December’s revelation that U.S. government agencies and our largest corporations were subject to a hyper-sophisticated cyberattack was not unexpected, but the breadth of the SolarWinds hack was shocking. FireEye, a world leader in cybersecurity, stated that the company had never witnessed a breach of this scope and magnitude. In a blog post disclosing the attack, FireEye CEO Kevin Mandia wrote, “We are witnessing an attack by a nation with top-tier offensive capabilities.” It was evident just how serious the situation was.
Then the other shoe dropped. Days after the initial report disclosing the breach, we learned that the SolarWinds hack impacted thousands more entities than previously believed, and it is still ongoing as we speak. Through a series of seemingly innocuous software updates to a widely used network management product, hostile actors penetrated our networks and spread undetected for months like a metastatic cancer.
We don’t yet know the full extent of what assets were compromised in SolarWinds, something that will take months or longer to assess. What is clear is very few nation-states have the cyber capabilities needed to orchestrate a hack of this sophistication, and SolarWinds bears all the hallmarks of Russian malign activity.
Malware and cyberattacks are something of a Russian specialty and remain their tools of choice because they are cheap to execute and can wreak maximum havoc. In 2007, a massive Russian cyberattack crippled Estonia’s government and economy for three weeks. Eight years later, in 2015, Russia hit Ukraine’s critical infrastructure with a cyberattack on the power grid that cut off electricity to hundreds of thousands of people.
It is critical we respond with a clear, forceful message to the Russians and any others who wish to do the United States harm. For now, the SolarWinds hack is considered an egregious act of espionage: stealing data and establishing unauthorized access to information technology systems. If it becomes clear the actions also impact operational technology (the systems that control physical processes, such as power generation or water treatment), it must be considered an attack, and the realm of potential responses greatly escalates.
Next, we must move past jurisdictional grandstanding to develop a national cybersecurity strategy. Once we identify the vulnerabilities that allowed this hack to take place, we need a comprehensive approach to cybersecurity that keeps the United States a step ahead of its adversaries. The Idaho National Lab has been at the forefront of this work with its Consequence-driven Cyber-informed Engineering (CCE) methodology, which urges industry leaders and cyber professionals to think like an adversary: identify the functions whose loss would be most damaging, then engineer and isolate the systems that perform them so that an attacker’s options are limited. While our coordination on these issues has improved in recent years, greater collaboration between the federal government, businesses, national labs and our energy sector will unite our greatest strengths to protect our most sensitive systems and information from hostile foreign actors.
Finally, we need a long-term solution to build and maintain a deep bench of cybersecurity professionals. Early exposure to STEM education, computer coding and cyber curriculum can inspire a whole new generation of students to pursue a career in cyber. Meanwhile, our universities have an opportunity to evolve with the changing workforce and build a pipeline of talented individuals ready to succeed in a fast-paced, well-paid and highly skilled career in cybersecurity.
SolarWinds has set us on a course to one of two eventualities: allow ourselves to fall victim to bureaucratic paralysis by analysis, or act decisively to enact policies to ensure America’s cyber dominance for decades to come. Let it be the latter.