December 16, 2020 | Policy Brief

Russian Hackers Target U.S. Government Agencies

December 16, 2020 | Policy Brief

Russian Hackers Target U.S. Government Agencies

Multiple news reports from this past weekend indicate that hackers working for Russian intelligence breached networks and monitored email traffic at a number of U.S. federal agencies – including the Treasury Department, the Commerce Department’s National Telecommunications and Information Administration, the State Department, and the Department of Homeland Security (DHS) – as well as numerous businesses and the cybersecurity firm FireEye. The massive scope of the breach reflects the scale of the cybersecurity challenges facing the incoming administration.

Investigators uncovered the campaign, which dates at least to the spring of 2020, while investigating a hack of FireEye’s systems. After publicly acknowledging the breach, FireEye reportedly shared information on the hack with Microsoft and the National Security Agency (NSA) in order to determine how the hackers accessed FireEye’s network. An analysis of the data revealed that the hackers compromised SolarWinds’ Orion software, a network-management service.

Identifying the software that the hackers exploited allowed the U.S. government to recognize the full scope of the campaign’s impact. SolarWinds claims that over 300,000 customers use its services worldwide, including all branches of the U.S. military, the Pentagon, the NSA, and NATO. This makes the Russian breach particularly devastating, and it may be that the compromise was limited only by the capacity of the adversary to process pilfered data.

Fortunately, a number of cybersecurity provisions in this year’s National Defense Authorization Act (NDAA) will help address some of the factors that contributed to the success of the Russian hack. For example, Section 1705 of the NDAA grants DHS’ Cybersecurity and Infrastructure Security Agency (CISA) the authority to conduct threat hunting on federal networks, which would help to expedite remediation efforts while actively looking for vulnerabilities.

Another NDAA provision, Section 1715, establishes a joint cyber planning office in DHS to facilitate comprehensive planning of defensive cyber campaigns across the federal government. Such an office could have played a significant role in the response and remediation efforts following the SolarWinds breach.

The Biden administration should also fast-track the establishment of the national cyber director (NCD) position and supporting staff within the Executive Office of the President as one of the administration’s first actions upon taking office in January. Established by Section 1752 of the NDAA, the NCD will serve as the principal advisor to the president on cybersecurity matters and will lead the response efforts across the federal government to an incident such as this hack. The NCD will also oversee cybersecurity coordination with the private sector as well as state, local, territorial, and tribal governments to ensure the uniformity of the U.S. response in cyberspace.

Finally, with an NCD in office, the United States will be better positioned to assess the scope of a hacking campaign and rapidly attribute its source. The NCD will be able to coordinate with the National Security Council to send a clear response back to the foreign government involved that Washington will not tolerate such attacks.

Even though the U.S. presidential inauguration is still weeks away, the fallout from the Russian hacking campaign will undoubtedly be one of the first challenges that the Biden administration’s cyber team will need to tackle. It will likely also be left to the incoming administration to determine how to hold Russia to account for its actions. By appointing an NCD and strengthening CISA, the Biden administration can send a resolute message to Moscow that Washington is ready to fight back from more secure networks.

Mark Montgomery is senior director of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD), where Trevor Logan is a cyber research analyst. For more analysis from Mark, Trevor, and CCTI, please subscribe HERE. Follow Mark and Trevor on Twitter @MarkCMontgomery and @TrevorLoganFDD. Follow FDD on Twitter @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.


Cyber Russia