Illuminating SolarStorm: Implications for National Strategy and Policy

March 4, 2021 • Aspen Digital

In December 2020, cybersecurity experts began to unravel an unprecedented security breach affecting potentially thousands of organizations, including key federal agencies and Fortune 500 companies. Fully investigating and remediating this operation—known alternatively as SolarStorm, Sunburst, or Solorigate—will take months or years, but we know some key details:

  • The perpetrators almost certainly acted on behalf of the Russian government, who can claim a tremendous intelligence success against the United States.
  • By exploiting security vulnerabilities in popular software used in government and industry, attackers created the opportunity to devastate thousands of organizations.
  • While software sold by a company called SolarWinds was the initial focus of efforts to learn the true scope and scale of the attack, we now know that the attackers also leveraged other vectors in the software supply chain to compromise private networks.
  • It appears that the attackers only stole data. No publicly available evidence suggests that computing systems or data were destroyed, manipulated, or disrupted.

As the White House and Congress consider the appropriate response to SolarStorm, the Aspen Cybersecurity Group has collected seventeen leading experts to offer concise assessments on a productive path forward for policymakers. Follow the links below each name to read their reactions in full.


Contributors

Gen. (Ret.) Keith Alexander
Founder & Co-CEO, IronNet Cybersecurity
Member, Aspen Cybersecurity Group

Jamil Jaffer
SVP, IronNet Cybersecurity
Founder & Executive Director, National Security Institute

Embrace collective defense.

Most troubling about SolarStorm is the fact that it went initially undetected and remained so for a long period of time, even in highly sophisticated private companies and some reasonably well-defended government institutions. The existing go-it-alone approach, which expects every organization to defend itself in isolation, has left us defensively hamstrung, constantly racing to keep pace with new threats.

As the Cyberspace Solarium Commission and the Aspen Cybersecurity Group have observed, creating a truly defensible cyber ecosystem requires a fundamental paradigm shift at the national level to prioritize collective defense. This means moving beyond mere information sharing to incentivize companies and government agencies to jointly triage threats, divide up the workload, and rely on one another’s decisions. In the near term, we need a capability like the Joint Collaborative Environment—a Solarium recommendation left out of the NDAA—that goes even further to integrate public-private information and actions.

Based on what we know today, the SolarStorm operation was neither an “attack” nor an “act of war.” Evidence revealed to date demonstrates a very capable, deep, and lengthy espionage campaign. Only a few hundred of the 18,000 targets initially penetrated in the SolarWinds portion of the larger Holiday Bear / SolarStorm activities were exploited with the second stage attack payload. As of now, we are not aware of any data or systems that were destroyed, manipulated, or taken offline for a significant period. Given this, it is critical that policymakers and other leaders avoid broad assertions about adversary actions based on limited information.

Yet the depth, scale, and length of penetration in this incident does provide the Russians with a significant ability, at their option, to destroy, manipulate, or disrupt systems across a major portion of the U.S. federal government (and key parts of industry). Any such action—or even a threat to do so—should elicit a swift and stiff response from the United States government.

The White House should also publish a clear declaratory policy on different types of cyber threats—accompanied by a detailed menu of response options and capabilities—that articulates the willingness of the United States to push back aggressively on adversaries that cross key lines. Such a policy ought to encompass not only actual attacks but also attempts to coerce our nation by threatening destructive acts after a deep and sustained penetration like SolarStorm. If adversaries trigger such a declaratory policy, we must be prepared to act and to hold our adversaries fully accountable in a manner that extracts real, substantive costs.

 

Dr. Erica Borghard
Senior Fellow, Atlantic Council
Senior Director, U.S. Cyberspace Solarium Commission

Real-time intelligence collection needs an upgrade.

Some observers argue that SolarStorm represents a failure of the Department of Defense’s (DoD) “defend forward” strategy introduced in 2018. This reflects a misunderstanding of the defend forward concept, which aims to use U.S. Cyber Command more actively outside of “blue space” (U.S.-controlled cyberspace) to counter cyber adversaries operating in “gray space” and “red space” (neutral- and adversary-controlled cyberspace). Defending forward can mean gathering information about evolving adversary attack methods or capabilities and sharing that information with other domestic agencies, allied governments, or private companies. It also encompasses lawful counter-cyber operations to disrupt, deny, or degrade adversary offensive cyber capabilities or infrastructure.

