Jolted by a sweeping hack that may have revealed government and corporate secrets to Russia, U.S. officials are struggling to strengthen the nation’s cyber defences and acknowledge that an agency created two years ago to protect America’s networks and infrastructure lacks the money, resources and authority to counter such sophisticated threats.
The breach, which hijacked widely used software from Texas-based SolarWinds Inc., has exposed the deep vulnerability of civilian government networks and the limitations of threat detection efforts.
A wave of spending on technology modernization and cybersecurity is also likely to be unleashed.
“The investments we need to make in cybersecurity are really highlighted in order to have the visibility to block these attacks in the future,” Anne Neuberger, the newly appointed Deputy National Cyber and Emergency Technology Security Advisor, said at a White House briefing on Wednesday.
The response reflects the severity of a hack that was only revealed in December. The hackers, previously unidentified but described as “likely Russian” by officials, had unrestricted access to the information and emails of at least nine U.S. government agencies and about 100 private companies, with the full extent of the compromise still unknown. And while this incident seemed to be aimed at stealing information, it heightened fears that future hackers could damage critical infrastructure, such as electricity grids or water systems.
President Joe Biden plans to release an executive order soon that Neuberger said will include about eight measures to address the security gaps exposed by the hack. The administration has also proposed expanding the U.S. budget by 30 percent. The Cybersecurity and Infrastructure Agency, or CISA, a little-known entity, is now under intense scrutiny because of the SolarWinds breach.
On Friday at the Munich Security Conference, Biden made his first major international speech, saying that dealing with “Russian recklessness and hacking into computer networks in the United States and across Europe and the world has become critical to protecting our collective security.”
Republicans and Democrats in Congress have called for the agency, a component of the Department of Homeland Security, to expand its size and role. It was established in November 2018 amid a sense that U.S. adversaries were increasingly targeting civilian government and corporate networks as well as “critical” infrastructure, such as the energy grid, which is increasingly vulnerable in a wired world.
Speaking at a recent cybersecurity hearing, Rep. John Katko, a New York Republican, urged his peers to quickly “find a legislative vehicle to provide CISA with the resources it needs to respond fully and protect us.”
Biden’s COVID-19 relief package called for $690 million more for CISA, as well as providing the agency with $9 billion to modernise IT across the government in collaboration with the General Services Administration.
That was pulled from the current version of the bill because a connection to the pandemic was not seen by some lawmakers. But Rep. Jim Langevin, co-chair of the Congressional Cybersecurity Caucus, said that with bipartisan support in pending legislation, perhaps an infrastructure bill, new funding for CISA is likely to reemerge.
Langevin, a Rhode Island Democrat, said in an interview, “Our cyber infrastructure is every bit as critical as our roads and bridges. For our economy, that’s critical. Protecting human lives is critical, and we need to make sure that we have a modern and robust cyber infrastructure.”
CISA operates a threat-detection system known as “Einstein” that could not detect the SolarWinds breach. Brandon Wales, the acting director of CISA, said that was because the breach was hidden in a legitimate SolarWinds software update delivered to its customers. Once the malicious activity could be identified, the system was able to search federal networks and identify several government victims. “It was designed to work within the agencies in concert with other security programmes,” he said.
This month, former CISA chief Christopher Krebs told the House Homeland Security Committee that the U.S. should raise funding for the agency, in part so that it can issue grants to state and local governments to strengthen their cybersecurity and speed up federal government IT modernization, which is part of the Biden proposal.
“Can we stop any attack? Oh, no. But we can take care of the most common risks and make it much harder for the bad guys to work and limit their success,” said Krebs, who was ousted after the election by then-President Donald Trump and now co-owns a consulting firm whose customers include SolarWinds.
In early December, the breach was discovered by the private security company FireEye, a cause of concern for some officials.
“It was quite alarming that, as opposed to being able to detect it ourselves to begin with, we found out about it through a private company,” Avril Haines, director of national intelligence, said at her January confirmation hearing.
Right after the hack was revealed, the Treasury Department bypassed its usual competitive bidding procedure to hire the private security company CrowdStrike, U.S. contract documents show. The department declined to comment. Sen. Ron Wyden, D-Ore., has said that hundreds of top agency officials’ email accounts were compromised.
In order to conduct an independent forensic review of its network logs, the Social Security Administration hired FireEye. Like other SolarWinds customers, the agency had a “backdoor code” installed, but “there were no indicators suggesting we were targeted or that a future attack occurred beyond the initial installation of software,” said spokesperson Mark Hinkle.
Sen. Mark Warner, a Virginia Democrat who chairs the Senate Intelligence Committee, said the hack exposed many federal-level deficiencies, though not generally a lack of public-sector employee skills. Still, “I doubt we’ll ever have all the in-house capacity we’d need,” he said.
In recent months, several new cybersecurity steps have been taken. Legislators established a national cybersecurity director in the defence policy bill passed in January, replacing a role at the White House that had been eliminated under Trump, and gave CISA the power to issue administrative subpoenas as part of its efforts to identify compromised systems and alert operators.
The law also provided CISA with increased authority to hunt for threats across civilian government agency networks, something Langevin said the agency was previously able to do only when invited.
“In practical terms, what that meant is that because no department or agency wants to look bad, they were not invited in,” he said. “You remember what was going on, then? They were all sticking their heads in the sand, hoping that the cyber attacks would go away.”