The nine Federal agencies whose networks were compromised in the Russia-backed hack via SolarWinds Orion products are close to finishing their remediation reviews, and the government is planning new deployments of unspecified security and IT modernization technologies to avoid a repeat of the intrusions, a senior Biden administration official said during a background briefing on March 12.
The official also said the administration will seek closer cooperation with the private sector in better sharing cyber threat data, rather than seeking new legal authority to monitor U.S.-based networks to get ahead of hacking activities.
Nine Fed Agencies Making Remediation Progress
“We’re in week three of a four-week remediation across the Federal government,” the official said.
Anne Neuberger, the White House’s deputy national security advisor for cyber and emerging technology who is leading the government’s response to the SolarWinds hack, said last month that the attack “compromised” nine Federal government networks.
The senior administration official who spoke on March 12 said that the “compromised agencies all were tasked to do a particular set of activities and then were tasked to have an independent review of their work to ensure that we felt confident the adversary had been eradicated.”
“Most of the agencies have completed that independent review,” the official said, adding, “for those who have not yet, they will complete it by the end of March.”
New Tech Deployments on the Way
The official said the administration will be adding new technologies at the nine compromised agencies in the “near term,” and at more agencies after that, to improve security. While the official offered no specifics on the type or magnitude of those deployments, the official indicated the new technologies would have the effect of increasing network visibility.
“We cannot defend a network if we can’t see a network,” said the official, adding, “in our review of what caused SolarWinds, we saw significant gaps in modernization and in technology of cybersecurity across the Federal government.”
“We will be rolling out technology to address the specific gaps we identified, beginning with the nine compromised agencies,” the official said. “We want to make the Federal government a leader, not a laggard, in cybersecurity.”
The new technologies, the official said, “will be rolled out in the near term, beginning … with the nine compromised agencies and then more broadly across the Federal government to ensure we have the visibility we need to have trust in our networks, that we can protect the important work the Federal government does on behalf of the American people.”
Asked about the broader aim for Federal IT modernization, the official replied that “what we want to do is move to best-of-breed commercial technology and take advantage of the innovation of our private sector.” The official continued, “I think we don’t even need to build something new from the ground up when we think that there is much stronger, innovative technology available that we can move to – including cloud, including security implemented in the cloud, zero-trust principles, and other related areas.”
The official also said the administration was considering steps to “make a market” around the cybersecurity of software that the government buys from the private sector, and increase transparency to the public about security so that people can make informed decisions.
“There will be ideas coming in both of those in an executive action” over the next few weeks, as well as an announcement of action against the SolarWinds hack perpetrators in the same time frame, the official pledged.
Tighter Private Sector Cooperation Sought
The administration official also commented on the more recently reported Microsoft Exchange hack, and the heightened possibility of ransomware attacks if users don’t quickly patch and remediate.
The impact of the hack is “concerning” regarding datasets and ransomware, the official said, but also because threat actors in this case operated from U.S. locations, where intelligence agencies have less visibility into domestic networks.
While reiterating that putting a bigger priority on “security in the way we build and buy software” is important to the administration, the official said the government wants to do that through cooperation with the private sector, rather than seeking authority to do more monitoring of U.S.-based networks.
“We are focusing on tightening the partnership between the U.S. government and the private sector, who does have visibility into the domestic industry and into private sector networks, to ensure we can rapidly share threat information and we can address the liability barriers and disincentives that disincentivize U.S. companies from both addressing some of these issues and rapidly sharing information when there are incidents,” the official said.
In particular, the official said, tighter cooperation is being sought with “a small number of key companies who have broad visibilities: Internet service providers, cloud providers, some of the cybersecurity providers. They really see the larger number of victims.”
“We believe the model for the U.S. government in addressing cybersecurity issues involves working more closely with the private sector,” the official said. “We’re not looking at additional authorities for any government agencies to do additional monitoring within the U.S. at this time.”
The official said that efforts to remediate the Microsoft Exchange hack are being led from the National Security Council, and through a Unified Coordination Group that also includes private sector entities in addition to Federal security and intelligence agencies.
“We want to ensure that we are taking every opportunity to include key private sector participants early and directly in our remediation efforts,” the official said.