If defend forward calls for cyber forces to understand adversary behavior and counter offensive capabilities, why was the United States unable to catch Russia “in the act” and thwart the SolarStorm operation before it materialized? Because defend forward was never meant to achieve perfect awareness of everything always happening in cyberspace.

In the case of SolarStorm, Russian threat actors were operating on domestic networks in blue space—precisely where the Cyber Mission Force (the operational arm of U.S. Cyber Command) is generally not authorized to operate. Moreover, cyber operations that are part of defend forward require meticulous planning and must abide by strict authorities, rules of engagement, and operational requirements. A specific operation that focuses on one threat actor over there will inevitably miss some activity from another adversary over here.

Dispensing with the myth that SolarStorm represents a failure of defend forward, we can glean real lessons. We clearly need to improve real-time intelligence collection against threat actors and track them as living, breathing organizations. While adversaries can traverse cyberspace at will, government organizations and private entities can only monitor and act on the networks where they have authority to operate. Enhancing collaboration between government and the private sector is therefore essential to enabling the rapid movement required to gather intelligence and thwart attacks with joint action, especially when adversaries operate on networks owned by the private sector. Without true operational collaboration, even the most capable operators will often find themselves unable to track adversaries and act when it matters most.

 

Michael Daniel
President & CEO, Cyber Threat Alliance
Member, Aspen Cybersecurity Group

Seize the opportunity to modernize.

Although many cyber intrusions are described as “sophisticated,” the adjective really does apply to SolarStorm. The attackers demonstrated an impressive level of both technical and organizational sophistication. Focusing on a limited number of targets, waiting for certain conditions to occur before initiating activity, and trading short-term gains for long-term payoffs are hallmarks of advanced organizational thinking. This intrusion shows the power of combining technical skill with organizational capability. It should remind us that a well-resourced, dedicated, and sophisticated adversary will always find a way to access a target network.

Nevertheless, due diligence requires examining which security weaknesses the adversary exploited and how to remediate them. Some evidence points to flawed cybersecurity practices at SolarWinds or federal agencies. The government and cybersecurity industry should identify the policy, organizational, and technological changes necessary to reduce the impact of similar incidents in the future. For example, could we avoid a repeat of SolarStorm by requiring federal IT vendors to demonstrate their cybersecurity maturity before they win a contract? The Department of Defense has already implemented this concept with the Cybersecurity Maturity Model Certification process; other federal agencies and private sector companies will need to adopt appropriate versions for their own procurement.

However, the White House should be mindful and resist the temptation to overemphasize supply chain risks. For most organizations, the most dangerous threat vectors remain phishing emails, website vulnerabilities, ransomware, or business email compromise.

Finally, the SolarStorm crisis presents an opportunity. The federal government suffers from a significant technology debt, with many unprotectable legacy systems. It should use these landmark intrusions as a forcing function to replace legacy systems with more defensible modern architectures, equipment, and software. This approach would have the added benefit of improving agency productivity and service delivery as well.

 

Tiana Demas
Partner
Cooley LLP

Incentivize vulnerability discovery and disclosure.

The SolarStorm attack highlights our nation’s deep dependence on the private sector to defend vulnerable critical software infrastructure. This is unlikely to change, and any coherent federal cybersecurity strategy should incentivize companies to invest in zero-trust security, transparently disclose attacks, and establish stronger collaboration between companies and with government agencies.

Our software supply chains are inextricably intertwined, and these interconnections make end-to-end security impossible. The federal government should incentivize companies to use a zero-trust model by reimbursing smaller companies for the associated costs of adoption, or as part of a broader federal law that shields companies from liability for the costs of a breach if they provide evidence that they adopted a zero-trust model.

The federal government should also incentivize prompt and transparent disclosure of attacks. Many large companies already disclose some security issues voluntarily, but smaller companies with fewer resources understandably fear the costs posed by a dizzying patchwork of state and federal rules. Disclosure incentives could take many forms, including protection from liability if companies fully and transparently disclose, or cooperation credit along the lines of DOJ’s FCPA Corporate Enforcement Policy.

