President Biden looks set to sign off an executive action to address gaps in the US’s national cyber security posture that were left painfully exposed by the December 2020 SolarWinds incident.
The attack first came to light through cyber security company FireEye and was subsequently found to be a wide-ranging intrusion into multiple systems and agencies of the federal government – with the perpetrators, tracked by FireEye as UNC2452, almost certainly backed by the Russian government.
Speaking at a White House press conference, Anne Neuberger, the deputy national security adviser for cyber and emerging technology, said nine federal agencies and about 100 private sector companies were compromised out of some 18,000 entities that downloaded tainted updates to SolarWinds’ Orion platform. The tainted updates gave the attackers a foothold on every system that installed them, but follow-on intrusion was pursued only against that far smaller set of chosen targets.
“So, how did this happen?” said Neuberger in prepared remarks. “There are two parts to that – them and us. The actor was a sophisticated advanced persistent threat. Advanced: because the level of knowledge they showed about the technology and the way they compromised it truly was sophisticated. Persistent: they focused on the identity part of the network, which is the hardest to clean up. And threat: the scope and scale to networks, to information, makes this more than an isolated case of espionage.
“And then, us: there is a lack of domestic visibility, so, as a country, we choose to have both privacy and security. So the intelligence community largely has no visibility into private sector networks. The hackers launched the hack from inside the United States, which further made it difficult for the US government to observe their activity. Even within federal networks, a culture and authorities inhibit visibility, which is something we need to address.”
Neuberger said the group did its best to obfuscate its activity and, as previously reported, had been active for a long time. She said it would take the authorities some time to uncover the full extent of the group’s malfeasance, and implied that it may, in some cases, still have access to target systems.
Over the past few weeks, Neuberger has been coordinating a wide-ranging, cross-departmental response and has stepped up engagement with the cyber security community to draw on its visibility and technology, with a view to removing the barriers and disincentives that have hampered information-sharing. She also pledged investment in the security of federal networks and a more integrated approach to detecting and blocking future threats.
Jonathan Reiber, a cyber policy official in the Obama administration and now senior director of cyber strategy and policy at AttackIQ, agreed that there was a real opportunity to enhance information-sharing and public-private sector collaboration in the wake of the SolarWinds attack, specifically through combined cyber operations conducted by security firms alongside government agencies.
“The 2021 NDAA [National Defense Authorization Act] includes a provision for a joint public-private planning centre, which is a good step,” he said. “This centre should focus on increasing voluntary, combined cyber defence operations to effectively blunt and disrupt attacks.”
Reiber said he expected some cost impositions on the perpetrators “at a time and place of the US government’s choosing”.
“Our adversaries continue to operate with impunity in the grey space below the level of conflict, and the US needs a real cost imposition capability to deter and dissuade attacks,” he said. “Upcoming response options could include sanctions, indictments, cyber space operations and other punitive measures. In this case, I would expect sharp sanctions at the least, commensurate with the intrusion.”
Meanwhile, other organisations caught up in the compromise continue to make themselves known, including Norges Bank Investment Management (NBIM), which runs Norway’s Government Pension Fund Global, the world’s largest sovereign wealth fund, built up from the country’s oil revenues.
Speaking to business newspaper Dagens Næringsliv, the organisation’s chief governance and compliance officer, Carine Smith Ihenacho, said NBIM had downloaded and installed the tainted Orion platform updates in July 2020, and only realised it was at risk in the wake of the December 2020 revelations.
Ihenacho said there was no sign that the group behind the SolarWinds attack had accessed its systems during that five-month period, or any evidence to suggest that NBIM was one of its targets.
Nevertheless, the organisation has now ended its relationship with SolarWinds, she added.