How U.S. cyber policy changed after SolarWinds

In March of last year, thousands of companies and U.S. government agencies were sent a routine software update. This happened regularly with SolarWinds Orion software. There was no reason to suspect anything was wrong with the update.

What they couldn’t see at the time was a malicious piece of code buried deep within the update, a Trojan horse planted by Russian military hackers looking for a backdoor to important American computer networks. 

Nine months after that compromised software update, cybersecurity firm FireEye sounded the alarm. They had been hacked. Their crown jewels, what the company calls “Red Team tools,” had been stolen. FireEye suspected that anyone who had downloaded and installed the SolarWinds Orion update had been hacked too. 

The U.S. Treasury Department, Department of Justice, State Department, Energy Department, and the agency that protects and transports the U.S. nuclear arsenal, didn’t see the Russians rummaging through their computer networks for nine months. Businesses, including software titan Microsoft, also found their systems compromised by the update. SolarWinds says its products are used by 300,000 customers around the globe, and that 18,000 customers downloaded its compromised software update.

In February, 60 Minutes spoke to cybersecurity experts who said they believe the U.S. government’s strategy for cyber warfare is inadequate and does not effectively deter its adversaries in cyberspace, including Chris Inglis, who was later chosen by the Biden administration to become the nation’s first National Cyber Director.

A month after 60 Minutes first aired its report on SolarWinds, the Biden administration levied sanctions against Russia, blaming the Russian Foreign Intelligence Service (SVR) for the SolarWinds hack. President Biden has also taken executive action to bolster U.S. cybersecurity and spoken with Russian President Vladimir Putin about recent cyberattacks on the U.S., although Russia has denied responsibility for the hack.

NATIONAL CYBER DIRECTOR

Last month, the Senate confirmed Chris Inglis, a former deputy director of the National Security Agency, as National Cyber Director— a new White House role created this January when the National Defense Authorization Act passed in Congress. White House Advisor Jake Sullivan said Inglis would bring “deep expertise, experience and leadership” when the nomination was announced. 

In an interview with Bill Whitaker this February, Inglis said the separation between government and private enterprise, while bound by law and in line with American values, makes coordination on cyber defense difficult. Without a united line of defense, that separation can be exploited by an aggressor. 

“It turns out that a division of effort is actually an agreement to not collaborate,” he said. “One party’s attempting to defend their patch and another party’s defending their patch. Both sides are ignorant. And the aggressor can pick you off one at a time.”

He suggested greater collaboration between government and private business to identify and address cyber threats. “Unless there’s some collaboration of the defenders,” he explained, “No one person is going to have the god’s eye view of what’s happening in that network.”

Senate Homeland Security Committee Considers Nominees For Cybersecurity Posts
Chris Inglis, confirmed by the Senate to become the nation’s first National Cyber Director, testifies during his confirmation hearing in Washington, DC.  GETTY IMAGES

In an executive order this May, President Biden created strict new security standards that supply chain software companies like SolarWinds must meet to do business with the federal government. The order also requires those companies to maintain a vulnerability disclosure program and make automated security checks public.

“Protecting our Nation from malicious cyber actors requires the Federal Government to partner with the private sector,” President Biden said in the order. “The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace.”

In his confirmation hearing last month, Chris Inglis said hacks like SolarWinds “signal the urgent need to secure our national critical infrastructure” and that his duties as National Cyber Director would require “robust engagement” with the private sector. 

CONFRONTING RUSSIA

In April, President Biden ordered the Treasury to designate six Russian technology companies believed to be providing support to the Russian Intelligence Service (SVR). “We will continue to hold Russia accountable for its malicious cyber activities, such as the SolarWinds incident, by using all available policy and authorities,” the White House said. 

Last month, Biden met with Russian President Vladimir Putin in Geneva, Switzerland. They spoke for roughly three hours, discussing cybersecurity, arms control, and other topics. Biden said the meeting was “constructive.” Both leaders addressed reporters in separate news conferences afterward.

US-Russia Summit 2021 In Geneva
U.S. President Joe Biden and Russian President Vladimir Putin meet during the U.S.-Russia summit in Geneva, Switzerland.  GETTY IMAGES

Biden told reporters that Putin “knows I will take action” to stop Russia from engaging in hacking attacks, like those targeting SolarWinds. Biden added Putin “knows there are consequences” and said Russia’s credibility “shrinks” when it participates in cyberattacks. When asked if he was confident Putin would change his behavior, he said, “I’m not confident of anything.”

In a separate press conference, Mr. Putin said the two countries would engage in “consultations” related to cybersecurity but denied Russian responsibility for recent cyberattacks.

In a conversation with Bill Whitaker this February, James Lewis, a director at the Center for Strategic and International Studies, said fear of escalation has held the U.S. back from punishing Russia, and other nation-states, when they step out of line. “Escalation’s a reasonable concern. But it shouldn’t be enough to say, ‘Oh, we shouldn’t do anything because the Russians might be mad,'” he said. “The goal is to make them mad. The goal is to make them afraid. How do you punish the Russians without triggering a major conflict?”

He suggested the U.S. experiment with tactics to find creative ways of inflicting revenge on Russia. “Could you interfere with their media? Could you start putting stories in the Russian media?” he offered. “The one that bothers them the most is corruption because it creates the popular discontent in their own populations that they don’t want.” 

He said interfering with money allegedly stashed away in other financial systems by powerful Russians in government and business could be another deterrent. “We could interfere a little bit with their financial activities,” the Center for Strategic and International Studies’ Lewis suggested. “They have money squirreled all around the world.”

James Lewis retains hope that the Biden administration will be more willing to explore an offensive strategy with the Russians, and other nations like China, who attack the U.S. in cyberspace. “[Biden] could rethink how we use the exquisite capabilities that NSA and Cyber Command have to inflict pain on Russia and the others,” he said. “It’s risky. But if we don’t take risk, we’re not gonna be able to work our way out of this.”

The video above was originally published on February 14, 2021 and was produced by Will Croxton and Mabel Kabani. It was edited by Will Croxton.