Finally, the Cybersecurity Information Sharing Act of 2015 spurred some improvements in information sharing between industry and government, but more needs to be done. Bug bounty programs that incentivize security researchers to find and report security vulnerabilities to sponsoring companies are critical, but their purely private nature arguably encourages security researchers to focus on larger, well-funded tech companies instead of smaller ones that may be more vulnerable. For example, a bug bounty program sponsored by Company X encourages security researchers to hunt for bugs on Company X’s platform and report them to that company. If Company Y does not have such a program, security researchers are not as incentivized to do the same. (To be sure, plenty of security researchers report bugs in the absence of these programs.) The government should consider funding a federal bug bounty program, which would reward security researchers for finding and reporting software vulnerabilities to an independent panel of experts drawn from the private and public sector. Implementing such a program would require close collaboration to verify legitimate reports.

Private sector tools are deeply embedded across all sectors, and companies are often in the best position to innovate in response to novel threats. But federal policy can do more to ensure the ecosystem is robust and help protect against future catastrophic failures.

 

Michael Garcia
Senior Policy Advisor
National Security Program, Third Way

Look to the National Cyber Director.

SolarStorm was discovered because a private company voluntarily chose to publicize its own security breach. FireEye had no obligation to do this, and their transparency allowed thousands of organizations to mitigate the damage from the broader SolarStorm campaign. This underscores the need for government to establish a new social contract with industry that rewards, rather than punishes, companies for acknowledging failure.

This kind of public-private partnership in cybersecurity has eluded us for several reasons. First, companies are hesitant to report security incidents out of fear of market retaliation and potential regulatory punishment. Second, companies who voluntarily share information with the government are frequently disappointed in the government’s inability or unwillingness to return the favor by sharing useful intelligence. Lastly, no formal mechanism exists for the private sector to conduct joint-cyber operations with the U.S. government to disrupt attackers and their infrastructure. Case in point: the TrickBot takedowns, which saw U.S. Cyber Command and Microsoft act separately against the same criminal group without a coordinated plan.

The new National Cyber Director (NCD) offers an opportunity to address these challenges.

As Congress considers a national data breach notification law, the NCD should work with federal agencies to streamline and clarify existing regulations to ensure that breach disclosures will not be used for regulatory purposes. Further, Congress should ensure that the definition of “data breach” or “incident” encompasses compromises like SolarStorm. Current state data breach laws generally require companies to report a breach of customer data but impose no obligations if a malicious actor steals proprietary information or disrupts services. The NCD should review the US Cyberspace Solarium Commission’s recommendation on incentivizing private partners to report incidents that disrupt the confidentiality, integrity, and accessibility of services and data.

Second, the NCD should work with Congress to build trust with private partners by codifying the vulnerabilities and equities process (VEP), which outlines when and why the government discloses or withholds cybersecurity vulnerabilities. Sen. Ron Wyden asked what measures FireEye took to warn its customers and the government of a key vulnerability used by the Russians during its SolarStorm operations. Policymakers should also question if and how the government itself should publicize similar knowledge. A codified VEP should also account for the ability of law enforcement and companies to create “sand traps” in vulnerabilities and launch disruption operations against malicious actors that try to exploit them.

The federal government has improved public-private communication, as made apparent by FireEye’s willingness to work with the FBI. Yet we need more formal mechanisms to turn such ad-hoc successes into a continuous cycle of reporting incidents, sharing vulnerabilities, and disrupting malicious operations.

 

Trey Herr
Director, Cyber Statecraft Initiative
Atlantic Council

Embrace incremental change.

It takes a village to produce a complex failure and in the case of Sunburst the aid of a patient and persistent adversary. Our response must attack that complexity head on. Sunburst isn’t the product of a single lapse any more than the Challenger disaster was the fault of a single O-ring. The attack was also not as exceptional as a supply chain compromise; over the past 10 years, there have been at least 36 successful attacks on software updates (out of more than 130 total software supply chain compromises).

The way that we evaluate risk in the software supply chain does not match how we use that software, but there is room to improve. Large enterprises need to focus less on the provenance of software—where did the code originate, what is in it, and who developed it—and prioritize software performance, which tells us far more about its relative security than a point-in-time snapshot at purchase. Evaluating performance will force users to demand better baseline understanding of their software from developers and help push for software to be more defensible, not just more secure.

