The SolarWinds hack was a major attack that affected thousands of companies as well as multiple government agencies. The size and nature of the attack demanded a strong response, which the government has provided in the form of several important changes to United States cyber policy.
Understanding the SolarWinds Attack
SolarWinds is a Texas-based software company that provides network management and monitoring tools for thousands of organizations globally, including several governments. One of SolarWinds’ most popular products is an IT monitoring system called Orion.
Between March and June of 2020, malicious actors inserted a back door into the Orion software. When SolarWinds customers downloaded the latest version of the Orion software, malicious actors gained access to those organizations’ systems.
It is estimated that more than 18,000 systems downloaded the infected software, compromising about a hundred different companies and a dozen government agencies. Affected companies include Cisco, Intel, and Microsoft, while affected agencies include the departments of Energy, Homeland Security, Justice, and Treasury, as well as the Pentagon. The hack allowed the attackers to view, steal, or delete sensitive data on the compromised systems.
Government officials and industry experts believe that the attackers were supported and directed by the SVR, the Russian intelligence service equivalent to our CIA. In breadth, the attack was one of the largest of its kind to date.
How U.S. Cyber Policy Changed After the Attack
News of the SolarWinds cyberattack went public in December, and since then the government has been slowly unveiling its response. So far, this response has consisted of three key changes to the country’s cyber policy – a new National Cyber Director, new cybersecurity standards for software contractors, and new sanctions on the country behind the attack, Russia.
1. First National Cyber Director
The first change to U.S. cyber policy came in January with the passing of the National Defense Authorization Act of 2021. Included in this legislation was the creation of a new National Cyber Director post, reporting directly to the president. In April, President Biden nominated Chris Inglis, a former deputy director of the National Security Agency (NSA), to the new post. Inglis was unanimously confirmed by Congress on June 18.
As National Cyber Director, Inglis serves as the president’s senior advisor on all cyber-related issues. The new post does not replace the head of the existing Cybersecurity and Infrastructure Agency (CISA) in the Department of Homeland Security, but rather supplements what that agency does.
Inglis will be responsible for creating a consistent and unified direction for the country’s cyber policy and operations. He will advise not only the office of the president, but also Congress, other government agencies, and the private sector. He will lead the government’s response to future cyberattacks and issue new rules and regulations regarding cybersecurity.
2. Sanctions on Russia
The second change to U.S. cyber policy came in April, when President Biden announced sanctions against Russia and several Russian technology companies. In issuing the sanctions, the White House said that they would “continue to hold Russia accountable for its malicious cyber activities, such as the SolarWinds incident.”
The White House formally named the Russian Foreign Intelligence Service (SVR) as the initiator of the SolarWinds attack. The official response included the following actions:
- Designating six Russian tech companies for providing support to Russian intelligence services
- Prohibiting U.S. financial institutions from participating in the market for Russian bonds
- Sanctioning 32 Russian entities and individuals for using disinformation in an attempt to interfere with the 2020 U.S. presidential election
- Expelling 10 staffers from the Russian diplomatic mission in Washington
For its part, Russia denied that it played any part in the SolarWinds attack and said that it will respond in a similar fashion.
3. New Cybersecurity Standards for Critical Software
The final change to U.S. cyber policy came on May 12. On that date, in response to SolarWinds and similar attacks, the Biden administration issued an Executive Order on Improving the Nation’s Cybersecurity. It includes a number of important directives, such as removing barriers to the sharing of threat information, adopting Zero Trust Architecture in all government systems, and establishing a Cyber Safety Review Board. The Order also establishes new standards for companies that contract with the federal government for what the government deems critical software.
The Director of the National Institute for Standards and Technology (NIST) is charged with developing these new standards, designed to strengthen the security of the nation’s software supply chain. These standards are expected to include the deployment of encryption, multi-factor authentication, endpoint detection and response tools, and other cybersecurity tools to check for and remediate known and potential vulnerabilities.
The NIST guidelines will be issued within the next year. At that point, the OMB will require companies supplying software to the federal government to comply with all of the new security requirements.
Will These Policy Changes Be Effective?
Fighting cybercrime is a constant challenge. While these policy changes cannot, on their own, eliminate the risk of future cyberattacks, they do send a warning that the U.S. government takes the problem seriously and is prepared to act in response to attacks on the country’s infrastructure and economy.