May 1, 2021HHS limits the use of guidance documents in civil enforcement actions
Dec. 23, 2020
Cyberspace has increasingly become a critical concern for national security. As early as 1996, the Government Accountability Office (“GAO”) recognized the need to secure federal computer systems against data loss, misuse, and unauthorized access. See “Information Security: Opportunities for improved OMB Oversight of Agency Practices” GAO Publication No. 96-110 (September 1996).
Since the GAO’s report, several efforts have been made to secure the national cyber infrastructure. In recent years, those efforts include: (A) the Federal Information Security Management Act (“FISMA”) of 2002, signed into law by President Bush, requiring each federal agency to develop, document, and implement agency-wide information security programs (12 years later, a report by the GAO found that 23 of 24 major federal agencies had failed to implement appropriate security controls, leading to the 2014 amendment of FISMA authorizing the Department of Homeland Security to administer the implementation of security controls on all federal Executive Branch systems); (B) President Obama’s 2016 Presidential Policy Directive, entitled “United States Cyber Incident Coordination” establishing a framework for coordinating the response to cybersecurity incidents among federal departments and agencies; and (C) the Cybersecurity and Infrastructure Security Agency Act of 2018, signed into law by President Trump, establishing the CISA as the nation’s top cybersecurity agency.
Despite these efforts, it’s clear that government action to secure federal computer systems have not been enough. This is perhaps nowhere more apparent than the discovery of the recent data breach connected to SolarWinds believed to be perpetrated by Russian hacker group Cozy Bear.
The attack was discovered by U.S. cybersecurity company FireEye and announced on December 8, 2020. In the announcement, FireEye indicated that several software products (including those used to pinpoint security vulnerabilities) had been stolen in, what it believed to be, a state sponsored attack. The theft of these tools by state actors is especially significant because the tools could be used, in turn, to discover security vulnerabilities in other systems leading to the compromise of even more data. State actors could use this information to threaten or coerce other nation states, manipulate the global financial system, or otherwise affect geopolitical stability.
The attack on FireEye was sophisticated and involved at least two attack vectors at the time of this writing.
The first was linked to a vulnerability in a Microsoft authentication protocol, which would allow a remote attacker to breach an unpatched Active Directory domain controller and potentially grant administrative privileges to all associated networked resources. The vulnerability, which involves forging an authentication token, could be exploited without requiring hackers to steal any credentials beforehand. CISA issued Emergency Directive 20-04 on Sept. 18, 2020. The Directive does a few things—it: identified the vulnerability, dubbed “Zerologon”; supplied a validation script to detect its presence; and required agencies of the Federal Civilian Executive Branch to apply a Microsoft security patch to prevent exploitation within 72 hours. In an unrelated incident, the CISA Director, Christopher Krebs, was fired by President Trump on November 17, 2020. As of this writing, a Senate-confirmed replacement for Director Krebs has yet to be announced by the White House, leaving the nation’s top cybersecurity post—a post the Trump Administration created—vacant while events surrounding this hack unfold.
Once hackers obtained credentials through the Zerologon exploit, they proceeded to attack the software supply chain of an enterprise network performance monitoring (“NPM”) product called Orion, developed by U.S. software company SolarWinds. Targeting a product like Orion poses a unique threat for two reasons: First, Orion (and other NPM tools) are commonly used in large data centers where sensitive data is stored (a problem somewhat exacerbated by the prevalence of multi-tenant cloud solutions); and second, because networking monitoring is typically a system-wide endeavor that requires administrative access. Targeting Orion (and NPM tools like it) allowed hackers to exploit systemwide access under ostensibly legitimate administrative credentials, essentially gaining unauthorized access under the guise of legitimacy. While there are a variety of flavors of supply chain attacks, the type employed here involved infiltrating the software distribution process for Orion.
Using an ingress obtained by leveraging the Zerologon vulnerability, hackers gained access to Orion’s build system. In the build system, a remote access tool was planted that allowed hackers to inject their own malware into the software packaging process. Hackers could then piggyback their malware changes on genuine “over the air” or “OTA” updates (software upgrades, patches, or other modification delivered via the Internet) from SolarWinds. If the update was installed by an end user, the malware would be successfully deployed and could then receive commands from the hackers. Hackers might issue commands to: manipulate financial records; leak non-public data; or simply monitor communications in anticipation of the ideal time to strike (e.g., hackers infiltrating a defense contractor developing a new aircraft might wait for confirmation of a successful test flight before exfiltrating information).
