By: Amanda Nardozza
When news broke of a large-scale cyberattack within the United States government, many Americans were shocked to learn of the immense vulnerabilities present within the nation’s highest administrative bodies. From the Department of Homeland Security to the Pentagon––what should be some of America’s most tightly secured entities appeared to be entirely unequipped to handle the most recent attack by Russian hackers.[1] While this failure was certainly attributable in part to governmental unpreparedness, the sophistication of this breach made it particularly difficult to defend against.[2]
In this elaborate cyberattack, hackers targeted the IT management giant SolarWinds to gain access to its lofty clientele.[3] Unbeknownst to SolarWinds, hackers breached the company’s widely used Orion software and planted malicious code within it.[4] According to FireEye analysts, that code enabled hackers to transfer and execute files, profile systems, reboot devices, and disable system services on any server that downloaded it.[5] It also afforded these hackers the ability to impersonate other users.[6] As a result, when thousands of SolarWinds’s clients completed scheduled software updates, they inadvertently provided hackers with unimaginable access to their devices.[7]
Unfortunately, those clients consist of some of the most powerful offices in the United States.[8] Indeed, the entities impacted by the Russian cyberattack include the Department of State, Department of Homeland Security, National Institutes of Health, Department of Energy, Department of the Treasury, the Pentagon, Department of Commerce, the Centers for Disease Control and Prevention, and even some state and local governments.[9] The result: a hostile, foreign adversary with nearly unchecked access to the information saved and shared between America’s most important servers.[10] Fortunately, the breach appears to be contained within the business networks of the impacted government agencies, seemingly sparing the nation’s most classified data.[11]
Nevertheless, the SolarWinds breach has been labeled the worst cyberattack in history against the United States government.[12] It is true that the United States government has been hacked in the past.[13] However, the SolarWinds breach remains unique in its scope and stealth.[14] The fact that the malware was able to infiltrate so many administrative bodies, while remaining undetected for an extended period of time, is like nothing the United States has ever experienced.[15] With the malicious code installed as early as March of 2020, Russian operatives had free rein to collect government data from the nation’s top agencies until the malware was discovered in December of 2020.[16] As the former counsel to the National Security, Glenn Gerstell, put it: “[i]t’s as if you wake up one morning and suddenly realize that a burglar has been going in and out of your house for the last six months.”[17]
Perhaps even more unsettling is the fact that we will not know the true extent of the damage resulting from the SolarWinds breach for months–or even years–to come.[18] Because elaborate coding can be nearly impossible to eradicate, fragments of the Russian malware likely remain despite the government’s best efforts to purge it from its systems.[19] Consequently, these Russian-sponsored hackers almost certainly retain at least some degree of access to America’s government information, even today.[20]
Although the exposure of the United States government’s cyber vulnerability has certainly evoked feelings of disbelief among Americans, the fact that a breach occurred is unsurprising. In past years, the United States has focused primarily upon conducting its own cyberespionage, as opposed to defending against it.[21] Specifically, the Trump administration has paid little attention to the lurking threat of a cyberattack over the past four years.[22] By contrast, the Biden Administration has named restoring the nation’s cybersecurity as an utmost priority.[23] How specifically President Biden and his team will address the fallout remains unknown, but one thing is for certain: they will have their work cut out for them.
[1] Alyza Sebenius et al., U.S. Agencies Exposed in Attack by Suspected Russian Hackers, BLOOMBERG (Dec. 14, 2020, 2:37 PM), https://www.bloomberg.com/news/articles/2020-12-14/u-s-government-agencies-attacked-by-hackers-in-software-update.
[2] Id.; Kari Paul & Lois Beckett, What we know – and still don’t know – about the worst-ever US government cyber attack, GUARDIAN (Dec. 19, 2020, 2:57 PM), https://www.theguardian.com/technology/2020/dec/18/orion-hack-solarwinds-explainer-us-government.
[3] Isabella Jibilian, Here’s a simple explanation of how the massive SolarWinds hack happened and why it’s such a big deal, BUS. INSIDER (Dec. 24, 2020, 12:38 PM), https://www.businessinsider.com/solarwinds-hack-explained-government-agencies-cyber-security-2020-12#:~:text=Beginning%20as%20early%20as%20March,spy%20on%20companies%20and%20organizations.
[4] Id.
[5] Lucian Constantin, SolarWinds attack explained: And why it was so hard to detect, CSO (Dec. 15, 2020, 3:44 AM), https://www.csoonline.com/article/3601508/solarwinds-supply-chain-attack-explained-why-organizations-were-not-prepared.html.
[6] Jacob Silverman, It’s Too Easy to Hack the U.S. Government, TNR (Dec. 14, 2020), https://newrepublic.com/article/160550/solarwinds-treasury-government-hacked-russia.
[7] Jibilian, supra note 3.
[8] Kelsey Vlamis, Here’s a list of the United States agencies and companies that were reportedly hacked in the suspected Russian cyberattack, BUS. INSIDER (Dec. 19, 2020, 1:26 AM), https://www.businessinsider.com/list-of-the-agencies-companies-hacked-in-solarwinds-russian-cyberattack-2020-12.
[9] Id.
[10] Constantin, supra note 5.
[11] Oliver O’Connell, Hackers targeted US nuclear weapons agency in massive cybersecurity breach, reports say, INDEPENDENT (Dec. 18, 2020, 2:50 PM), https://www.independent.co.uk/news/world/americas/us-politics/hackers-nuclear-weapons-cybersecurity-b1775864.html.
[12] Herb Lin, Reflections on the SolarWinds Breach, LAWFARE (Dec. 22, 2020, 8:01 AM), https://www.lawfareblog.com/reflections-solarwinds-breach; Paul & Beckett, supra note 2.
[13] Zachary Cohen et al., Massive hack of US government launches search for answers as Russia named top suspect, CNN (Dec. 16, 2020, 9:31 PM), https://www.cnn.com/2020/12/16/politics/us-government-agencies-hack-uncertainty/index.html.
[14] Paul & Beckett, supra note 2.
[15] See id.
[16] Laura Hautala, SolarWinds hack officially blamed on Russia: What you need to know, CNET (Jan. 5, 2021, 4:32 PM), https://www.cnet.com/news/solarwinds-hack-officially-blamed-on-russia-what-you-need-to-know/.
[17] Bill Chappell et al., What We Know About Russia’s Alleged Hack Of The U.S. Government And Tech Companies, NPR (Dec. 21, 2020, 6:15 PM), https://www.npr.org/2020/12/15/946776718/u-s-scrambles-to-understand-major-computer-hack-but-says-little.
[18] Lin, supra note 12; Jibilian, supra note 3.
[19] Id.
[20] Id.
[21] Silverman, supra note 6.
[22] Kari Paul, What you need to know about the biggest hack of the US government in years, GUARDIAN (Dec. 15, 2020, 6:05 PM), https://www.theguardian.com/technology/2020/dec/15/orion-hack-solar-winds-explained-us-treasury-commerce-department.
[23] Howard Solomon, Joe Biden’s cybersecurity priorities: Fixing damage from SolarWinds attack, working with allies, ITWORLDCANADA (Jan. 20, 2021), https://www.itworldcanada.com/article/bidens-cybersecurity-priorities-fixing-damage-from-solarwinds-attack-working-with-allies/44106.