A sophisticated exploit of SolarWinds network management software will take the Biden administration months to fully investigate, but will result in agencies “building back better” through IT modernization efforts, its lead investigator said Wednesday.
Anne Neuberger, the administration’s deputy national security advisor for cybersecurity and emerging technology, said in a White House press briefing that the breach compromised the networks of nine agencies and about 100 private-sector companies.
About 18,000 companies downloaded the malicious update that made the breach possible.
Neuberger, the National Security Agency’s former cybersecurity director, said the administration is still in the “beginning stages” of understanding the scope and scale of the compromise, and that the investigation may uncover additional compromises.
While the full cost and impact of the breach are not yet known, Neuberger said the cyber incident highlighted the investments the administration needs to make to increase network visibility and mitigate future cyber incidents.
“If you can’t see a network, you can’t defend a network, and federal networks’ cybersecurity need investment and more of an integrated approach to detect and block such threats,” she said.
Meanwhile, Neuberger said President Joe Biden is working on an executive action that will assist in agencies’ response to the incident.
Technology companies affected by the SolarWinds breach offer products that, if compromised, could be used to launch additional intrusions, Neuberger warned. In response to that threat, Neuberger added, the administration will need greater information sharing between the public and private sectors.
“There’s active sharing going on in both directions: government sharing its insights with private sector entities — both who have been compromised and those who have broader visibility — and private sector entities sharing their insights to ensure we can together scope and scale what occurred,” she said.
The Cybersecurity and Infrastructure Security Agency, through its National Risk Management Center, has built inroads with the private-sector owners of national infrastructure. However, Neuberger said the federal government is still limited to acting on threat information that companies provide.
“There are legal barriers and disincentives to the private sector sharing information with the government. That is something we need to overcome,” she said.
While the investigation remains ongoing, Neuberger said hackers likely of Russian origin launched the “broad and indiscriminate effort” to compromise government and private sector networks. The techniques used, she added, have led investigators to believe that files and emails on affected networks have been compromised.
Members of the House Homeland Security Committee recently expressed concern with CISA’s lack of “centralized visibility” into civilian federal networks, but Congress, through the National Defense Authorization Act, has given the agency new authorities.
Former CISA Director Chris Krebs told the committee that the agency could provide that cyber support as a shared service through its Quality Service Management Office.