The first public hearing on the massive hack associated with SolarWinds, most likely perpetrated by the Russian intelligence services, occurred this week. The Senate Intelligence Committee heard from private sector witnesses, including from SolarWinds, in what will be the first of many hearings in both chambers of Congress. Members and witnesses floated legislative and policy fixes that may prevent another massive hack of United States (U.S.) agencies and the private sector, which is not to say Congress will imminently act. However, like any organization, some Members may have fallen prey to what has been called the “Do Something” fallacy, under which the animating belief is that action beats inaction. A number of Members stressed that the full scope and breadth of the hack may not be known for some time, suggesting prudence may be warranted before making systemic changes in U.S. law and policy. However, the power of appearance may overcome prudence, and there may soon be legislation.
Neither the chair nor the ranking member named the Russian Federation or its foreign intelligence agency, the SVR, as the perpetrator of the hack, even though in early January the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) issued a joint statement naming the Russian Federation as the likely perpetrator of the massive SolarWinds hack, albeit in qualified and hedged language.
Turning to policy prescriptions, the witnesses came armed with plenty. The solutions offered by the witnesses broadly fall into the category of doing more of what is currently happening, but better and more widely, such as sharing more and better threat information. Of course, the information sharing regime established under the “Cybersecurity Act of 2015” (P.L. 114-113) was marketed at the time as the law needed to foster information sharing between public and private sector entities. Last fall, the Department of Homeland Security’s (DHS) Office of the Inspector General (OIG) issued its biannual report on how this statute has been implemented and found numerous issues, especially related to the lackluster and limited information the Cybersecurity and Infrastructure Security Agency (CISA) has been providing to the limited number of participants. There are a host of reasons why private sector companies may not participate in this information sharing arrangement, as noted in this blog posting from 2015 by a “white shoe” law firm that warned “disclosing information about a company’s own specific cyber vulnerabilities and incidents can carry legal, competitive, and reputational risks that are far greater if that information is learned by competitors and customers.”
Nonetheless, a few witnesses asked the committee for changes in U.S. law that would provide legal protection for firms so they would report cyber incidents to the U.S. government. Some suggested a mandatory reporting regime as currently exists for some regulated entities while others seem to imply liability protection would function as an effective incentive, obviating the need for a requirement. In view of how well CISA’s information sharing arrangement has functioned, it seems a mandatory system will be needed.
In any event, information sharing, even of the best, highest quality, most actionable threat data, will only matter if entities act. For example, there have been reports of SolarWinds not acting to shore up vulnerabilities when informed of them. Likewise, the People’s Republic of China’s massive hack of Equifax was largely made possible because the company failed to apply a widely available patch. And, these are not isolated instances.
In his opening statement, new Chair Mark Warner (D-VA) lauded the committee’s long-time bipartisan tradition, perhaps subtly trying to signal to Members not to politicize matters before the committee. He noted Amazon Web Services (AWS) declined to testify but said the company has updated the committee. Warner noted that a number of victims of the hack did not use SolarWinds, which indicates there is much about the attack vector that is not known. He noted that the hack is shaping up to be the biggest and most significant hack in U.S. history. Warner stressed “this intrusion had the possibility of being exponentially worse than what has come to pass so far.” He worried that the unnamed hackers (Warner never identified the nationality or affiliation of the hackers, probably out of an abundance of caution) have established beachheads in numerous companies that will allow them to return to surveil and possibly attack for years in the future.
Warner lamented that the U.S. government’s multi-billion dollar cybersecurity enterprise did not uncover the hack. He noted that had FireEye not revealed it had been penetrated, it is by no means certain the hack would have been discovered by now. Warner wondered what would have happened if FireEye had not come forward. He quoted Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger, who said the response will take a long time in both the public and private sectors (which by implication means an expensive process).
