential response options to the perpetrators.” That operation is proceeding at a measured pace “to ensure we lock down networks and really think through how to ensure this doesn’t happen again in the future,” and is estimated to take “several months… we certainly don’t have years.”
The National Security Council announced directly after the hack that, pursuant to a 2016 presidential policy directive, a Cyber Unified Coordination Group (UCG) was established in response to the breach “to ensure continued unity of effort across the United States Government in response to a significant cyber incident.” Neuberger said NSC coordination of the interagency response includes working with Capitol Hill and private-sector partners.
“This is challenging,” she added. “This is a sophisticated actor who did their best to hide their tracks. We believe it took them months to plan and execute this compromise. It’ll take us some time to uncover this, layer by layer.”
Neuberger stressed that the administration is “absolutely committed to reducing the risk this happens again” and an upcoming executive action will close some of the gaps identified during the NSC review of the hack.
“If you can’t see a network, you can’t defend a network,” she said. “And federal networks’ cybersecurity needs investment and more of an integrated approach to detect and block such threats.”
As for how the U.S. government might punish the hackers, “discussions are underway.”
“I know some of you will want to know what kind of options are being contemplated,” Neuberger said. “What I will share with you is how I frame this in my own mind: This isn’t the only case of malicious cyber activity of likely Russian origin, either for us or for our allies and partners. So as we contemplate future response options, we’re considering holistically what those activities were.”
Asked how much the hack will end up costing the U.S. government, Neuberger said the incident “really highlighted the investments we need to make in cybersecurity to have the visibility to block these attacks in the future,” but there is also a national security cost in the “scale of the information that was potentially compromised and the impact of how that information could be used in the hands of a malicious actor.”
“…When there is a compromise of this scope and scale, both across government and across the U.S. technology sector to lead to follow-on intrusions, it is more than a single incident of espionage; it’s fundamentally of concern for the ability for this to become disruptive.”
Neuberger told reporters that “due to the sophistication of the techniques that were used, we believe we’re in the beginning stages of understanding the scope and scale, and we may find additional compromises, particularly given the technology companies that were compromised.”
“And, no, we have not ruled out potential additional activity, but we’re very focused on carefully taking this step-by-step to understand the broad implications,” she added.