In searching for a cure-all for supply chain security, beware of the “moonshot.” Progress in security has been crippled by a desire to accomplish one big thing instead of accelerating many small changes. Two days after FireEye announced its discovery of Sunburst, GAO issued only its latest report warning, “Federal Agencies Need to Take Urgent Action to Manage Supply Chain Risks.” The report echoed themes found as far back as a 2012 GAO report and a 2010 Carnegie Mellon study. Trust doesn’t come from slickly branded zero days, widespread government mandates, or from any automagic industry initiative. Big ideas do matter. But the key to more mature, nationwide risk management is changes that start small, collaborate widely, and iterate rapidly.

 

Herb Lin
Senior Research Scholar
Stanford University

The worst is (probably) yet to come.

We still have a lot to learn about what happened, but it is not too early to offer some high-level observations.

First, the majority of cybersecurity breaches reported to date have compromised the confidentiality of data—hackers get their hands on information they have no right to access. But there are other threats to data. Perhaps more dangerous are compromises to data integrity—instances when hackers alter or erase data. Consider a cyber intrusion that does not simply leak a confidential medical record but instead modifies that record by deleting any indication of a patient’s allergy to medication. Attacking data integrity can have real life-or-death consequences.

Second, data is not the only component at risk in cybersecurity breaches. Cyber-physical devices and computer-based control systems can also be affected. One report indicates that the compromised SolarWinds Orion software is sometimes used to manage networks that support devices for environmental controls and power in buildings. But nearly any physical real-world functionality can be tied to a network and controlled by computer, and it is quite unlikely that anyone knows the full range and extent of cyber-physical capabilities that the attackers could now control. This lack of knowledge may also be true even in individual organizations where building engineers and individual offices often make decisions, without reporting to higher management, to put control of physical systems on networks.

Third, SolarStorm illustrates how cybersecurity requires resilience, because a perfect defense is impossible. Unfortunately, the United States’ public and private sectors have simply not yet internalized this fact. Those using information technology must assume their systems and networks have already been compromised, and take the proper precautions as if they are operating on compromised systems and networks. This will be inconvenient, reduce productivity and seem unnecessary, but it is the only way to limit the effects of a security compromise.

Finally, we have to moderate user demands for additional functionality. Today, users want computer systems to be faster, easier to use and more interoperable; to control more things; and to provide new capabilities. Meeting these demands requires greater complexity in computer systems, which creates more vulnerabilities and more opportunities for intruders to gain unauthorized access. Unfortunately, IT vendors like SolarWinds have strong incentives to sell systems and services that offer more for their customers, and moderating customer appetite for functionality is inconsistent with their business models. Creating incentives for cybersecurity as a counterweight to these demands for more functionality thus remains important and undone.

How bad is SolarStorm? It’s very bad. This incident may well be “the worst cyberattack to date,” but a decade from now, will it be the worst cyber incident that the United States has ever experienced? Given that escalating beyond past responses would likely be more provocative than anyone wants, do not plan on it.

 

Brad Maiorino
Executive Vice President and Chief Strategy Officer, FireEye
Member, Aspen Cybersecurity Group

Encourage transparency in reporting.

Available evidence suggests the actors behind the SolarStorm supply chain attack were carrying out espionage. That differentiates this campaign from other security events – like election interference or widespread intellectual property theft – which are clear violations of international norms. By contrast, espionage is a well-established practice as old as government itself. That is important because it means recent incidents do not tell us very much about the success or failure of U.S. strategy to deter adversaries in cyberspace. Though it might be possible to pressure nation states to avoid highly aggressive cyber activity that causes physical destruction, it is hard to imagine how to deter a nation state from conducting espionage. For that reason, it is critical for the government and industry to carefully examine longstanding practices for securing their digital supply chains that will not undermine innovation, such as strong vulnerability and vendor risk management programs supported by actionable intelligence.

Our focus going forward should be on reexamining the public-private sector relationship at the heart of the issue. We need to promote sharing of information and responding to cyber intrusions in a coordinated way, and rethink how the private sector is incentivized to hide weaknesses in cybersecurity or actual breaches due to fear of litigation, reputational damage, and other liabilities. Cyber policy should focus on establishing a common defense through incentives to encourage transparency in reporting vulnerabilities and breaches.

More tactically, clarifying roles, responsibilities, and authorities within the federal government to help mitigate, prevent, and respond to cyber attacks is imperative for public and private sector entities. So too is regularly updating and executing a national cybersecurity incident response plan and other existing guidance and procedures.

 

Katie Moussouris
Founder & CEO
Luta Security

Under-resourced bug bounties and vulnerability disclosure programs will cause more harm than good.

