Russia has long been viewed as a threat in cyberspace. But after one of the most successful cyber intrusion campaigns in U.S. history, questions are being raised over how the federal government was so completely blindsided by an attack many experts have seen coming.
The successful hacking of multiple federal agencies and tens of thousands of individual federal and private entities — widely presumed to be a Russian intrusion and which federal officials warn is ongoing — managed to subvert sophisticated protections by targeting third-party software contractor SolarWinds.
“We shouldn’t have been surprised, the Russians are very sophisticated, they are very dedicated and relentless, and this appeared to be a soft target they were able to exploit,” Christopher Painter, the former State Department cybersecurity coordinator under both the Trump and Obama administrations, said on Friday.
Russia, alongside China, North Korea and Iran, is considered one of the pressing threats to the U.S. in multiple fields.
Following the 2016 presidential election, when Russian agents launched a sweeping and sophisticated campaign designed to sway the election toward now-President Trump, top federal agencies began a four-year process designed to shore up the election and ensure this type of attack could never happen again.
These officials, led by the two-year-old Cybersecurity and Infrastructure Security Agency (CISA), largely succeeded, with Election Day seeing few security incidents.
However, some say the U.S. may have turned attention away from other attack vectors used by Russia.
As of Friday, agencies including the Department of Energy and its National Nuclear Security Administration, the Department of Homeland Security, the State Department, and the Treasury Department had reportedly been breached as part of the espionage incident. SolarWinds has reported it believes at least 18,000 of its customers were compromised by the hack.
The hackers accessed systems as early as March, and questions have mounted over how much they took or were able to access.
“This is the most significant cyberattack in the history of the United States,” Tom Kellermann, a former member of an Obama administration cybersecurity commission and current head of cybersecurity at VMWare CarbonBlack, told The Hill. “It’s unprecedented in the 22 years I’ve been in the business.”
Kellermann said he and his team believed that Russia had stepped up its cyberattacks against the U.S. in retaliation for the success of securing the 2020 elections and following the disruption of international botnet group “TrickBot” that targeted U.S. critical infrastructure with ransomware viruses.
He noted that ransomware attacks on hospitals over the fall “should have been a signal and a red line that dramatic escalation is occurring.”
Key details are emerging of overlooked vulnerabilities.
“It’s important to focus-in on this nuance that there is a small set of actions that can help prevent incidents like this in the future and that, could have, potentially discovered it earlier,” said David Springer, who has served at the National Counterterrorism Center and the Defense Intelligence Agency and is currently at the law firm Bracewell.
“The penetration of SolarWinds appears to be the product of poor cyber hygiene at the company,” said Mark Montgomery, a senior fellow at the Foundation for Defense of Democracies. “And let’s not undersell the skill sets of the perpetrators. The Russian intelligence services – SVR – are capable adversaries."
The idea of strengthening cybersecurity defenses and zeroing on critical supply chains for federal agencies is not a new issue on Capitol Hill, with both gaining wide bipartisan support. However, partisan gridlock on other issues has made it increasingly difficult for legislation to move through Congress, slowing down cyber priorities.
One item that has gained bipartisan support is the 2021 National Defense Authorization Act (NDAA), which includes the widest range of federal cybersecurity improvements in years, including provisions establishing a White House cyber czar and strengthening CISA’s powers.
President Trump has announced his intention to veto the bill over other concerns, drawing bipartisan backlash, and has not yet commented on the breach, despite being reportedly briefed on the topic.
“This cyber attack likely perpetrated by the Russians spotlights the glaring vulnerabilities of our federal cybersecurity system,” Sen. Susan Collins (R-Maine), a member of the Senate Select Committee on Intelligence, tweeted Friday.
“The President should immediately sign the NDAA not only to keep our military strong but also because it contains significant cyber security provisions that would help thwart future attacks,” she added.
The leaders of the Senate Armed Services Committee put out a statement Thursday night describing the NDAA as “must-pass legislation” in light of the breach. Sens. Rob Portman (R-Ohio) and Gary Peters (D-Mich.), the incoming leaders of the Senate Homeland Security and Governmental Affairs Committee, vowed Friday to produce “bipartisan comprehensive legislation” next year to ensure this type of attack never happened again.
National security officials are challenged by how to respond to foreign cyber espionage, resistant to imposing high costs that could be inflicted on the U.S. over its own intelligence gathering.
Officials have taken action when espionage activities have risen to the level of threatening national security, such as the Trump administration’s closure of the Chinese consulate in Houston in July over what it said were espionage activities that went beyond intelligence gathering.
Singer, the former federal counterterrorism official, said the information available on the SolarWinds attack points to traditional espionage, but is worrying over what national security infrastructure is compromised.
“Based on the very early days, limited information we have so far, it appears that this was mostly traditional intelligence gathering, but I think it’s a real concern that the same access to these critical targets and systems could easily be used for another purpose, in the future, had it not been discovered,” he said.
John Bolton, Trump’s former national security advisor, said the response from the U.S. needs to be at least three times more than the cost of the attack that was incurred, during an interview with MSNBC.