Kiersten Todt, a veteran cybersecurity policy leader, says the SolarWinds cyber attack demands a policy response beyond one-off retaliation against a foreign aggressor, and provides an opportunity for the incoming Biden administration to launch a collaboration with global allies on how to respond to attacks on critical infrastructure.
“The impact of the attack is equal on industry and government, and it is significant,” Todt told Inside Cybersecurity as policymakers inside and outside the U.S. government sort through damage from an attack officials are privately attributing to Russia. The attack allowed adversaries to infiltrate government and private-sector systems using tech company SolarWinds’ Orion software products.
The Cybersecurity and Infrastructure Security Agency on Sunday issued Emergency Directive 21-01 requiring federal agencies to identify and disconnect SolarWinds Orion products from their systems.
Todt, who leads the Cyber Readiness Institute and was executive director for the 2016 Commission on Enhancing National Cybersecurity, said the attack highlights CISA’s need for greater resources, given its wide-ranging responsibilities including securing federal systems and collaborating with critical-infrastructure operators.
But it also creates an opening “to look at how we consider this kind of attack, it’s a tremendous opportunity to work collaboratively and cooperatively with allies on how to respond to this kind of attack on critical infrastructure,” Todt said. “There absolutely has to be a response, we can’t say ‘it’s just espionage.’ That doesn’t mean ‘retaliation,’ it means we have to ‘confront.’”
Todt called for “a joint collaborative threat assessment, across countries, to come up with a framework for action.”
She said U.S. allies are “very eager” to work on these issues with the United States.
“There are a lot of lessons in this breach,” Todt said, including the need for an empowered position within the White House to ensure intelligence, defense and security agencies are effectively sharing information and collaborating, as called for in the fiscal 2021 National Defense Authorization Act. The White House on Tuesday reiterated President Trump’s intention to veto the NDAA bill, which has cleared Congress.
Lack of deterrence, lost trust
Other observers also weighed in on implications of the attack.
James Lewis of the Center for Strategic and International Studies commented Tuesday via Twitter: “Russians have pulled off some astounding coups: ShadowBrokers, election interference, exploiting Snowden, and now SolarWinds. Hopefully we have some big wins on our side to compensate, but the public narrative favors them.” He added sarcastically, “PS: another triumph for American cyber deterrence.”
Former White House official and current IronNet senior vice president Jamil Jaffer noted, “This incident highlights the increasingly important national security role of a diverse set of agencies like the Departments of Treasury and Commerce and the increased threat of nation-state attacks targeting such agencies.”
For instance, Chris Howell, CTO and cofounder of Wickr, pointed to “the purposeful targeting” of the National Telecommunications and Information Administration “to gain access to critical communications.”
Howell said, “This is becoming increasingly common and demonstrates the value of that data versus digging for PII. Because NTIA helps manage critical issues like telecommunications and 5G policy, carrying out a successful attack against the organization could deliver great geo-political and/or commercial value to foreign governments and state-run enterprises. Accessing data from communications systems can be just as effective for foreign adversaries as planting bugs, and fear of the future disclosure of communications can have a very chilling effect on collaboration in general.”
Howell, whose firm provides an end-to-end encrypted collaboration platform to the Defense Department and private-sector clients, said, “Speaking as a security professional and not a shaper of foreign policy, I’d say the best deterrence policy is securing data better and changing the risk/reward calculation for the attacker. This can be done by focusing more on reducing impact rather than reducing likelihood of attack. If it’s not worth attacking, or it does you no good to steal it, then it’s not worth the risk of getting caught trying.”
David Simpson, former homeland security chief at the Federal Communications Commission, said damage from the attack is likely extensive and regaining trust is going to be a long-term endeavor.
“The SolarWinds attack is bad. An attack like this will take months to years to get an adversary out of large complex networks,” Simpson said. “It looks like the Russian actors were in from March to December of this year. In that timeframe they would have worked to spread laterally, well beyond the SolarWinds application.”
And, he said, the attackers “would have planned for the day in which the original compromise was discovered and used the access they gained to establish credentials as an authorized user, then worked to elevate those privileges to attain system administration permissions. They would have planned at every step for the eventuality that moves would be discovered and built in quiescent agents to reactivate controls from the inside after the victim organization thinks they’ve purged adversary access.”
Historically, Simpson said, “regaining full confidence in complex networks will require a dedicated team and significant coordination across an enterprise. Where organizations have established higher level trust relationships, this can take even longer.”
He noted that “Sophisticated cyber defense organizations will have planned for this day and have a head start on the forensics and coordination required for full recovery. For organizations with less organized cybersecurity operations the expensive cost of full remediation will cause some to cut corners or only focus on the obvious signs of compromise. The uncertainty across industry sectors will negatively impact trust for some time to come.” — Charlie Mitchell (email@example.com)