SolarStorm underscores the value of coordination across the many government components that manage U.S. cyber-defenses. The last administration's uncoordinated and understaffed efforts have left federal agencies without essential prevention, detection, and remediation capabilities. While the Biden-Harris Administration’s new roster of talented cybersecurity leaders is encouraging, the sheer number of government stakeholders who have a seat at the table will present ongoing challenges to a more unified approach. Time will tell if the new National Cyber Director can streamline the process of implementing a comprehensive cyber strategy and integrating incident response procedures.

Beyond interagency coordination, the White House should prioritize a comprehensive cyber workforce study to determine which specific cybersecurity job roles are most frequently vacant across the federal government, and finally fix the pay gap between the private and public sectors if it hopes to attract, grow, and retain a cybersecurity workforce. Congress has previously given the Department of Defense and Department of Homeland Security flexibility to increase pay for cybersecurity experts. These changes should be expanded to all federal agencies. By reducing the ongoing brain drain, the government will have more highly skilled cyber experts with longer operational histories in key defensive cyber roles, which will improve security and efficiency overall. A more talented workforce will also reduce the federal government’s dependence on large technology companies that attempt to leverage their expertise to influence policy decisions in ways that are detrimental to security, privacy, and democracy itself.

Finally, a misunderstood industry practice that is being levied as a key defense against supply chain attacks is establishing a bug bounty program or vulnerability disclosure program (VDP). In September 2020, the Cybersecurity and Infrastructure Security Agency issued Binding Operational Directive 20-01, which set a March 1, 2021 deadline for each federal civilian executive branch agency to develop and publish a VDP for internet accessible systems and services. Managing vulnerabilities and improving security goes well beyond receiving bug reports, and unfortunately, BOD 20-01 does not require agencies to build out their security operational capacity and process maturity before implementing a VDP. Agencies cannot take a bug-by-bug approach in starting VDPs or bug bounties before addressing the gaps in their people, process, and technology, lest they exhaust already-overtaxed internal security teams who were not able to detect the SolarStorm attack.

 

Greg Rattray
Co-Founder & Partner, Next Peak
Member, Aspen Cybersecurity Group

Promote operational collaboration between business and government.

The SolarStorm compromise should not have come as a surprise. Software supply chain attacks are not new, and they offer a quiet and elegant solution for any intelligence service that conducts cyber espionage. We should expect them to grow in frequency and impact in the years ahead.

Both the Cyberspace Solarium Commission and the Aspen Cybersecurity Group have called on the U.S. government to develop a joint strategy with industry to “ensure more trusted supply chains and the availability of critical information and communications technologies.” Such a strategy will be an ambitious undertaking that demands buy-in and continuous leadership from the highest levels in the White House. The State Department also has a critical role in generating consensus with allies and partners on how to generate sustainable competition in critical technology markets.

But no strategy can completely eliminate supply chain risks like those at issue in SolarStorm. We should assume that some attackers will succeed and prioritize deep contingency planning to contain the impact and severity of future incidents. Because supply chain risk affects both public and private sectors, effective cyber contingency planning must be a shared public-private endeavor requiring real, shoulder-to-shoulder operational collaboration. To that end, the Biden-Harris Administration should closely examine opportunities created by the 2021 National Defense Authorization Act, particularly the Office of National Cyber Director and a new joint public-private cyber planning office under the Cybersecurity and Infrastructure Security Agency (CISA). The New York Cyber Task Force just published recommendations for additional steps to enable effective, whole-of-nation operational collaboration to deal with cyber crises. Recommendations will include the creation of a national cyber contingency planning framework as well as a public-private cyber response network for effective cyber crisis response.

 

Devon Rollins
Senior Director, Cyber Intelligence
Capital One

Innovate to make security easier.

The Biden-Harris Administration has its hands full with quickly addressing the SolarStorm prognosis. Luckily, the Cyberspace Solarium Commission has laid the groundwork for fixing the kinds of supply chain vulnerabilities that allowed foreign adversaries to infiltrate government networks. It is a layered challenge that requires collaboration, sustained investment, and well-defined priorities.

First, the $10 billion that President Biden wants to earmark to harden federal networks should be carefully targeted. An unbounded budget to buy the latest tools and increase headcount will not fix the problem. Instead of simply adding capabilities, the money would be better spent on inventorying current assets, modernizing outdated technology, simplifying networks, and paying special attention to the “crown jewels.” A less complex network, with a full accounting of assets, is one that stands to be much more secure—without fancy new (and expensive) tools.