Warner quickly turned to solutions. He said he wanted to hear from witnesses what the Congress and the U.S. government should do and also how private sector entities are responding. Warner summarized the hack as a massive exploitation of authentication and trust systems arranged around the update supply chain. Warner said the attack highlights lingering cybersecurity issues and noted some of the policy solutions that some are calling for:
- Mandatory incident reporting requirements
- Requiring a software bill of goods
- Significantly improving information sharing between the government and private sector
Warner posed some policy questions he thinks need answering:
- Why should the U.S. government not impose mandatory incident reporting requirements, even if this entails some level of liability protection? He conceded it is an open question who would receive this information and, if a new entity, whether it would be a government or private sector body.
- What policies would improve cybersecurity and incident reporting in the U.S.?
- Whether the U.S. needs cyber norms, ideally shared by other nations, that would declare certain targets off limits the same way the laws of war do.
It bears note that despite the joint statement by U.S. security agencies saying it was likely Russia that hacked SolarWinds, government agencies, and private sector entities, Warner did not once mention the country. In fact, he did not mention any nation, even though there have been reports the PRC may have also hacked SolarWinds to penetrate U.S. government agencies, namely the Department of Agriculture’s National Finance Center (NFC). Perhaps this is a strategic move to keep the hearing focused on the issues at hand without opening the door to politically explosive topics, given the Trump Administration’s treatment of the Russian Federation.
New Ranking Member (and former Chair) Marco Rubio (R-FL) also mentioned his disappointment that AWS opted against appearing at the hearing. He pointed out that the hackers used AWS architecture in large part to conduct the attack, meaning AWS may be getting numerous invitations to testify as Congress continues to dig into the massive hack.
Rubio reiterated Warner’s observation that without FireEye coming forward, the hack may still be unknown today. He stressed there is still much that is not known, including who has been breached, what information and systems were accessed, and any actions the hackers may have taken. Rubio raised the point that confidence in agency and private sector networks may be long in coming because of the great skill the hackers used, suggesting his expectation that there are more victims who do not yet know they have been breached. Or the implication is that there are so many places the hackers could hide or have planted a backdoor that the task of thoroughly searching systems will take an inordinate amount of time. Rubio wondered what the U.S. can do “to raise the bar for the cybersecurity of this nation.”
Rubio rebutted the Biden Administration’s claim that “when there is a compromise of this scope and scale, both across government and across the U.S. technology sector to lead to follow-on intrusions, it is more than a single incident of espionage; it’s fundamentally of concern for the ability for this to become disruptive.” He said such an operation and modus operandi could have resulted in “mass chaos,” but that this is not the situation. Instead, in his view, the hackers engaged in espionage. Rubio cautioned against calls for retaliation against the hackers, especially military responses, until all the facts are known. In doing so, he also warned against using terms like “act of war” to describe what in all likelihood was an espionage operation.
Rubio asserted the committee, Congress, and stakeholders should look at means to shore up U.S. critical infrastructure, namely how to defend better. On this point, Rubio may be gently pushing back against the cult of defend forward and taking the fight to the enemy, for U.S. offensive capabilities were largely unchained by the Trump Administration and yet a nation state adversary was able to conduct perhaps the most significant hack in U.S. history. Rubio added he is open to some cyber incident reporting mandates.
Interestingly, Rubio went out of his way to express his desire to be a constructive participant in discussions over information sharing:
We must improve the information sharing between the federal government and private sector. I look forward to being an active and constructive participant in these debates.
Perhaps this is the sort of verbiage or padding staff throws in for their Member to say in order to make them appear reasonable. It is still curious, for why would a Member not be constructive on such an important issue?
As mentioned, the witnesses had many policy prescriptions, but there is a need to separate the wheat from the chaff (i.e., thinly disguised advertisements for their companies’ services and policies that would benefit the company). And so, Microsoft President Brad Smith’s extolling the virtues of moving more U.S. operations and systems to the cloud should be questioned given the company’s Azure cloud offerings. Moreover, it is not uncommon for private sector stakeholders to take a Trojan Horse approach to getting pet policies enacted by having them ride along with other policies.
