The U.S. government was subject to one of the largest cyberattacks on record for months before it was discovered in December that Orion, an information technology monitoring platform sold by software company SolarWinds and used by government agencies, had been compromised.
The Cybersecurity and Infrastructure Security Agency (CISA) announced in a Dec. 17 statement that the breach “poses a grave risk to the federal government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations.”
The intelligence community formally blamed Russia for the attack in a statement Tuesday, stating that hackers had been operating inside federal networks for nearly nine months before first being detected.
SolarWinds said about 33,000 of its customers used the program and that fewer than 18,000, roughly half, downloaded the update carrying the malicious code, according to The New York Times.
Multiple government entities — including the Homeland Security Department, Treasury Department and Commerce Department — reported in late December that emails had been monitored or stolen. The Justice Department announced Wednesday some of its email accounts were also compromised in the hack.
The federal government’s failure to effectively respond to the hack is notable given that the federal budget appropriates billions of dollars annually to stopping such attacks. The Trump administration’s fiscal year 2021 budget requested $18.8 billion for cybersecurity initiatives across federal departments and agencies.
Roughly $18.7 billion in federal spending was allocated for cybersecurity initiatives in fiscal year 2020, according to data group Deltek. Almost half of spending went to the Pentagon and agencies under its oversight such as the Defense Intelligence Agency and the National Security Agency (NSA).
Defense Department entities like U.S. Cyber Command and the NSA generally have classified budgets but overall receive considerably more funding than non-Pentagon agencies performing similar operations, according to data reported by national security blog Lawfare.
The fiscal year 2021 budget proposes nearly $10 billion for the Pentagon cybersecurity budget, far greater than the $1.47 billion budget proposed for CISA — which is nominally in charge of federal cybersecurity — and the combined $2.21 billion budgets proposed for other agencies within the Homeland Security Department (DHS) and Justice Department.
One critical distinction in the federal government’s cyber operations is between offensive and defensive capabilities. The Trump administration, like its predecessors, emphasized the importance of both in the 2018 National Cyber Strategy.
But the Defense Department’s 2018 Cyber Strategy outlined an alternative concept of persistent engagement to deter cyber attacks. The Pentagon stated this approach centers on “exposing, disrupting, and degrading cyber activity threatening U.S. interests.”
The shift towards offensive operations may also explain why Defense Department priorities receive the bulk of funding as opposed to DHS and federal law enforcement priorities, according to Lawfare.
The federal government’s primary agency for defensive operations is the National Cybersecurity and Communications Integration Center (NCCIC), housed within CISA at DHS. But the NCCIC received only about 10% of the funding allocated for military-backed cyber operations in the fiscal year 2021 budget.
An outline of NCCIC duties notes that the agency’s mission is to “reduce the risk of systemic cybersecurity and communications challenges” across federal networks. The NCCIC is also responsible for malware analysis and for ensuring that vulnerabilities within federal networks are identified and eliminated.
SolarWinds, in a Dec. 20 statement, identified the hack as a “supply chain attack”: rather than breaking into each victim directly, the attackers inserted malicious code into legitimate Orion software updates, so that every customer who installed the tainted update also installed the attackers’ backdoor.
SolarWinds asks all customers to upgrade immediately to Orion Platform version 2020.2.1 HF 1 to address a security vulnerability. More information is available at https://t.co/scsUhZJCk8
— SolarWinds (@solarwinds) December 14, 2020
The NCCIC would have been the first line of response against the attack, likely tasked with identifying the malware and closing off any points of entry the hackers could have used to reach federal networks.
CISA issued an emergency directive late Dec. 13 ordering federal civilian agencies to disconnect or power down SolarWinds Orion products. FireEye, the government contractor that discovered the hack, said this only solved part of the problem: removing Orion does not address the additional “back doors” the hackers may have left behind after using the initial access, according to The New York Times.
JUST RELEASED: Emergency Directive 21-01 calls on all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately. Read more: https://t.co/VFZ81W2Ow7
— Cybersecurity and Infrastructure Security Agency (@CISAgov) December 14, 2020
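The directive above asks agencies to do two concrete things before pulling the plug: check whether the Orion build they run predates the fixed release named in SolarWinds’ advisory, and sweep their hosts for indicators of compromise. The following is an added example, not code from the article, CISA or SolarWinds, showing one way an agency could script both checks. The version format (“2020.2.1 HF 1”, as in the SolarWinds tweet) is taken from the article; the DLL file name, the directory layout and the indicator hashes are assumptions constructed for the example and are not real SUNBURST indicators.

```python
"""Constructed example: Orion version check plus a file-hash IoC sweep.

Everything under 'constructed' or 'assumption' below is made up for the demo
and must be replaced with the real advisories' data before operational use.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Fixed build named in SolarWinds' Dec. 14 advisory (quoted in the article).
FIXED_VERSION = "2020.2.1 HF 1"

# Assumption: the file name an IoC list would point at. Replace with the
# names and hashes published by CISA/FireEye; nothing here is a real hash.
TARGET_FILENAME = "SolarWinds.Orion.Core.BusinessLayer.dll"

# Orion versions look like "2020.2", "2020.2.1", "2019.4 HF 5", "2020.2.1 HF 1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?$", re.I)


def parse_orion_version(text):
    """Turn an Orion version string into a comparable (major, minor, patch, hotfix) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch or 0), int(hotfix or 0))


def is_patched(installed, fixed=FIXED_VERSION):
    """True if the installed build is the fixed release or newer."""
    return parse_orion_version(installed) >= parse_orion_version(fixed)


def sha256_file(path):
    """Stream the file so large DLLs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_for_iocs(root, bad_hashes, filename=TARGET_FILENAME):
    """Walk 'root' for copies of the target file and report any whose SHA-256 is on the IoC list.

    Returns a list of (path, digest) tuples. Note what this does NOT do: it
    says nothing about credentials or accounts the attackers may have added
    after the backdoor ran, which is FireEye's point about persistence.
    """
    hits = []
    for path in Path(root).rglob(filename):
        digest = sha256_file(path)
        if digest in bad_hashes:
            hits.append((str(path), digest))
    return hits


def build_demo_tree(root):
    """Write two constructed stand-ins for the DLL: one clean, one 'trojanized'.

    Returns the constructed IoC set (the hash of the 'trojanized' copy only).
    """
    clean = Path(root) / "ServerA" / TARGET_FILENAME
    bad = Path(root) / "ServerB" / TARGET_FILENAME
    clean.parent.mkdir(parents=True)
    bad.parent.mkdir(parents=True)
    clean.write_bytes(b"constructed clean build")        # constructed sample
    bad.write_bytes(b"constructed trojanized build")     # constructed sample
    return {sha256_file(bad)}


def run_demo():
    """Run both checks against the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        iocs = build_demo_tree(root)
        hits = scan_for_iocs(root, iocs)
        return {
            # Name of the host directory holding each flagged copy.
            "hit_hosts": sorted(Path(p).parent.name for p, _ in hits),
            "patched_2020_2_1_hf1": is_patched("2020.2.1 HF 1"),
            "patched_2020_2_1": is_patched("2020.2.1"),
            "patched_2019_4_hf5": is_patched("2019.4 HF 5"),
        }


if __name__ == "__main__":
    print(run_demo())
```

Two points from the article carry over into the design. The version check treats “2020.2.1” as unpatched even though it is only one hotfix short of the fixed build, because the hotfix is the fix. And the hash sweep flags only the tainted file: a clean result from it is exactly the “only part of the problem” situation FireEye described, since it cannot see what the attackers did with the access the backdoor gave them.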
FireEye threat director John Hultquist noted the hackers could have maintained their presence in victim networks, even after the Orion backdoor was removed, by using illegitimate email accounts and other tools to bypass security systems. Such a tactic highlights the sophistication of the hack and the difficulty cyber agencies face in responding effectively.
“A supply chain attack like this is an incredibly expensive operation — the more you make use of it, the higher the likelihood you get caught or burned,” Hultquist told The New York Times. “They had the opportunity to hit a massive quantity of targets, but they also knew that if they reached too far, they would lose their incredible access.”