A Government Accountability Office (GAO) report has described the federal response to two high-profile cybersecurity incidents that affected the U.S. government.
Beginning as early as January 2019, according to the company’s Chief Executive Officer, a threat actor breached the computing networks of SolarWinds, a Texas-based network management software company. The federal government later attributed the intrusion to the Russian Foreign Intelligence Service. Because the company’s SolarWinds Orion software was widely used across the federal government to monitor network activity and manage network devices, the compromise gave the threat actor a path into the networks of several federal agencies that ran the software.
While the response to and investigation of the SolarWinds breach were still ongoing, Microsoft reported in March 2021 that vulnerabilities in several versions of Microsoft Exchange Server were being exploited to gain access to those servers, including on-premises versions that federal agencies hosted and used. According to a White House statement, the U.S. government assessed with a high degree of confidence that malicious cyber actors affiliated with the People’s Republic of China’s Ministry of State Security conducted operations using these Exchange vulnerabilities. The vulnerabilities initially allowed threat actors to make authenticated connections to Exchange servers from unauthorized external sources. Once connected, an actor could chain additional vulnerabilities to escalate account privileges and install web shells that provided remote access to the server. Because a web shell remains in place after the underlying vulnerabilities are patched, this allowed persistent malicious operations even on patched servers; patching alone did not remove an actor who had already installed one.
GAO reports that federal agencies took several steps to coordinate and respond to the SolarWinds and Microsoft Exchange incidents, including forming two Cyber Unified Coordination Groups (UCG), one for each incident. Both UCGs consisted of the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Office of the Director of National Intelligence (ODNI), with support from the National Security Agency (NSA). According to UCG agencies, the Microsoft Exchange UCG also integrated several private sector partners more fully than past UCGs had.
According to CISA, the potential exploitation from both incidents posed an unacceptable risk to federal civilian executive branch agencies because of the likelihood of vulnerabilities being exploited and the prevalence of affected software.
The watchdog found that CISA issued emergency directives to inform federal agencies of the vulnerabilities and describe what actions to take in response to the incidents. To aid agencies in conducting their own investigations and securing their networks, UCG agencies also provided guidance through advisories, alerts, and tools. For example, the Department of Homeland Security (DHS), including CISA, the FBI, and NSA released advisories for each incident providing information on the threat actor’s cyber tools, targets, techniques, and capabilities. GAO adds that CISA and certain agencies affected by the incidents have taken steps and continue to work together to respond to the SolarWinds incident. Agencies have completed steps to respond to the Microsoft Exchange incident.
Agencies also identified multiple lessons from these incidents. For instance,
- coordinating with the private sector led to greater efficiencies in agency incident response efforts;
- providing a centralized forum for interagency and private sector discussions led to improved coordination among agencies and with the private sector;
- sharing of information among agencies was often slow, difficult, and time consuming; and
- collecting evidence was limited due to varying levels of data preservation at agencies.
In addition to the actions taken by the UCGs, in May 2021, the President issued Executive Order 14028 Improving the Nation’s Cybersecurity that was prompted, in part, by the compromise of the SolarWinds software supply chain. The executive order identifies a broad range of cybersecurity areas in need of improvement across the federal government and addresses, among other things, short and mid-term challenges highlighted by the incident.
The executive order also directed the Secretary of Homeland Security, in consultation with the Attorney General, to establish a Cyber Safety Review Board to review and assess the threat activity, vulnerabilities, and mitigation activities of, and agency responses to, significant cyber incidents. The board’s initial review is to be focused on the compromise of SolarWinds and is to include recommendations to the Secretary of Homeland Security for improving cybersecurity and incident response practices. The executive order does not provide a timeline for when the board should be established after an incident. As of December 2021, a board had not yet been established. However, DHS was collaborating with federal interagency partners to establish the board and nominate appointees.
The executive order includes a provision for the Secretary of Homeland Security to develop a standard set of operational procedures or playbook to be used in planning and responding to cybersecurity vulnerabilities and incidents. An official from CISA’s Cybersecurity Division told GAO that the agency published the document in November 2021. The document contains two playbooks, one for incident response and one for vulnerability response and provides federal agencies with a set of procedures to identify, coordinate, remediate, recover, and track successful mitigations from incidents and vulnerabilities affecting federal systems, data, and networks.
To address software supply chain security, the executive order directed, among other things, the Director of the National Institute of Standards and Technology (NIST) to publish guidelines that include criteria for evaluating the security practices of software developers and suppliers, and guidance identifying practices that enhance the security of the software supply chain. In July 2021, NIST, in consultation with NSA, issued guidelines recommending minimum standards for vendors’ testing of their software source code, as the executive order required. Also in July 2021, after consulting with CISA and the Office of Management and Budget, NIST issued guidance outlining security measures for the use of critical software.
The executive order also addresses the challenges of sharing threat information between the federal government and IT service providers. As of October 2021, an official from CISA’s Cybersecurity Division told GAO that the agency had made recommendations to the Federal Acquisition Regulatory Council to remove contractual barriers to information sharing from federal contractors that included proposed standardized contract language for appropriate cybersecurity requirements. Further, the official noted that CISA created standard operating procedures to share contractors’ reported information appropriately among agencies.
The risks to information technology systems supporting the federal government and the nation’s critical infrastructure are increasing. GAO says effective implementation of the executive order could assist with efforts aimed at improving information sharing and evidence collection, among others.
While GAO’s report was largely positive, it noted some shortcomings. For example, officials from two UCG agencies stated that sharing information among agencies and private sector partners was a slow and difficult process because of restrictions on sharing information. Specifically, an official from ODNI’s Cyber Executive Office told GAO that information sharing among law enforcement, private sector, and intelligence groups was difficult and time consuming because the information carried different classification levels. In addition, a Senior Technical Director from CISA’s Cybersecurity Division told the watchdog that sharing data received from law enforcement with other agencies and the private sector was challenging. Both officials said that a shared channel other than email for exchanging information among federal agencies and private sector partners would have been beneficial.