Evaluating the Aftermath of the SolarWinds Hack

We continue to learn more every day about the recent SolarWinds compromise, which has affected multiple agencies and organizations. Microsoft called this attack "one of the most sophisticated and protracted intrusion attacks of the decade."

While it is clear we are dealing with a very sophisticated actor, we don't know the full extent of the impact on government agencies and departments. Most certainly the actor collected sensitive information, and details are emerging on attempts to avoid detection and maintain persistence on the network for future exploitation.  

The consequence of this breach is dramatic yet still unknown to a large extent. But simplistically, despite the significant investment in cybersecurity detection and prevention, a sophisticated adversary was able to penetrate sensitive government networks undetected. How can we be sure that we have removed all the backdoors to eliminate the possibility of access at a future date?

Imagine during wartime if these penetrations are used to gather intelligence or degrade America's ability to defend itself. The effects could be catastrophic to the safety of our warfighters and country. This event should be a reckoning that our approach to detecting and combating sophisticated attacks from nation-state actors and others will have to evolve to better protect and defend our nation.

Having supported counterterrorism and cybersecurity missions in the Government and private industry, there are many parallels that we can use to think about the changes and investments we will need to make in the future to combat nation state cyber actors. When planning an agency's security strategy, consider the following actionable adjustments.

Double down on intelligence collection and share responsibly. 

After the events of 9/11, the Government directed billions of dollars and allocated additional resources to focus on intelligence collection of terrorists, their networks, and their sponsors. Similarly, we must increase the Government's ability to understand our adversaries' plans and intentions in cyberspace with the full weight of the nation's intelligence prowess and use that information to help drive the protection of our defense and economic engines. That includes tracking the organizations responsible, their funding, infrastructure, and every aspect of their operations, logistics, and command and control. Intelligence has always been a critical component of our nation's defense and it is no different in cyberspace. 

It becomes a challenge to share this data responsibly to protect the nation. The reality is that the more information that is shared, the greater the likelihood that the game of cat and mouse will continue. Simply put, we do not reveal to terrorists what we know about them. We counter and disrupt them at the right time. As cyber information is shared with industry and commercial cybersecurity tools advance, so do our adversaries' knowledge of our defenses.

Balancing information sharing is not a new thought in the Government. A Vulnerabilities Equities Process already exists within the Government to strike this balance for software vulnerabilities. It can expand to cover defensive cybersecurity information as well. While there are consequences to the theft of credit card data or other PII, the threat of penetrating critical DoD and government systems is far different. The extent that the information does not compromise the nation's defense should indeed be released. However, we need to understand that there will be times when the Government should not release information because, while consequential, it benefits the entire country.

Untapped data is a strategic asset.  

We can improve data sharing within the Government for cyber data. The National Counter-Terrorism Center (NCTC) was created after 9/11, "To serve as the primary organization in the United States Government for analyzing and integrating all intelligence possessed or acquired by the United States Government pertaining to terrorism and counterterrorism." The US Government did that because of an important finding: The lack of data sharing made it hard to uncover elements of terrorist planning and connect the dots.

Suppose you consider the vast IT machinery, networks, and cybersecurity systems across the Federal Government all generating cyber data. It is arguably one of America's largest sources of cyber data and most certainly includes information on cyber activity from our adversaries. However, much of that data is segregated in siloed systems and stove pipes across every government agency and department. Sharing this cybersecurity data is a complex maze within the Government, and the technical issues are the least of the concerns. In my job, I've had the opportunity to talk to many officials on this topic. There is rarely a person who thinks they have access to all the data needed to support their cyber defense mission. 

Cyber analysts and tools are limited in the data they have access to even though additional relevant data might exist elsewhere in the Government. Our adversaries do not limit themselves to one particular agency or department. If one is concerned with analyzing and identifying intrusions across the Government, there is no one place to go. 

We can make cyber analysts more effective by providing them access to more data or creating a government-wide effort similar to NCTC with expansive authorities to hold and analyze cyber data across the entire Government. We can supplement this with additional funding and research in artificial intelligence and machine learning to process vast stores of data to separate the "signal from the noise." There is much work to do from a policy and technology perspective to make this a reality and adequately utilize this rich stockpile of data already accessible to government.

Bring the right tools to the fight.  

Finally, we must look at the machinery we use to defend government networks. To protect the physical world, the Department of Defense acquires purpose-built weaponry – missiles, tanks, ships, aircraft. These specialized capabilities are designed by companies that follow numerous specific requirements and have heavy scrutiny on every aspect of development, from the supply chain to testing and operational readiness. These capabilities come at a great expense, but the alternative would be to equip our military with pick-up trucks and handguns purchased from the town shop.

When it comes to cybersecurity, looking at the myriad acquisition programs that attempt to buy and implement an overly complicated maze of commercial capabilities, one can only wonder if there is another way. Somehow it has been determined that these complicated architectures of tools implemented with much overlap acquired in multiple ways without regard to interoperability are sufficient to protect critical government information from the most sophisticated adversary.

This is not to say that commercial cyber capabilities do not have an essential role in the protection of Government. Yet, the Government implements them in ways that create too much complexity and poor interoperability to function optimally. Additionally, we simply cannot expect solely commercially developed products to protect us against nation-state cyber attacks. We should also acknowledge that it is not economically viable for these companies to safeguard their systems and provide defenses from an advanced adversary with nearly limitless resources. Therefore, there is and will continue to be a need for highly specialized capabilities funded by the Government, for the specific purpose of protecting government systems.

As new details continue to emerge every day, we will not know the severity of this breach for quite some time. However, we do not have to look far for practical lessons to improve our ability to combat the ever-growing threat against government networks and information from nation-state actors. We need to continue to focus our government capabilities and response in conjunction with industry to protect the nation.