WASHINGTON — The reported cyber breach through an IT contractor’s software used by the military highlights the risks the Department of Defense takes when it increasingly must rely on third-party vendors for digital services.
As civilian agencies disconnected Monday from the SolarWinds Orion platform under government orders, the Department of Defense declined to comment on whether its systems are among those across several government agencies reportedly accessed by hackers affiliated with Russia’s foreign intelligence agency. SolarWinds counts all five military services, the Pentagon and the National Security Agency among its clientele for the network management platform, and said Monday in a Securities and Exchange Commission filing that the hack between March and June affected 18,000 customers — both government agencies and businesses.
With agencies just now unplugging from the platform, the extended time that hackers potentially had access to government emails and other information particularly alarmed experts.
“This is just the price that the Department of Defense, the Intelligence Community and the U.S. government, writ large, are going to pay over and over for their continued and increasing reliance on, at its core, code that someone else wrote and tested on their network” (as opposed to code that they wrote and they tested), said Philip Reiner, CEO of the Institute for Security and Technology, who also formerly served at DoD and on the National Security Council.
“As the Department of Defense continues to expand its trust in third-party products and services, because it has no choice, really, this will only get worse. Trust is a transitive property, and threat actors know this, which is why they take advantage of it.”
The Navy and Army referred questions to the Department of Defense, which declined to comment. A spokesperson for the chief information officer of the Air Force did not respond right away to a request for comment.
A U.S. Cyber Command spokesperson said the command is assessing the issue. “U.S. Cyber Command is postured for swift action should any defense networks be compromised. We are in close coordination with our interagency, coalition, industry and academic partners to assess and mitigate this issue.”
Reuters, which first reported the breach, identified the departments of Commerce, Treasury and Homeland Security as agencies that hackers infiltrated. The Washington Post reported that the group behind the intrusions was APT29, which is associated with the SVR, Russia’s foreign intelligence agency. Reuters reported that the breach was severe enough for the National Security Council to call an emergency meeting. The Wall Street Journal reported Monday that “national security agencies and defense contractors” were among the breached organizations. FireEye, a cybersecurity company with significant federal contracts, announced last week that hackers broke into its servers, which the Washington Post attributed to the same Russian outfit.
What this could mean for the Defense Department
Greg Touhill, who served as the federal government’s first chief information security officer and helped oversee response to the 2015 breach of the Office of Personnel Management, told C4ISRNET that the DoD needs to be on “red alert.”
“I’m in the DoD, I’m thinking, ‘They’re inside, and they’ve been snooping around and laying low,’” said Touhill, a retired Air Force brigadier general and president of Appgate Federal. “So I’m very concerned to find them in the DoD and across the whole federal government; they should be very concerned. And you know what? Those of us in the industry, we ought to be very concerned as well. So this is a five-alarm fire.”
Hackers gained initial access through SolarWinds software updates, allowing them to move within networks beyond the contractor-supported systems.
“This is just an unprecedented breach of commonly used network management tools,” said Trey Herr, director of the Cyber Statecraft Initiative under the Scowcroft Center for Strategy and Security at the Atlantic Council. “If you’re DoD, you’re looking at a significant impingement on your ability to do every basic office function in a way that you can be assured is not subject to significant compromise.”
The hack through the supply chain comes as the Defense Department works to ramp up contractor cybersecurity requirements through the Cybersecurity Maturity Model Certification, which evaluates contractors’ cybersecurity strength.
“It certainly highlights the criticality of improving the security posture of the supply chain,” said Jacob Olcott, vice president of government affairs at BitSight Technologies. “However, one of the significant gaps in CMMC today is the real-time, timeliness issue … You could imagine a situation where an organization would have answered positively to a lot of security checkboxes and then something like this happens.”
Across the military services, components are turning to managed service providers for many “as a service” functions, particularly IT as a service. In a recent webinar, a top official at the Army program office tasked with managing the service’s enterprise network said that there’s “probably nothing that we’re not looking at as ‘as a service.’”
Jon Bateman, a fellow in the Cyber Policy Initiative at the Carnegie Institute for International Peace, told C4ISRNET that the situation highlighted the limits of cybersecurity.
“You’ve got the leading entities in the world, the U.S. government or … FireEye, and then you’ve got the leading hackers in the world, some of them are in Russia. And just given enough time and persistence and effort, the offense can win in huge ways,” said Bateman, who served as special assistant to former chairman of the Joint Chiefs of Staff Gen. Joseph Dunford. “I think that shows us something about the limits of cybersecurity.”
While the initial goal of the intrusion was purely espionage, the access could have been used for disruption, Herr said. As a hypothetical example, he noted that it could have been strategically timed with a significant event to cripple DoD’s ability to send emails or perform other functions, which would be a significant handicap.
The access the intrusion provided to a foreign actor would be a goldmine from an espionage perspective, Herr added. Being able to read interdepartmental communications and exchanges affords the hackers the opportunity to learn more about the decisions made within the U.S. government and what is important to its leaders.
“I could, for example, from an espionage standpoint, get a much clearer sense of where my redline might be and run significantly closer to that, or see where there’s less interest in or focus on certain geographic or topical areas and policies and push my activity in that direction away from the adversary’s focus, which in this case would be the United States’ focus, as a way to avoid penalties,” he said.
Moreover, the duration of the access means that the actor has a sustained view of the U.S. decision-making process rather than just a single snapshot in time.
On Sunday, the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security, which is tasked with securing federal networks, directed federal civilian agencies to unplug all SolarWinds Orion products. In the directive, CISA categorized the breach as grave. Across the government, an effort to assess the damage from the breach is underway.
“The NSC is working closely with @CISAgov, @FBI, the intelligence community, and affected departments and agencies to coordinate a swift and effective whole-of-government recovery and response to the recent compromise,” NSC spokesman John Ullyot wrote in a tweet Monday morning.
Reaction from the Hill
On Capitol Hill, lawmakers expressed great concern about the supply chain tactics used to reach into federal agencies.
“Software supply chain attacks of this nature can have devastating and wide-ranging effects — whether it’s via niche Ukrainian tax software or, as here, network management tools relied upon by some of the world’s largest companies,” said Sen. Mark Warner, D-Va., vice chairman of the Senate Select Committee on Intelligence. “As we gather more information on the impact and goals of these malign efforts, we should make clear that there will be consequences for any broader impact on private networks, critical infrastructure or other sensitive sectors.”
California Democrat Adam Schiff, chairman of the House Permanent Select Committee on Intelligence, called cybersecurity breaches like this a persistent problem.
“These intrusions reinforce the need to secure our unclassified government networks and those in the private sector that partner with the government,” Schiff said.
Sen. Angus King, I-Maine, who chaired the bipartisan Cyber Solarium Commission, pointed to the risks posed by the sheer magnitude of the federal government’s supply chain.
“I hesitate to even imagine how many vendors there are to the United States government,” King said. “So that underlines that danger.”
Companies doing business with the Pentagon total around 300,000.