Ex-government officials urge US to take action to avoid another SolarWinds-style hack

The U.S. government requires dramatic updates to its current approach toward cybersecurity if Americans want to avoid the kind of cyber-espionage campaigns that have recently rocked the national security establishment, a panel of security practitioners told Congress Wednesday.  

During testimony in front of the House Homeland Security Committee, former top intelligence official Sue Gordon likened the state of data protection in the U.S. to the stock market crash of 1929, which triggered the Great Depression. The government responded to reckless behavior on Wall Street by creating oversight in the form of the U.S. Securities and Exchange Commission and requiring regular financial filings from publicly-listed companies.

Recent events in cyberspace — such as an alleged Russian espionage campaign involving the federal contractor SolarWinds and a Feb. 5 hack at a Florida water treatment facility — are proof that the U.S. faces a similar moment of reckoning in 2021, Gordon said. 

“We need to stop pretending like these attacks are beyond our ability to respond because they are happening digitally,” Gordon, the former principal executive of national intelligence, testified. She added that the government and corporate America remain isolated on the kinds of threats facing both sectors. 

“We have to change the incentive structure so that private companies that share information get something out of it, and the government can share information more usefully,” Gordon added. 

The hearing comes amid an ongoing investigation into how alleged Russian hackers used software from the federal contractor SolarWinds and other technologies as doorways into U.S. government networks. The incident, first publicized in December, involved breaches at the departments of Treasury, Justice, Homeland Security and the U.S. court system, along with a number of corporations.  

Anne Neuberger, who the White House recently named as a deputy national security adviser for cyber and emerging technology, will lead the U.S. response to the campaign, as the New York Times first reported.

Security researchers have since uncovered a range of hacking tools apparently leveraged in the spying effort, ranging from previously undocumented malicious code and breaching computers that demonstrated no previous sign of infection. Attackers also affected Microsoft and the security firms FireEye and Malwarebytes, among others. (The Russian government has denied involvement in the effort.)

“It will take months to fully understand the scope of the compromise and eradicate bad actors from our networks,” committee Chair Bennie Thompson, a Mississippi Democrat, said during the hearing. 

Chris Krebs, who served as the director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, on Wednesday also hinted at the complexity of the security threats against American systems when he suggested a disgruntled employee was “very likely” behind a breach at a Feb. 5 water treatment facility in Florida. While a federal investigation into the incident — in which an attacker attempted to change the level of sodium hydroxide to a dangerous level for consumption — remains ongoing, Krebs also said an attacker outside the U.S. may have been the culprit. 

“This is why we do investigations,” he said.