The costs and consequences of the Russia-backed hack of government and private sector networks via a breach of SolarWinds Orion products are continuing to grow more than a month after the exploit was publicly disclosed, a senior official with the Cybersecurity and Infrastructure Security Agency (CISA) said today.
“There is no bigger risk” facing critical infrastructure sectors than attacks on their supply chains, said Bob Kolasky, who heads the National Risk Management Center (NRMC) at CISA, at an online event organized by FCW.
“We are all living and dealing with the consequences of perhaps the most significant software supply chain attack” in history, Kolasky said, referring to the SolarWinds breach.
The costs of that breach – which impacted thousands of systems – and of the “follow-on” exploits of the attack, which have been seen in smaller numbers, “are significant and growing every day,” Kolasky said. Simply understanding the full range of consequences of that exploit, he said, is likely to take a long time.
At CISA, the NRMC is working to support remediation efforts stemming from the SolarWinds hack, including for Federal government agencies, he said.
ICT SCRM Task Force Extension
Elsewhere during his remarks today, Kolasky talked about the value of partnerships between government and industry in the fight to protect supply chains.
One of the primary organizations in that effort is the Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force set up by NRMC more than two years ago for the government and industry to develop consensus strategies to improve ICT supply chain security.
He said today that the task force, which he called “a good place for industry to cooperate with government,” is going to be rechartered for another six months.
Kolasky said that the Federal Acquisition Security Council – established in 2018 with participation from numerous Federal agencies including CISA, the Defense Department (DoD), Office of Management and Budget (OMB), and the General Services Administration (GSA) – is also key to Federal efforts to reduce supply chain risk.
The combination of those efforts, he said, “leaves us in a good place for the Federal interagency effort to take on this challenge collectively.” He continued, “it’s a collective shield – it’s all of us working together.”
Along those lines, Kolasky said NRMC is due to publish on its website over the next week or two a new version of its overall threat evaluation guide, which serves as a reference for supply chain risk managers. The update, he said, follows NRMC’s evaluation of a “couple hundred” reference threats that risk managers may consider, overlaid with the possible consequences of those threats.