Like many disasters, 2020's federal government data breach wasn't the result of any single failure, but the accumulation of compounding failures.
Top of the list is a failure of communication. Information about the breach, its scope, its damage, and which agencies and organizations were affected has dripped out over the course of weeks. Had companies been required to report cyberattacks in a timely manner, the impacted agencies and other private companies might have been able to act more quickly, triggering a whole-of-government federal response to the attack.
But that didn’t happen, in part because of the failure of government agencies to set out reasonable cybersecurity guidelines for their contractors and suppliers, like SolarWinds. Developing appropriate cybersecurity standards that all agencies and corporations should be held to is obviously not an easy task, and one that requires public-private collaboration. But that should be all the more urgent following this attack.
Even when new rules are in place, the government will have to do a much better job of enforcing them. We’ve seen in some of the Defense Department’s existing cybersecurity standards for the defense industrial base that requirements aren’t always enforced, leaving many, if not most, companies far short of the standards.
There’s a lot to be done and a lot that will be done following this attack. But the need for urgency should be clear: The Biden administration must accelerate these efforts, ensure existing standards are enforced and establish stronger ones.
News of the breach moved fast, but not fast enough. FireEye was the first company to announce a breach, disclosing on Dec. 8, 2020, that its systems had been compromised. While investigating that incident, it discovered the SolarWinds supply chain attack and notified the National Security Agency. On Dec. 13, the breaches of the Treasury and Commerce departments became public. On Dec. 15, FireEye confirmed that the agencies were victims of the same attack it had experienced, pointing to a SolarWinds Orion software update as the culprit.
Nearly a week after the issue was first discovered, the floodgates opened as thousands of businesses and dozens of government agencies began to investigate their own systems for signs of intrusion and theft, and remediate the vulnerabilities.
Obviously this was a sophisticated attack, and uncovering exactly how it was perpetrated took time. But better reporting requirements would have alerted the many victims much sooner. The attackers had reportedly been in government and business systems for months, but the faster everyone is made aware of a threat, the better they are able to prevent further damage.
The Department of Defense already has requirements in place for the defense industrial base to report cybersecurity incidents within 72 hours. Reports must identify the affected data and all related data from the 90 days leading up to the incident, along with any infected software, and the contractor must also conduct a thorough systems review and identify ways to prevent future breaches.
Had this reporting system been in place across all government agencies, the slow drip of information and revelations about the SolarWinds attack could instead have been a swifter, more coordinated response.
To implement better reporting requirements, we need better cybersecurity requirements in general for all government contractors and suppliers. Those handling sensitive government data must be held to higher cybersecurity standards. To do so responsibly will require public-private partnerships to arrive at reasonable but effective guidelines.
One example of how to proceed is the Cybersecurity Maturity Model Certification, or CMMC, a new set of guidelines from the DoD. This effort is the result of a yearslong collaborative process between the DoD and industry that has produced requirements that each prime and subcontractor must meet, at one of five different levels depending on their exposure to sensitive information.
CMMC is a bipartisan effort whose development has spanned both Republican and Democratic administrations, and it will measurably improve our national cybersecurity posture. President Joe Biden should throw the full weight of his power behind it and accelerate its implementation.
I’m always the last person to call for more regulation, but in the same way that cars need seat belts for safety, businesses that have access to government data must have safeguards against cyberattacks. The threats we face from an emboldened Russia and China will only increase in number and severity, making better standards an urgent priority.
While better reporting requirements and a public-private partnership to establish new standards are both sorely needed, the lack of them is hardly the biggest failure of government. The biggest failure is the absolute lack of enforcement of existing standards.
Last year, before the SolarWinds attack, the DoD finally cracked down on the defense industrial base, requiring proof that it met existing standards — standards it was supposed to have been in compliance with for years.
The DoD was basically calling the defense industrial base’s bluff. For years, the DoD accepted self-attestation that a company was compliant with the rules, and the risk of an audit was statistically low. When the DoD instituted a new policy to confirm that everyone was actually doing what they said they were doing, many had to scramble. Prime contractors sent letters to their subcontractors requiring them to submit proof of compliance in just weeks. It wouldn’t have come to that if the standards had been enforced from Day One.
We’ll never be completely safe from cybersecurity attacks, especially from foreign threats. But we can take the proper steps to implement a baseline of security and reporting requirements that allow for coordinated defense against those attacks — and then enforce those standards.
With the SolarWinds attack still reverberating, the Biden administration should take this opportunity to hit the gas on stronger protections that keep our government, our businesses and our citizens safe.
Eric Noonan is the CEO of CyberSheath. He previously served as the global chief information security officer at BAE Systems and is a former CIA officer and Marine.