Second, we need to enforce the adoption of relevant, useful cybersecurity standards across the supply chain. Last year, the Department of Defense established a standards program called the Cybersecurity Maturity Model Certification (CMMC), designed to ensure that defense contractors and their suppliers meet a baseline of security controls and best practices. We should expand this kind of robust monitoring program to cover all federal contractors, with appropriate standards overseen by those with procurement know-how in the General Services Administration and the Defense Logistics Agency. That is key to raising expectations, incentivizing meaningful investments by contractors, and generating a tide that raises all boats.

The White House should push to expand assistance for the private sector beyond large companies with deep pockets. One approach would take the concept of MITRE’s Center for Threat Informed Defense to design a federally funded collaborative that would allow small and medium-sized businesses to drive a research and development agenda tailored to their technical and organizational needs. The outcome would be real-world defensive capabilities that make security easier for smaller organizations.

Finally, the White House and Congress should look to the crowd for innovation in this area. President Biden should launch a cybersecurity “grand challenge,” backed by federal funding, to galvanize American ingenuity on an all-too-important problem. Not only will this generate creative solutions, but it will also provide a signal—one that is more compelling and newsworthy than a press conference or a speech—that this administration prioritizes cybersecurity in a brand-new way.

The above comments belong to the author and were not made on behalf of Capital One.

 

Bruce Schneier
Chief Security Architect, Inrupt
Fellow and Lecturer, Harvard University
Member, Aspen Cybersecurity Group

Prepare to pay for good security.

This operation was a tremendous intelligence success for the Russian government, and recovering from it is going to be much harder than people think. It might not even be possible. It requires much more than simply patching the Sunburst vulnerability. It means burning the infected networks to the ground and rebuilding them from scratch, just as you might reinstall your computer’s operating system after a bad virus. But even that won’t be enough.

The Russians were slow and deliberate, using the backdoor in the SolarWinds update to obtain initial footholds in only a few of the 18,000 vulnerable networks, and then working over months to establish persistence by creating alternative means of access that would survive discovery of the initial vulnerability.

This means they were able to burrow very deep into compromised systems. How deep? We don't know for sure, but here's a comparable example. IRATEMONK is one of the National Security Agency (NSA) hacking tools initially described in Edward Snowden’s archive. It’s a way to infect a hard drive that survives reformatting of that drive. In other words, the only way to fix the vulnerability is to completely replace the drive with a brand new one, which costs money. This particular NSA trick is at least eight years old, and the actual code for performing it was stolen and published by the Shadow Brokers in 2015. Today cyber criminals use it in ransomware. Assume that the SVR had equally clever tricks back then, learned about some NSA approaches, and had almost a decade to invent even cleverer ones.

In short, unless those infected by the SolarStorm operation throw away their hardware and software, and then start from scratch, they won’t know for sure that the Russians have been purged from the network. But rebuilding networks from the ground up, never mind going the extra step of replacing all hardware, is very expensive. Knowing the size of the federal agencies involved, there is just too much hardware and software to consider it. So that is unlikely to happen.

It is also unlikely that the federal government will enforce strict security standards for technology procurement—which is what we need to prevent a repeat of SolarStorm. Enforcing minimum security requirements raises the cost of everything while it limits procurement options. And such requirements will be opposed by the full lobbying might of an industry that would rather sell cheaper insecure products than do the hard work of security.

Cybersecurity is expensive. Cybersecurity to defend against nation-state operations like SolarStorm is very expensive. But cyber-insecurity can end up costing even more. We as a country need to decide when and how we are willing to pay.

 

Camille Stewart
Cyber Fellow, Belfer Center Cyber Project
Harvard Kennedy School

There is no silver bullet.

While supply chain vulnerability has long been a challenge for industry and government alike, most striking about SolarStorm is its manipulation of a security best practice—updating software—to infiltrate victims. This is coupled with our inability to know whether the perpetrators were conducting espionage alone or preparing for a destructive attack. This incident illustrates the need for broad sweeping improvements across policy and operations to incentivize transparency and promote cyber resilience. As the National Cyber Director builds out their team, top priorities should be clarifying authorities, creating clear processes for collaboration and information sharing with the interagency and industry, articulating an action-oriented national cyber strategy, and driving collective action.

