America Responds to SolarWinds, But What Comes Next?

On September 4, 2019, hackers infiltrated the networks of Austin-based software company SolarWinds. Five months later, the hackers injected a malicious code known as SUNBURST within the SolarWinds Orion network management platform, which allowed the hackers to scan protected user data. By December 12, 2020, Solarwinds became aware of the infiltration and worked to respond in concert with U.S. government officials and agencies. 

But by then, the damage was done.

On January 5, 2021, the Cyber Unified Coordination Group (UCG)—a task force that includes the FBI, CISA, ODNI, and NSA—released a statement saying that 18,000 public and private sector customers had been affected by the breach, including government agencies such as the Departments of State, Defense, Energy, Treasury, and Commerce, as well as major companies including Microsoft, Lockheed Martin, Visa, and Mastercard. Microsoft President Brad Smith would later tell 60 Minutes that “from a software engineering perspective, it’s probably fair to say that this is the largest and most sophisticated attack the world has ever seen.”

The Biden administration attributes the attack to the SVR, Russia’s Foreign Intelligence Service, but officially, the Russian government claims no responsibility. Nevertheless, on April 15, 2021, the Biden administration announced measures against the Russian government in response to the SolarWinds hack (as well as Russia’s continued occupation of Crimea and interference in U.S. elections). These new measures include sanctions against individuals and entities, the expulsion of officials from Russia’s diplomatic mission in the United States, and a U.S. Treasury directive that “provides authority for the U.S. government to expand sovereign debt sanctions on Russia as appropriate.”

The implications of this hack will take years to fully comprehend. According to Brandon Wales, the Acting Director of CISA, a “strategic recovery” from the breach could take federal agencies between 12 to 18 months. And an analysis from BitSight and Kovr estimates “the insured losses to be $90,000,000, which includes incident response and forensic services for companies who were impacted by this incident and have cyber insurance coverage.”

Ultimately, the most significant consequence of the SolarWinds breach is that it revealed how deficient America’s cybersecurity strategy is. And worse, now our adversaries know this too.

The Biden administration has signaled its intent to make cybersecurity a national priority due to several breaches in recent years. On April 12, 2021, President Biden nominated Chris Inglis to be White House National Cyber Director and Jen Easterly to be the director of the Cybersecurity and Infrastructure Security Agency (CISA). Biden is also expected to issue several cyber-focused executive orders in the coming weeks.

On February 21, 2021, during an appearance on CBS’s Face the Nation, Biden’s National Security Advisor Jake Sullivan hinted that America’s response to the suspected Russian government-backed attack, which Sullivan said would happen within “weeks, not months,” will include a “mix of tools seen and unseen.” Now that the U.S. government has announced certain economic and diplomatic measures against Russia, The New Center wanted to provide a brief overview of what other options it might pursue.

“Seen Elements”

  • Internal: Reviewing and overhauling U.S. cybersecurity infrastructure and policies in order to better anticipate and respond to future cyber attacks.
  • Diplomatic: Establishing a more robust international cyber framework through engagement with allies and adversaries.
  • Commercial: Mandating cyberthreat information-sharing between the public and private sector and holding companies liable for failing to enact appropriate cybersecurity standards.

“Unseen Elements”

  • Covert Action: A counterattack on Russian critical infrastructure akin to the Stuxnet computer worm used to damage Iran’s nuclear program. Much like the “Operation Olympic Games” campaign from which Stuxnet originated, this action would likely not be acknowledged by the U.S. government.