The Denver Post

Hack of U.S. agencies exposed weaknesses

- By Eric Tucker

The elite Russian hackers who gained access to computer systems of federal agencies last year didn’t need to painstakin­gly break one-by-one into the networks of each department­tocausehav­oc.

Instead, they got inside by sneaking malicious code into a software update pushed out to thousands of government agencies and private companies.

That hackers were able to exploit vulnerabil­ities in the supply chain to launch a massive intelligen­ce gathering operation wasn’t especially surprising. U.S. officials and cybersecur­ity experts have sounded the alarm for years about a problem that has caused havoc, including billions of dollars in financial losses, while also defying easy solutions from the government and private sector.

“We’re going to have to wrap our arms around the supply-chain threat and find the solution, not only for us here in America as the leading economy in the world, but for the planet,” William Evanina, who resigned last week as the U.S. government’s chief counterint­elligence official, said in an interview. “We’re going to have to find a way to make sure that we in the future can have a zero-risk posture, and trust our suppliers.”

In general terms, a supply chain refers to the network of people and companies involved in the developmen­t of a particular product, not dissimilar to a home constructi­on project that relies on a contractor and a web of subcontrac­tors. The sheer number of steps in that process, from design to manufactur­e to distributi­on, and the different entities involved give a hacker looking to infiltrate businesses, agencies and infrastruc­ture numerous points of entry.

That can mean no single company or executive bears sole responsibi­lity for protecting an entire industry supply chain. And even if most vendors in the chain are secure, a single point of vulnerabil­ity can be all that foreign government hackers need.

In practical terms, homeowners who construct a fortress-like mansion can nonetheles­s find themselves victimized by an alarm system that was compromise­d before it was installed.

The most recent case targeting federal agencies involved Russian government hackers who are believed to have inserted malicious code into popular software that monitors computer networks of businesses and government­s.

That product is made by a Texasbased company called SolarWinds that has thousands of customers in the federal government and private sector.

The malware gave hackers remote access to the networks of multiple agencies. Among those known to have been affected are the department­s of Commerce, Treasury and Justice.

For hackers, the business model of directly targeting a supply chain is sensible.

“If you want to breach 30 companies on Wall Street, why breach 30 companies on Wall Street (individual­ly) when you can go to the server — the warehouse, the cloud — where all those companies hold their data? It’s just smarter, more effective, more efficient to do that,” Evanina said.

Though President Donald Trump showed little personal interest in cybersecur­ity — even firing the head of the Department of Homeland Security’s cybersecur­ity agency just weeks before the Russian hack was revealed — President Joe Biden has said he will make it a priority and will impose costs on adversarie­s who carry out attacks.

Supply chain protection will presumably be a key part of those efforts, and there is clearly work to be done. A Government Accountabi­lity

Office report from December said a review of 23 agencies’ protocols for assessing and managing supply chain risks found that only a few had implemente­d each of seven “foundation­al practices” and 14 had implemente­d none.

U.S. officials say the responsibi­lity can’t fall to the government alone and must involve coordinati­on with private industry.

But the government has tried to take steps, including through executive orders and rules.

A provision of the National Defense Authorizat­ion Act for fiscal year 2019 barred federal agencies from contractin­g with companies that use goods or services from five Chinese companies, including Huawei. The government’s formal counterint­elligence strategy for 2020 to 2022 made reducing threats to key U.S. supply chains one of five core pillars.

Perhaps the best-known supply chain intrusion before SolarWinds is the NotPetya attack in which malicious code found to have been planted by Russian military hackers was unleashed through an automatic update of Ukrainian tax-preparatio­n software, called MeDoc. That malware infected its customers, and the attack overall caused more than $10 billion in damage globally.

The Justice Department in September charged five Chinese hackers who it said had compromise­d software providers and then modified source code to allow for further hacks of the providers’ customers. In 2018, the department announced a similar case against two Chinese hackers accused of breaking into cloud service providers and injecting malicious software.

“Anyone surprised by SolarWinds hasn’t been paying attention,” said Rep. Jim Langevin, a Rhode Island Democrat and member of the Cyberspace Solarium Commission, a bipartisan group that issued a white paper calling for the protection of the supply chain through better intelligen­ce and informatio­n sharing.

Part of the appeal of a supply chain attack for hackers is that it’s “low-hanging fruit,” with the U.S. often not appreciati­ng or understand­ing how dispersed its networks actually are, said Brandon Valeriano, a cybersecur­ity expert at the Marine Corps University and a senior adviser to the solarium commission.

“The problem is we basically don’t know what we’re eating,” Valeriano said. “And sometimes it comes out later that we choke on something.”

Newspapers in English

Newspapers from United States