FireEye CEO Kevin Mandia proposed “a federal disclosure program for not only sharing threat indicators but for also providing notification of a breach or incident…[that] should:
- Safeguard the protection and integrity of electronic and other types of data;
- Encourage entities to adopt recognized cybersecurity standards and practices with a minimum threshold;
- Focus less on punitive measures;
- Provide greater incentives for private sector entities, including liability protections and statutory privilege to not be disclosed in civil litigation (e.g., confidentiality obligations);
- Protect privacy and civil rights; and
- Provide technical assistance to small entities that do not have cybersecurity expertise or
Mandia also suggested the U.S. government utilize the capabilities of private sector cybersecurity firms, a proposal that hints at a policy which would apparently benefit his company and other similar security firms. Mandia stated:
- The Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security has made great strides in recent years to encourage information sharing from the private sector and to develop capabilities that provide cyber threat hunting and incident response capabilities to government agencies and critical infrastructure partners. Unfortunately CISA’s capacity is still limited compared to the relative demand, especially during periods of large-scale or widespread cyber attacks.
- The only way CISA can be successful is to properly harness the power and respect of the private sector. Private companies have huge resources and talent, and already defend much of our Nation’s infrastructure. We must be more creative about how CISA can leverage and work with private sector talent and resources. This also necessitates involving the National Security Agency and U.S. Cyber Command in certain instances of widespread cyber attacks.
- In addition to encouraging private sector information sharing, focused attention should be given to building more effective collaboration between the government and private sector critical infrastructure organizations. Providing timely, contextual, and actionable information and technical support prior to and during a cyber attack is key to building trust and providing mutual value and benefits to both parties.
- Although we cannot eliminate or prevent every security incident, prompt and coordinated actions allow us to minimize the impact and consequences of an incident. Rapid detection of the intrusions, combined with more timely notification to victims, would provide organizations an opportunity to mitigate as opposed to just evaluating the impact of the compromise and the value lost to the adversary. Such speed could be achieved through efficient, consistent, and confidential information sharing between and among members of a small consortium of government agencies, law enforcement, security and other private companies.
SolarWinds CEO Sudhakar Ramakrishna stated that “[w]e are committed to contributing our lessons and experiences, and believe this response should build on recommendations from the Cyberspace Solarium Commission and the Fiscal Year 2021 National Defense Authorization Act (NDAA):
- Improving Industry-Government Supply Chain Security Collaboration: Building on CISA’s Information Communications Technology Supply Chain Risk Management Task Force and consistent with Solarium Enabling Recommendations 4.6.1 (Increase Support to Supply Chain Risk Management Efforts) and NDAA Section 1713 (Establishment of an Integrated Cybersecurity Center), advocate for a public-private initiative to secure enterprise software and services by increasing threat sharing and fostering greater joint collaboration between private firms and government stakeholders including CISA, FBI, DOD and ODNI.
- Improving Federal Government Cybersecurity Standards: Building on DOD’s Cybersecurity Maturity Model Certification (CMMC) effort for Department of Defense contractors and continued security enhancements to the Federal Information Security Modernization Act (FISMA), support the creation of industry-wide security standards based on continuous risk monitoring and measurement for current and potential government contractors.
- Improving Incident Notification to the Government: Consistent with Enabling Recommendation 4.7.1 (Pass a National Breach Notification Law), empower organizations with the appropriate incentives and liability protections to share more information on attempted or successful breaches with government cybersecurity authorities. Indicators of compromise associated with those events shared with software vendors in an anonymized way enriches the understanding of prevailing threat actor techniques and target sets, enabling software providers to improve defenses and better protect users.
Microsoft President Brad Smith offered the most extensive, detailed suggestions, which will be quoted only in relevant part:
- First, we need to strengthen supply chain security for the private sector and the U.S. Government for both software and hardware.
- There are existing best practices to draw upon, especially for software supply chain security. Any software developed or procured by federal agencies, including software that powers cloud services to which agencies subscribe, should reflect secure development practices and clear commitments to maintain software, including through vulnerability management, during the defined life of a product. Federal agencies should also require use of integrity controls throughout the software development, testing, and delivery processes, mitigating the risk of an attacker inserting malicious code before a new software product or update is delivered to users.
- Second, we need to broaden use of cybersecurity best practices, including through improved cyber hygiene and a commitment to IT modernization.
