"I liken it to other types of disaster recovery and contingency planning in both the government and the private sector," says Matt Ashburn, national security engagement lead at the web security firm Authentic8, who was formerly chief information security officer at the National Security Council. “Your whole goal is to maintain operations when there’s an unexpected event. Yet when the pandemic started this year, no one seemed prepared for it, everyone was scrambling. And supply chain attacks are similar—everyone knows about it and is aware of the risk, we know that our most advanced adversaries engage in this type of activity. But there has not been that concerted focus."
The recriminations came soon after the attacks were revealed, with US senators Ron Wyden (D-Oregon) and Sherrod Brown (D-Ohio) directing pointed questions at Treasury Secretary Steve Mnuchin in Congress about that department's preparedness and response. "As we learned in the NotPetya attacks, software supply chain attacks of this nature can have devastating and wide-ranging effects," said Senator Mark Warner (D-Virginia), vice chair of the Senate Intelligence Committee, in a separate statement on Monday. "We should make clear that there will be consequences for any broader impact on private networks, critical infrastructure, or other sensitive sectors."

The US has invested heavily in threat detection; a multibillion-dollar system known as Einstein patrols the federal government's networks for malware and indications of attack. But as a 2018 Government Accountability Office report detailed, Einstein is effective at identifying known threats. It's like a bouncer who keeps out everyone on their list, but turns a blind eye to names they don't recognize.
That made Einstein inadequate in the face of a sophisticated attack like Russia's. The hackers used their SolarWinds Orion backdoor to gain access to target networks. They then sat quietly for up to two weeks before very carefully and intentionally moving within victim networks to gain deeper control and exfiltrate data. Even in that potentially more visible phase of the attacks, they worked diligently to conceal their actions.

"This is a reckoning for sure," says Jake Williams, a former NSA hacker and founder of the security firm Rendition Infosec. "It's inherently so hard to address, because supply chain attacks are ridiculously difficult to detect. It's like the attacker teleports in there out of nowhere."
On Tuesday, the GAO publicly released another report, one that it had distributed within the government in October: "Federal Agencies Need to Take Urgent Action to Manage Supply Chain Risks." By then, the Russian assault had been active for months. The agency found that none of the 23 agencies it looked at had implemented all seven fundamental best practices for cyberdefense it had identified. A majority of agencies hadn't implemented any at all.

The supply chain problem—and Russia's hacking spree—is not unique to the US government. SolarWinds has said that as many as 18,000 customers were vulnerable to the hackers, who managed to infiltrate even the high-profile cybersecurity firm FireEye.