More specifically, new digital supply chain transparency and security requirements on federal contractors are essential. Requiring a Software Bill of Materials, and similarly clear information on the origin and useful life of hardware components (especially those related to the Internet of Things), can help. Transparency alone facilitates greater accountability and rapid vulnerability mitigation. Federal contractors represent a limited set of companies for piloting new standards that can inform a liability structure and requirements for the larger technology industry.

Congress must also pass national breach notification legislation to clarify when, where, and how companies notify the federal government and other parties about security incidents. This effort can feed a National Transportation Safety Board-type body housed within the Cybersecurity and Infrastructure Security Agency (CISA), which has a broad mandate to protect federal networks and support critical infrastructure and the private sector.

Congress needs to increase funding for federal cyber defense tools, ongoing efforts to protect the national digital supply chain, and U.S. innovation more generally. We need additional capabilities for Einstein if we want to detect attacks like SolarStorm. We can mitigate adversary access to supply chain vulnerabilities by funding proactive identification and enforcement of foreign investment violations through the Committee on Foreign Investment in the United States (CFIUS). Strengthening our own domestic control of the critical supply chain components for current and future technical innovation will require more support for the Small Business Innovative Research program and ‘Other Transaction’ agreements via the government organizations DHS Science and Technology (S&T) Directorate, AFWERX, AFVentures, and Army Futures Command, among others.

Allies are similarly being impacted by breaches like SolarStorm and can be effective partners to advance digital supply chain transparency and cement cyber norms. Encouraging allies to build out similar supply chain transparency requirements is mutually beneficial. And as we re-engage on cyber norms discussions related to critical infrastructure, we may be able to support cyber deterrence and response by crafting rules prohibiting destructive attacks that begin with supply chain intrusions.

 

Lt. Gen. (Ret.) Vince Stewart
Chief, Innovation and Business Intelligence, Ankura
Former Director, Defense Intelligence Agency

Raise costs for adversaries.

The scope and impact of SolarStorm is only beginning to come into focus. Where do we go from here and how do we stop another similar incident from happening again? SolarStorm might generate calls for a fundamental realignment of how we defend the United States in cyberspace. But rather than tearing down and rebuilding national cyber policy and strategy, we should rededicate ourselves to testing and implementing the highly effective strategies that we have.

We should expect to see foreign governments continue to mount operations like this. Without delving into technical minutiae, this type of operation grants the attackers tremendous access to targeted systems while reducing their risk of detection. Because the purpose of SolarStorm was likely espionage—at least from an international law perspective—the United States’ options for responding are limited. These conditions define the risk calculus for future operations of this kind: adversaries do not appear to risk very much for considerable gain.

This means that strengthening cybersecurity defenses cannot be the whole answer. Nor can pure ex post facto attribution adequately deter potential adversaries. The answer lies in a unique combination of both doctrines, with some added elements, known as Defend Forward.

The strategic rationale behind Defend Forward is that countering increasingly aggressive adversary activity requires Department of Defense (DoD) cyber operators to operate beyond DoD networks. We need to take the fight to our adversaries before they penetrate our defenses, raise the operational cost of their malicious activities, and decrease their likelihood of success. By operating in adversary cyberspace, DoD can degrade the adversary’s ability to launch attacks like SolarStorm by targeting infrastructure and disrupting command and control systems. This prong of Defend Forward can be paired with a second element, namely operating broadly and lawfully within the United States’ cyber infrastructure to hunt for and identify anomalous and malicious activity and engage in robust, systemwide intelligence sharing. If the first prong fails, the second can improve our chances of early detection.

 

Corey Thomas
CEO
Rapid7

Recover from SolarStorm, but stay focused on the big picture.

The SolarStorm/Solorigate compromise was very serious, it could have been much worse, and the government must take action to address it. But, as we recover from that event, we cannot lose sight of the bigger picture and neglect the areas of greatest cybersecurity risk.

A top priority, as the Biden Administration knows, is to recover from SolarStorm. It will be quite costly to achieve any degree of certainty that federal systems are adequately scrubbed of malicious code from this compromise. But the situation also presents an opportunity to supercharge overdue federal IT modernization. Congress’ infrastructure and stimulus legislative packages are timely vehicles to mandate and properly fund these efforts. Go big! The U.S. is more at risk of underreacting to SolarStorm defensively than overreacting offensively.