- Cloud migration is critical to improving security maturity across many organizations. At the same time, it’s not a panacea; even as technology users modernize legacy systems, they need to have strong basic security practices in place. This includes fundamentals for establishing a Zero Trust environment, assessing the security of cloud providers, and re-orienting risk management activities to complement third party services and security automation.
- At a national level, Microsoft recommends that the U.S. government, and particularly CISA, drive a national effort to improve cyber hygiene, with a particular focus on identity and access management. The SolarWinds incident makes plain why all organizations, including governments, must heighten their focus on implementing basic security best practices, even as we harden technology development processes and explore other steps.
- Third, we need a national strategy to strengthen how we share threat intelligence across the entire security community.
- The time has come for a more formal and cohesive national strategy for the exchange of cybersecurity threat intelligence between the public and private sectors. This strategy should have provisions for threat intelligence sharing during incident response – when collaboration should be at its best and when competitors and others should set aside differences to focus on the security of the nation and the interconnected global technology ecosystem. But to make this strategy work in any context, foundational issues must be addressed, strengthening cross-government visibility, declassification, and trust in private sector actors to not misuse information that can facilitate threat hunting and remediations.
- Fourth, we need to impose a clear, consistent disclosure obligation on the private sector.
- In the U.S., there is currently a patchwork of obligations in place. This includes state data breach notification requirements, which cover instances in which customer data is accessed, and federal procurement requirements, including a Department of Defense regulation that requires contractors to report cyber incidents and conduct investigations. By comparison, other parts of the world have requirements that are applied more consistently across organizations operating in their jurisdictions. In the European Union, for example, all digital service providers are required to notify their competent authority of any incident having a substantial impact on the provision of a service.
- Disclosure should not be limited just to the private sector. In exchange for imposing such an obligation, government should also commit to faster and more comprehensive sharing of relevant information with the relevant security community.
- Finally, we need to strengthen the rules of the road for nation state conduct in cyberspace.
- However, as it stands, existing rules are sometimes considered ill-defined and rarely enforced. Despite recommendations by a global group of experts, the United States and like-minded allies need to speak more boldly to make clear that indiscriminate and disproportionate supply chain attacks that put technology users at risk and undermine trust in the very processes designed to protect them are out of bounds for state actors. As Anne Neuberger acknowledged last week, even if the Russian actor primarily leveraged its extraordinary potential access to exfiltrate data, the scope and scale of the attack on SolarWinds customers denote much more than an isolated case of espionage. Attacks that leverage supply chains and widely disrupt confidence in data, systems, and update processes impact many users beyond those targeted. If enough users doubt the integrity of their systems or data, the stability of cyberspace and our readiness to rely on it could be impaired.
- The U.S. government has a critical leadership role in advancing international consensus on establishing and enforcing a rules-based order, and we urge policymakers to lead in ongoing international processes such as at the United Nations and to join the Paris Call for Trust and Security in Cyberspace.
CrowdStrike President and CEO George Kurtz suggested “there is room for improvement in Federal cybersecurity” because “our government colleagues are hobbled by legacy technologies and programs, complex procurement processes, or compliance obligations that detract from core security work.” He said “[f]or the Cybersecurity and Infrastructure Security Agency (CISA), new authorities to hunt across the “.gov” domain recommended by the Cyberspace Solarium Commission and granted by the FY21 National Defense Authorization Act (NDAA) could be a game-changer.” Kurtz added:
Programs like the National Cybersecurity Protection System (NCPS/”EINSTEIN”) and Continuing Diagnostics and Mitigation (CDM) should be enhanced to realize this vision. And across the broader Federal government, more progress and investment can be made on IT modernization, with security as a central consideration. Finally, we support ongoing, bipartisan efforts in this Chamber to review and reform the Federal Information Security Modernization Act (FISMA).
Kurtz encouraged “the Committee to view cybersecurity holistically.” He said:
Employing qualified personnel, conducting specialized training, implementing valid methodologies, strategically leveraging third-party capabilities and expertise, and having informed and involved leadership are all critical factors in a successful overarching cybersecurity risk management program.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.