Russia suspected in hacks targeting frail U.S. supply chains
For years, U.S. officials have warned about the dangers of cyberattacks involving the electronics supply chain. This week’s revelation that a growing number of federal agencies were breached in a widespread attack by suspected Russian hackers shows how little they have followed their own advice.
Last year, for instance, the Cybersecurity and Infrastructure Security Agency, known as CISA, reported that federal agencies faced about 180 different threats from the digital supply chain, the hardware and software that make up a computer network. CISA’s parent, the Department of Homeland Security, was among those agencies breached in the recent attack.
The attack involved code embedded in updates for widely used network-management software made by SolarWinds Corp., which provides administrators with tools to manage and update their computer networks.
Lawmakers who received a classified briefing on the attack indicate that it is among the most serious in recent years. Sen. Richard Blumenthal, D-Conn., said in a tweet Tuesday that the briefing left him “deeply alarmed, in fact downright scared.” Dick Durbin, the Senate’s second highest-ranking Democrat, said on CNN Wednesday that the hack was “virtually a declaration of war.”
Despite those public pronouncements, a blistering report by a government watchdog that was completed in October and released Tuesday shows that the risks that led to these intrusions are far from new, and that U.S. agencies have failed for years to implement recommended safeguards for their information technology supply chains.
Part of the problem: This issue is an IT department’s nightmare, and the interconnected nature of the global supply chain makes it nearly impossible to ensure that anyone’s doing it correctly.
The report, by the U.S. Government Accountability Office, found that 14 out of the 23 surveyed federal agencies hadn’t implemented any of the “foundational practices” to protect their information and communications technology supply chains, and none of the agencies had implemented all of them. Those practices had been recommended in 2015 by the National Institute of Standards and Technology, and the following year, the Office of Management and Budget required the agencies to implement the changes.
The agencies that were surveyed included several — the departments of Commerce, Homeland Security, Treasury and State — that were breached as part of the recent attack, though the report doesn’t specify what particular agencies did — or didn’t do — with the recommendations. “Supply chains are being targeted by increasingly sophisticated threat actors, including foreign cyber threat nations such as Russia, China, Iran and North Korea,” the report states. “Attacks by such entities are often especially sophisticated and difficult to detect.”
The report warned of hackers inserting backdoors — methods used to get around normal security measures and gain access to a computer system — through the supply chain, and of the potentially dire consequences of a successful attack.
Hackers could “take control of federal information systems, decrease the availability of materials or services needed to develop systems and destroy systems, causing injury and loss of life, and compromising national security.”