Almost all large-scale IT operations deploy some type of NPM tool. By piggybacking their malware payload on a “pick-and-shovel” utility, rather than a more niche software product (e.g., as used in the 2010 Stuxnet worm which targeted the firmware of a specific model of controller used in weapons-grade uranium enrichment), the hackers cast a wide net on the information obtained. A blog published by Microsoft in the wake of the attack shows that 18% of the victims were federal agencies—specifically, those involved in finance, national security, health, and telecommunications, including the Department of Defense (which regulates the United States nuclear weapons program). Another 9% of the attacks found their way into government contractors’ systems—primarily defense contractors and national security organizations.
As of this writing, despite mounting evidence of the attack’s severity and the near certainty of Russia’s involvement, the Trump Administration has been somewhat slow to address the attacks. Incoming President-Elect Biden has vowed to make cybersecurity a top priority in his Administration. “We need to disrupt and deter our adversaries from undertaking significant cyberattacks in the first place [by] imposing substantial costs on those responsible for such malicious attacks,” he expressed in a statement released on December 17. Who Biden nominates for Director of CISA will offer an important signal for how seriously he intends to take this threat. The President-Elect has already nominated Alejandro Mayorkas, former Director of USCIS and Deputy Secretary of Homeland Security in the Obama Administration, as Secretary of Homeland Security (the parent agency of CISA). If confirmed by the Senate, Mayorkas would occupy a role that has been vacant since Kristjen Nielson resigned in April 2019.
In addition, Biden may pursue other remedies including maintaining, or even increasing, sanctions against the Russian Federation. In 2017, President Trump signed into law Countering America’s Adversaries Through Sanctions Act, Pub. L. 115-44 (2017), imposing sanctions on Russia after interference was discovered in the 2016 Presidential Election. The bill was approved nearly unanimously (passing in the House, 419-3; and in the Senate, 98-2) signaling bipartisan support for sanctions against U.S. adversaries in the field of cyberspace. Should Biden elect to maintain (or increase) sanctions through legislative avenues, it appears that he may enjoy bipartisan support.
In contrast, a more nuanced policy that rises to a level above tit-for-tat retaliation (like implementing cybersecurity controls for the myriad agencies of the Executive Branch or devising new strategies for responding to cyber incidents) may not enjoy similar support. In that case, control of the Senate, pending January’s Georgia runoffs, is key. If Republicans maintain control of the Senate, Biden may have his work cut out for him. Particularly if widespread reform of the nation’s information systems infrastructure proves to divide the Senate along party lines. Biden may be able to rally support for certain policy proposals by appealing to Senate Republicans who have openly supported a more active cybersecurity response (chief among them Senator Mitt Romney (R-UT)).
Even without support in the Senate, Biden has two other avenues for influencing cybersecurity policy: (a) budget proposals; and (b) Executive Orders.
While the actual appropriation of federal funds is the responsibility of Congress, the budget can be used to advise Congress as to the general contour of the Executive’s stance on certain policies. Biden may use budget proposals to call specific attention to the need for increased investment in national cybersecurity infrastructure. Industry groups, which use the proposed budget to identify issues to which the Executive is receptive, may deploy political capital in ways to encourage spending in IT infrastructure. With over 18,000 private companies’ data compromised in the breach (many of them large, IT services providers), it would be surprising for technologies companies to not have an opinion on cybersecurity spending policy. (See Current Report filed on Form 8-K, SolarWinds Corporation (Dec. 14, 2020)). Aside from the obvious data privacy and protection concerns, industry groups may seek to use the SolarWinds breach as an opportunity to generate business in the form of government contracts.
Finally, Biden may rely heavily on Executive Orders in his first 100 days in office to expeditiously manage the aftershocks of the 2020 cyber incident. Some actions, including imposing sanctions on foreign actors, regulating inter-agency digital communications, and forming an executive task force to investigate the extent of the damage, are ripe for Presidential response. While it is unclear at this point what actions, if any, President Trump will take, if the outgoing President remains muted, Biden may enter office with a clean slate without having to roll back or repeal the orders of his predecessor.
These materials have been prepared for informational purposes only and are not legal advice. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Internet subscribers and online readers should not act upon this information without seeking professional counsel.