The U.S. government should consider encouraging a broad and diverse, but still secure, federal technology ecosystem to limit the impact of inevitable compromises while also improving access to innovation. This runs counter to the prevailing approach of consolidating services on fewer platforms with higher requirements. While there are clear benefits to consolidating services, this approach also creates a massive target and makes compromises more devastating. Additionally, high-requirement, low-competition solutions frequently fail to deliver needed innovations over time, ultimately raising costs for taxpayers.

The SolarStorm compromise highlights the need for robust and active security research that finds vulnerabilities and responsibly reports them to stakeholders. Over the last decade, the U.S. government has moved away from actively discouraging responsible security research, but it does little to actively promote it. To keep security at pace with accelerating technology adoption, we need to leverage the expertise of the security research community.

While SolarStorm was clearly a landmark event, we must also recognize that sophisticated attacks from nation states are only one of many threats. For most sectors of the economy, ransomware and data breaches that leverage tried-and-true techniques like phishing or password spraying pose greater risks than Russian espionage and zero days. We must maintain focus on preventing these lower profile but cumulatively higher damage attacks at the same time that we work to prevent the next SolarStorm. That means accelerated adoption, across all sectors, of fundamental security protocols, such as maintaining an organizational security program, risk assessments, technical safeguards, monitoring and testing security effectiveness, staff training, vendor management, and incident response.

Cybersecurity-focused incentives—such as grants, tax breaks, and regulation—and education programs for smaller private sector entities will strengthen baseline security practices. Many larger enterprises and regulated entities are making progress on security, but there is often less security awareness, security maturity, and resource availability among smaller private sector organizations. Unfortunately, this increasingly makes them cyberattack targets, and it is more difficult for smaller and medium-sized entities to recover when they are already under-resourced. This problem is independent of SolarStorm and will persist after the compromise fades from public attention, and this is why the government's cybersecurity efforts must continue prioritizing broader adoption of the fundamentals.

 

Kiersten Todt
Managing Director, Cyber Readiness Institute
Former Executive Director, Presidential Commission on Enhancing National Cybersecurity

Prepare for the unexpected.

What we can say for certain about SolarStorm is that an adversary caught us unprepared with a serious attack against our infrastructure—the breadth and depth of which are still being understood. In grappling with the implications, we should consider and consciously override the human instincts that underlie our historical approach to national security.

History clearly illustrates how our nation brings all our resources to bear when responding to a crisis, and doesn’t invest enough in preparation and innovative thinking to anticipate potential adverse scenarios. After the 9/11 terrorist attacks on our homeland, experts shared that they had expected an Al Qaeda attack on the United States to occur on foreign soil. The previous two bombings—one against the U.S. Embassy in Kenya and another on the U.S.S. Cole in Yemen—occurred overseas. Poor intelligence sharing and a “failure of imagination” played a significant role in our surprise when Al Qaeda struck the homeland.

Fast forward to SolarStorm. We know that our government information networks had sensors deployed to detect attack signatures previously identified in intrusions from 2014 and 2015. But these sensors were not equipped to detect novel tactics, techniques, and procedures. In hardening our government systems, we did not stretch our thinking and anticipate a severe and debilitating software supply chain attack.

As a nation, we prepare for what we know we can respond to—but that is not enough. We need to review our list of prioritized risks and ask ourselves: Are we focusing on the obvious dangers at the expense of other, uncomfortable risks that may pose disproportionately greater costs to government and our infrastructure?

One of the key components to ensuring our infrastructure is secure and resilient against future attacks is proactive scenario planning to imagine how creative an adversary could be in breaching our networks—to stretch our thinking beyond what we know to consider what we have never imagined. As the Biden-Harris Administration develops cybersecurity plans and strategies, it should ensure that government and industry are collaborating, pre-event, to exercise scenarios that would break our current capacity to respond—events from which this nation could not recover. By doing so, we will harden our systems against the threats we know and those we don’t, while identifying the most important areas for collaboration between the public and private sectors.

Only by planning for worst-case scenarios and low-probability, high-risk events, and applying innovative thinking to response procedures and technical solutions, can we ensure the systems upon which our nation depends are strengthened against even the most sophisticated nation-state attack.

 

“Cuckoo’s Nest” by Ivana Troselj is licensed under CC BY 4.0 / Cropped from original.