Nearly lost in the tumult of the Jan. 6 insurrection at the Capitol and the excitement of Joe Biden‘s inauguration is the continuing fallout from the massive data breach of SolarWinds Corp. by suspected Russian hackers. As the new team settles into office, what can it do to keep the nation safe in cyberspace?
Let’s begin with the scale of the hack. SolarWinds was a prime vendor to tens of thousands of clients, including hundreds of Fortune 500 enterprises and nearly the entire US government. It says at least 18,000 entities were affected.
SolarWinds provides an important service: ensuring that software versions are updated in a timely and efficient manner for their clients. This gave it access to customers‘ entire networks and databases. By breaking into SolarWinds, the hackers -- allegedly the Russian unit known as Cozy Bear -- had instant access to that huge roster of firms.
To use a military analogy, the initial attack on SolarWinds was a carpet-bombing, which had immediate (if undetected) effects across the entire field of battle. What happened next was more pernicious: A series of precision-guided strikes directed at top cybersecurity firms such as FireEye, and at key nodes throughout the US infrastructure. This included financial institutions, utilities (disclosure: I serve on the board of a public utility, American Water), defense companies and government entities including the Departments of Homeland Security, State and Commerce.
The scale of the attack is breathtaking, and there is still a great deal we are uncertain about. This is partly because of the sophistication and level of resources available for the hackers (Cozy Bear allegedly has Kremlin support) and because there is still a limited culture of sharing the results of hacks between elements of the public and private sector.
Unlike the airline industry, where a single commercial airliner going down sparks a public accounting and detailed information-sharing between airlines and national governments, cyber still has something of a “keep your cards close to the vest” approach. This is particularly true of software providers such as SolarWinds, which are operating in highly competitive markets.
Despite the offensive advantages of cybercriminals, the US can collectively do a better job at defense. SolarWinds was a clear demonstration that technology alone cannot solve cybersecurity problems. The Department of Homeland Security’s sophisticated Einstein intrusion-detection system didn‘t keep hackers from going unnoticed for almost a year.
This means US firms and the government must put a greater priority on supply-chain security and third-party risk management to root out attackers at the initial source of compromise. This time it was SolarWinds, but there are thousands of other software suppliers that could be next.
The Biden administration faces plenty of pressing international security issues: returning to the Iran nuclear deal (or not); restarting negotiations with North Korea; developing a coherent strategy to deal with China; creating a stronger partnership with India; recovering a smooth relationship with the European Union, among many others. But the challenge that concerns me the most is the cybersecurity vulnerabilities of critical infrastructure and democratic institutions from external state and nongovernmental actors.
At the top of the to-do list is getting out the excellent report of the federal Cyberspace Solarium Commission and following the majority of its recommendations. Released last July, it is full of very specific and sensible ideas for improving America’s cybersecurity policy.
The commission‘s executive director, retired Adm. Mark Montgomery, should be called into the administration at a high level -- his energy and understanding of both the cyber landscape and the mechanisms of the federal government are unparalleled. The organizational ideas in the report include getting serious representation of cyberspace experts into the White House and a position on the National Security Council staff with enough authority to require Senate confirmation.
Other ideas from the bipartisan commission -- led by Senator Angus King, Independent of Maine, and Representative Mike Gallagher, a Wisconsin Republican -- include greater scrutiny of risks posed by the emergence of quantum computing, allowing Defense Department personnel to get government funding for cybersecurity education, and encouraging higher levels of private-public collaboration to increase the security and resilience of the national critical infrastructure.
The administration should also create a full-fledged Cyber Force. The Trump administration correctly created a Space Force, recognizing how much of national security relies on the ability to operate in space, and that securing it requires specific skills concentrated in a single organization. Likewise, we are overdue for an elite, independent branch of the armed forces in which all the personnel wake up every morning thinking about defending the nation in cyberspace.
A long-overdue step is splitting up the National Security Agency and the US Cyber Command. The former is an intelligence-gathering entity that should be led by a senior civilian, preferably one with both legal and cybersecurity training. The latter is a military combatant command under a four-star officer. Both are now led by the same person, the Pentagon’s head of Cyber Command. But each is far too large, vital and fundamentally different in mission to share a leader.
Obviously, the pair of agencies would continue to share information and be deeply entwined, much as with the Central Intelligence Agency and Defense Department. But over time, each would be strengthened by a formal split. Congress has already authorized this separation, but the secretary of defense has to certify the change.
There are many other ideas for the new administration to explore, from a national cyber-insurance structure (like national flood insurance) to mandating higher levels of transparency from companies when they are hacked. Those are longer-term conversations. But the SolarWinds hack shows that public and private entities need to move smartly to enhance the level of protection in cyberspace. The Solarium Commission report, creating a Cyber Force, and splitting up the NSA and Cyber Command are good places to start.
James Stavridis
James Stavridis is a Bloomberg Opinion columnist. He is a retired US Navy admiral and former supreme allied commander of NATO, and dean emeritus of the Fletcher School of Law and Diplomacy at Tufts University. He is also an operating executive consultant at the Carlyle Group and chairs the board of counselors at McLarty Associates. -- Ed.
(Bloomberg)