The Wall Street Journal reports today that
Investigators probing a massive hack of the U.S. government and businesses say they have found concrete evidence the suspected Russian espionage operation went far beyond the compromise of the small software vendor publicly linked to the attack.
Close to a third of the victims didn’t run the SolarWinds Corp. software initially considered the main avenue of attack for the hackers, according to investigators and the government agency digging into the incident. The revelation is fueling concern that the episode exploited vulnerabilities in business software used daily by millions. * * *
The attackers “gained access to their targets in a variety of ways. This adversary has been creative,” said Mr. Wales, whose agency, part of the U.S. Department of Homeland Security, is coordinating the government response. “It is absolutely correct that this campaign should not be thought of as the SolarWinds campaign.”
That is chilling news. What should be done?
In that regard, Fortune seeks to untangle the U.S. cybersecurity “mess” for us. The article explains
Restructuring [the U.S. cybersecurity] system is core to the work of the Cyberspace Solarium Commission, a task force commissioned by Congress to help reform U.S. cybersecurity. “Our focus [is] on making the market more effective at driving good behavior,” says commissioner Suzanne Spaulding, a senior adviser for cybersecurity and counterterrorism at the Center for Strategic and International Studies. “If the market isn’t performing the way it should, why isn’t it?”
The commission spent the past year drawing up a wide-ranging list of recommendations, and in January, 26 of them became law as part of the 2021 National Defense Authorization Act. The NDAA creates a White House–level Office of the National Cyber Director and grants new private-sector threat-response powers to the federal Cybersecurity and Infrastructure Security Agency—significant changes that commission members hope will prompt closer collaboration between government and industry on security standards. “A lot of the recommendations, some of us have been making for years,” says Cilluffo, who’s also a commissioner. “But the political will was not where it needed to be. Now, we don’t need any reminders.”
Solarium’s mandate has been extended for at least another year, and its next round of advocacy and recommendations will focus more squarely on the private sector. The goal: creating better incentives for building secure software and sharing intelligence about cyberthreats.
On the personnel front, GovConWire reported last week that
Sources said Biden is likely to name [Jen] Easterly to the newly created role of national cyber director at the White House to help guide the current administration’s cybersecurity strategy and oversee digital security efforts of agencies.
Easterly is head of resilience at Morgan Stanley and previously served as deputy director for counterterrorism at the National Security Agency between 2011 and 2013. She served in the National Security Council as special assistant to the president and senior director for counterterrorism during the Obama administration.
Healthcare Dive also noted that “The Biden administration hired Chris DeRusha as federal CISO, tasking him with coordinating cybersecurity policy across federal agencies. DeRusha previously served as the top cybersecurity officer for the Biden presidential campaign.”
Cyber Scoop adds with respect to the ongoing investigation that
[L]awmakers are demanding answers from the National Security Agency about another troubling supply chain breach that was disclosed five years ago.
A group of lawmakers led by Sen. Ron Wyden, D-Ore., is asking the NSA what steps it took to secure defense networks following a years-old breach of software made by Juniper Networks, a major provider of firewall devices for the federal government.
Juniper revealed its incident in December 2015, saying that hackers had slipped unauthorized code into the firm’s software that could allow access to firewalls and the ability to decrypt virtual private network connections. Despite repeated inquiries from Capitol Hill — and concern in the Pentagon about the potential exposure of its contractors to the hack — there has been no public U.S. government assessment of who carried out the hack, and what data was accessed.
Lawmakers are now hoping that, by cracking open the Juniper cold case, the government can learn from that incident before another big breach of a government vendor provides attackers with a foothold into U.S. networks.