The U.S. government was hit by one of the largest cyberattacks on record after government contractors FireEye and SolarWinds announced a breach into their networks earlier this month.
The Cybersecurity and Infrastructure Security Agency (CISA) said in a Dec. 17 statement that the breach “poses a grave risk to the federal government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations.”
Intelligence community reports following the cyberattack concluded that its origins were most likely a cyber espionage operation conducted by Russian hackers.
Historically the vast majority of covert action operations, active measures, even military offenses, are preceded by some form of intelligence collection. Indeed collection may inspire and enable escalation. But an attack only begins after it is proposed, authorized, and planned.
— Thomas Rid (@RidT) December 23, 2020
Independent cybersecurity experts have since warned that the cyberattack could have dangerous consequences for national and corporate security. The federal government is scrambling to respond to the latest hack — here’s what their next steps could look like.
The full extent of the cyberattack has not been determined yet but an initial review concluded that multiple Cabinet-level departments, intelligence agencies, nuclear labs and Fortune 500 companies were compromised, according to The New York Times.
Hackers reportedly monitored and may have stolen emails from Homeland Security Department, Treasury Department, and Commerce Department officials. The allegedly Russian operation also began nine months ago but was not discovered until early December.
The CISA issued Emergency Directive 21-01 Dec. 13 instructing all federal civilian agencies to review their systems for indications of compromise and to disconnect anything reliant on SolarWinds’ Orion software.
“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” CISA Acting Director Brandon Wales said in a statement. “Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners — in the public and private sectors — to assess their exposure to this compromise and to secure their networks against any exploitation.”
The National Security Council (NSC) invoked an Obama-era presidential directive Dec. 15 creating a special group responsible for coordinating the federal government’s response.
“A Cyber Unified Coordination Group has been established to ensure continued unity of effort across the United States Government in response to a significant cyber incident,” NSC spokesman John Ullyot tweeted.
(1/3) “Pursuant to Presidential Policy Directive-41 (26 July 2016) and its Annex, a Cyber Unified Coordination Group (UCG) has been established to ensure continued unity of effort across the United States Government in response to a significant cyber incident.
— NSC (@WHNSC) December 15, 2020
The Inspectors General (IG) may also begin to look at the threat assessment to their respective agencies. Treasury Department IG J. Russell Georgia wrote in a Wednesday letter to members of Congress that the department conducted an internal audit of its systems and found no evidence that IRS taxpayer information was monitored or exposed.
Cybersecurity experts say that affected agencies and businesses should proceed by closing off all potential vulnerabilities and continuously monitoring data from SolarWinds and FireEye networks.
“Security teams need to know where their data is at all times across all environments, how it is used, and who has access to it in order to apply the appropriate controls,” Imperva chief technology officer Kunal Anand told Compliance Week.
This is not the first time the U.S. government has been affected by a major foreign cyberespionage operation. The Office of Personnel Management (OPM) hack in 2015 was one of the largest breaches of government data in U.S. history and could offer lessons in addressing the latest SolarWinds hack.
A group of hackers identified as X1 and reported to be working on behalf of the Chinese government breached the systems of contractors who ran background checks and had access to OPM servers, according to CSO. The agency was heavily criticized for weak security practices and for their slow response after the breach, according to NBC News.
Around 21 million personnel records were targeted in the OPM hack, including information about government employees and background check data.
OPM massively revamped its cybersecurity capabilities in the year after the breach, NPR reported. The agency requires two-factor authentication and only permits certain programs from being accessed on office computers. The OPM also introduced new tools to detect malware and monitor data moving through its network.
“There’s a whole series of things around technology, around people, and around process that are different today than a year ago,” former Acting OPM Director Beth Cobert told NPR. These policies likely carried over into the Trump administration.
But the OPM in 2018 was reportedly still vulnerable to a breach as it had failed to implement a number of recommendations provided by the Government Accountability Office, according to Forbes.
The government’s slow response after the OPM hack could serve as a cautionary warning for officials today as cybersecurity experts say the SolarWinds hack could take years to fully sort out, according to Business Insider.
Like the OPM hack, the SolarWinds hack will also cross over into a new presidential administration. President-elect Joe Biden has said he will approach the attack very differently than President Donald Trump, who appeared to downplay the incident.