The Defense Department certainly wasn’t immune from the recent global-scale cyber vulnerabilities involving SolarWinds and Microsoft Exchange software. But after months of scouring their own networks for signs of compromise, Defense officials say they’ve found no evidence that adversaries managed to use the security flaws to steal data or do anything else malicious.
Testifying Wednesday before the Senate Armed Services Committee, David McKeown, DoD’s chief information security officer, shed new light on DoD’s potential exposure to the SolarWinds hack. He said the department had been running 1,500 instances of the company’s Orion software. Of those, 560 were running a version that included a backdoor inserted by hackers suspected to be working for the Russian government.
But McKeown said none of the department’s sensors have shown any indication that the backdoor was ever utilized before the vulnerability was discovered and the potential entry point was closed.
“In a few instances we sent out hunt teams to do a more thorough examination to make sure. And to date, no compromise,” he said.
DoD thinks the same is true of a separate set of vulnerabilities on Microsoft’s Exchange Server platform. Although the military is almost exclusively reliant on Exchange for its email services, McKeown said there’s no evidence that those vulnerabilities were ever successfully used by would-be intruders on DoD networks.
“We quickly enumerated those servers, focusing on those servers that were public-facing. There were very few that were, but we quickly patched those and found no indicators of compromise,” he said, adding that the department is continuing to look for signs of intrusion via the so-called “Hafnium” hack.
“The operations associated with [both vulnerabilities] are still ongoing. We’re keeping that open, and we’ve been working with both vendors on the patches and deploying those,” McKeown said. “I think we’ve finished all of our work as far as hunting, going out there where we thought maybe compromise existed. If somebody in the community comes up with more indicators of compromise, as soon as we get those, we check it across the environment. So I would say it’s going to be ongoing for some time.”
If it turns out to be the case that DoD truly did dodge the potential implications of both of the serious cybersecurity vulnerabilities, it will be largely because of improvements the department has made in recent years to how it commands and controls its disparate IT networks, said Rob Joyce, the director of cybersecurity at the National Security Agency.
Although DoD’s visibility over its own networks still is far from perfect, it at least has the ability to order the military services and Defense agencies to fix cyber problems quickly via directives from U.S. Cyber Command and Joint Force Headquarters-DoD Information Networks (JFHQ-DoDIN).
“The consolidation of the capabilities to defend the DoDIN gave us a huge advantage in speed to be able to order the modification and protection changes necessary for any specific threat,” Joyce said. “It also gave a hierarchy to report back the state of activities. So for instance, when there’s a vulnerability in Microsoft Exchange, there can be a cascaded order to go down to say, ‘issue the patch and run these checks to find out if you’re exploited and report back up.’ You have to know your network to defend your network, and the changes the department has been making have really upped the bar in the ability to know the network, which directly translates into the ability to keep people out.”
But even if the SolarWinds and Microsoft vulnerabilities don’t appear to have been successfully exploited, the mere fact that they were present on DoD networks for an indeterminate period of time only adds urgency to the department’s push to move its security posture from one that’s focused on defending the perimeters of its networks to a true “zero trust” model, officials said.
In February, DoD officials approved an initial “reference architecture” to begin implementing zero trust across all of their networks; they’re now revising their broader cybersecurity plans to incorporate those principles. As a general matter, the concept assumes that vulnerabilities exist on military networks and that intruders are already inside, so additional steps need to be taken to make sure they can’t move laterally from system to system once they’ve gained a foothold.
“If a device is behaving unusually using non-standard credentials, or someone is attempting to access from a location where they do not normally work, or at a time when they are not normally in the office, all of these processes will be centrally monitored by an automated system,” McKeown said. “If something does not match up, our system will automatically challenge the user and machine to provide additional credentials. Access to the network beyond that device will be blocked, and sensitive data will remain safely encrypted. The events associated with the attack will be constantly tracked, and our human defenders will be notified so they can monitor specific suspicious behaviors, alert the local network operator of potential attack, and take additional actions to repel and deter the attacker.”
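The access-decision logic McKeown describes (baseline of normal location, hours and credential type; one anomaly triggers a step-up challenge, more than one blocks access beyond the device and alerts defenders) sketched as an added Python example. This is illustrative code written for this article, not DoD's system; the user baseline, device names and thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed per-user baseline: where and when the user normally works and
# which credential type the endpoint is expected to present.
@dataclass
class Baseline:
    usual_locations: set
    work_hours: tuple          # (start_hour, end_hour), 24h local time
    expected_credential: str   # e.g. a PKI certificate rather than a password

@dataclass
class AccessRequest:
    user: str
    device: str
    location: str
    credential: str
    when: datetime

def evaluate(req: AccessRequest, baseline: Baseline) -> dict:
    """Compare a request with the user's baseline and decide allow/challenge/block.

    Every anomaly is recorded in the returned event so human defenders can review
    it; one anomaly triggers a step-up challenge, two or more block lateral access."""
    anomalies = []
    if req.credential != baseline.expected_credential:
        anomalies.append("non-standard credential")
    if req.location not in baseline.usual_locations:
        anomalies.append("unusual location")
    start, end = baseline.work_hours
    if not (start <= req.when.hour < end):
        anomalies.append("outside normal hours")
    if not anomalies:
        decision = "allow"
    elif len(anomalies) == 1:
        decision = "challenge"   # ask user and machine for additional credentials
    else:
        decision = "block"       # deny access beyond this device; escalate to defenders
    return {"user": req.user, "device": req.device, "decision": decision,
            "anomalies": anomalies, "notify_defenders": decision != "allow"}

# Constructed sample baseline (assumption, not real data).
BASELINE = {"jsmith": Baseline({"Fort Meade", "Pentagon"}, (6, 19), "pki-cert")}

def demo() -> list:
    """Three constructed requests: a normal one, one odd signal, several odd signals."""
    normal = AccessRequest("jsmith", "ws-0421", "Pentagon", "pki-cert", datetime(2021, 4, 14, 9, 30))
    odd = AccessRequest("jsmith", "ws-0421", "Pentagon", "password", datetime(2021, 4, 14, 9, 30))
    bad = AccessRequest("jsmith", "ws-0421", "unknown-vpn-exit", "password", datetime(2021, 4, 14, 2, 15))
    return [evaluate(r, BASELINE[r.user]) for r in (normal, odd, bad)]
```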
The department has conducted at least two large-scale zero trust pilot programs so far — one each in 2019 and 2020. DoD is constructing a third, planned for this year, which will focus on what Defense officials say will be a “cyber contested” environment involving “regional adversaries.”
“We will also continue to engage with Congress, federal civilian departments and agencies, the private sector, and our allies, to promote a whole-of-community unified defense,” McKeown said. “We view the DoD as a leader and partner in this implementation of a zero trust framework and a pioneer of the cyber capabilities that make such a framework possible.”