As the fallout continues from the SolarWinds Orion supply chain compromise, organizations are surveying the damage and long-term impacts of a flawed IT supply chain.
Though FireEye found a killswitch Wednesday, SolarWinds called on about 33,000 affected customers this week to respond to the compromise, reportedly including the Departments of Homeland Security, Treasury and Commerce.
With federal organizations hard hit, the cyberattack is undermining their governance of the private sector.
On Tuesday, national security agencies and the intelligence community put in place an Obama-era directive that coordinates emergency cyberthreat response between federal and private sector stakeholders. Under the PPD-41 guidance, a Cyber Unified Coordination Group (UCG) will serve as the primary liaison between the agencies and the private sector and advise on response.
The FBI, CISA and Office of the Director of National Intelligence (ODNI) confirmed the SolarWinds hack is an "ongoing cybersecurity campaign," in a joint statement Wednesday. The UCG will unify "the individual efforts of these agencies as they focus on their separate responsibilities."
As a UCG is formed under the directive, how companies will communicate and work with the group is unclear:
- Do all participating organizations have contacts in place?
- Who is the point of contact in the UCG or in the companies they are coordinating with?
- How will contacts scale if/when more organizations discover they were breached?
"You don't want to be the one caught unprepared in a high-end contingency like today," said Philip Reiner, CEO of the Institute for Security and Technology.
A coordinated federal response should allow agencies to more efficiently direct private sector businesses' response to advanced cyberthreats. At the same time, private companies are far more advanced in cyberthreat deterrence than the regulatory agencies that oversee them, which have fallen short.
The severity of the SolarWinds hack leaves private industry "little option" in their willingness to coordinate with the government, said Casey Ellis, founder and CTO of Bugcrowd. The PPD-41 directive "leaves little room for pushback. If anything, they'd be appreciative of the aircover."
GAO had concerns
The Treasury Department has not issued a formal evaluation of the economic significance of the hack or whether or not it will hurt the financial sector's ability to provide its services. The Treasury is the "designated lead agency for the financial sector" and "plays a key role in supporting many of the efforts to enhance the sector’s cybersecurity and resiliency," according to the Government Accountability Office (GAO). The watchdog warned the Treasury of cybersecurity risks in September.
The Treasury had failed to implement a November 2015 recommendation for sector-specific agencies to measure cybersecurity progress, according to the GAO. While the Treasury had taken some actions, the agency had not developed metrics for quantifying the effectiveness of its cyber risk mitigation in the financial sector or in other parts of the agency.
On Tuesday, Senators Sherrod Brown, D-Ohio, and Ron Wyden, D-Oregon, sent a letter to Treasury Secretary Steven Mnuchin regarding the agency's response and asking which bureaus and offices were impacted by the hack. Once attribution is confirmed, the senators want to know if the Treasury will "initiate a process to consider using the full panoply of economic, financial, cyber and other sanctions tools" in response.
As a part of the U.S. critical infrastructure, the financial sector is highly reliant on third parties for systems and applications, hardware and software, and technologists. "Currently, most of the [financial] sector’s key services are provided through the use of information and communications technology, increasing further the importance of cybersecurity to the sector," said the GAO.
Since NotPetya in 2017, "supply chain attacks and government reliance upon private sector technologies have had significant consideration and open debate," said Luke Tenery, partner at StoneTurn. Attackers increasingly target shared software in the supply chain rather than a single organization, because compromising one vendor yields access to all of its downstream customers at once.
Industry's lesson in national security
The GAO found that the Treasury's slow progress in updating its cyber risk metrics is in part because the agency "relied on private sector partners to voluntarily share information needed to measure efforts."
Despite greater reliance on private sector technologies, federal agencies haven't improved their supply chain risk management (SCRM). The GAO found that none of the 23 CFO Act agencies, including DHS and the Department of Commerce, had fully implemented SCRM practices, and more than three of them had not adopted any of the practices at all.
The SolarWinds incident is "a 'now' conversation," said Reiner. Just as the tech industry needs to take national security into consideration for developing products, the government "needs to more intimately understand the business dynamics that drive corporate and product decisions."
Tech and security firms are aiding in response and mitigation to the continued SolarWinds fallout, but "the immediate fact is that this unfolded in the midst of our most heightened period of focus, awareness and operations, as we worked to defend the 2020 election," said Reiner.
The malware sat undetected until private industry, rather than a government agency, found the intrusion, an intelligence failure for both the public and private sectors. "It demonstrates a glaring lack of depth as to the awareness [and] intelligence into threat actor activities and the near-impossibility of identifying the next vector," said Reiner.
The organizations involved under PPD-41 already have a playbook of next steps, but the incident highlights a recommendation made by the Cyberspace Solarium Commission (CSC): the adoption of a "Cyber State of Distress" that would trigger a recovery fund "beyond what is available through conventional technical assistance and cyber incident response programs," according to the report.
The fund would support technical assistance for critical infrastructure owned by the public and private sectors. A cyber campaign of multiple incidents "that are not significant on their own" but that together could create "demonstrable harm" can trigger a Cyber State of Distress.
One of the CSC's recommendations, for a National Cyber Director in the White House, was adopted in the defense bill. The timing of the hack is exposing the cost of having no such leader in the executive branch.
"Planning takes longer, coordination takes longer and there is no official chain of command or approval authority for immediate action," said Tatyana Bolton who leads the Cybersecurity and Emerging Threats team at R Street Institute and served as senior policy director for the CSC. There isn't a single source to tell CISA, the Defense Department, or the breached agencies "what to do right now in a coordinated manner."
CISA is doubling as coordinator, having released Emergency Directive 21-01 on Sunday. The directive ordered all federal civilian agencies to disconnect or power down SolarWinds Orion products, though Congress is still waiting on confirmation that agencies have completed the directive's actions. According to Wednesday's joint statement, CISA will continue its contact with government and private industry, assist with technical requests, and aid entities in critical infrastructure "to ensure they understand their exposure."