The Biden administration is grappling with two major cyber incidents in its first 50 days in office, underscoring the challenge the new White House faces from foreign actors.
Russia and China are suspected in the two incidents, which may have compromised thousands of federal, state and private groups for long periods of time before discovery. The effect has been to move cybersecurity up the list of the administration’s priorities.
“If they had thought they weren’t going to do it, I think that option has been removed, I think they have to prioritize cybersecurity,” Mark Montgomery, senior fellow at the Foundation for Defense of Democracies, told The Hill on Monday.
The first compromise, which has become known as the SolarWinds hack, involved what U.S. intelligence agencies have described as “likely” sophisticated Russian hackers exploiting software from IT group SolarWinds to breach at least nine federal agencies and 100 private sector groups. The hack was revealed in December while former President Trump was in office.
The second compromise was announced last week by Microsoft, which said a Chinese state-sponsored hacking group had exploited previously unknown vulnerabilities in its Exchange Server email application. Thousands of groups were potentially compromised as early as January, including U.S. local governments and private sector groups.
The full scope of both incidents remains unclear, particularly with regard to the Microsoft vulnerabilities, which The Wall Street Journal reported earlier this week may have compromised up to 250,000 Microsoft customers.
Ben Read, the director of analysis at FireEye’s Mandiant Threat Intelligence, told The Hill that his company was seeing “a lot of instances” of the Microsoft vulnerabilities being exploited, and noted the difficulty the government faces in responding to this many potential compromises.
“It’s a very hard problem anytime you have to respond to tens of thousands of distinct incidents,” Read said. “A problem like this is difficult, but I have seen continued work and engagement, and it has been a priority for the administration and the government in general.”
White House press secretary Jen Psaki has repeatedly told reporters that the administration will respond in “weeks, not months” in pushing back against Russia for the SolarWinds hack.
The New York Times reported earlier this week that this response will kick off over the next few weeks, with the U.S. launching a series of “clandestine” actions against Russia, along with imposing sanctions and Biden signing an executive order to bolster federal cybersecurity.
While the administration has had weeks to formulate a response to Russia, the investigation into the Chinese exploitation of Microsoft vulnerabilities is just beginning.
The White House National Security Council put out a tweet last week strongly encouraging groups running Microsoft Exchange Server to “take immediate measures to determine if they were already targeted.”
The warning came days after the Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to investigate for compromise and immediately implement a patch against the vulnerabilities.
In addition, The Washington Post reported that federal officials would meet this week to discuss establishing a “cyber unified coordination group” to respond to the Microsoft incident, which would be similar to a group established in December to respond to the Russian activity.
The White House did not respond to The Hill’s request for comment on these actions.
Biden is facing the new challenges with key posts in his administration open.
The president appointed former National Security Agency cyber lead Anne Neuberger to serve as deputy national security advisor for cyber and emerging technology, but he had not yet formally nominated individuals to serve as White House cyber czar, a position recently established by the annual defense funding bill, or to lead CISA.
“The recent cybersecurity breaches underscore the immediate need to bolster our defenses,” Rep. Jim Langevin (D-R.I.), a key leader in the push to establish the cyber czar position, told The Hill on Monday. “The Biden administration is certainly placing an emphasis on the issue … however, the president needs to appoint a National Cyber Director as soon as possible to lead strategy implementation and ensure a whole-of-government response to significant cyber incidents.”
Michael Daniel, who served as White House cybersecurity coordinator during the Obama administration, stressed that filling these roles was essential to preventing these types of breaches.
“There is no substitute for getting people into jobs who develop policy proposals and then implementing those ideas,” Daniel, who currently serves as president and CEO of the Cyber Threat Alliance, told The Hill. “The administration deserves credit for prioritizing filling cybersecurity positions, but it needs to press forward with filling the remaining positions as expeditiously as possible.”
In addition to leadership concerns, a spokesperson for House Homeland Security Committee ranking member John Katko (R-N.Y.) told The Hill that Katko was pushing the Biden administration to be “more transparent and over communicate the actions they are taking and why with Congress and the American people” on cybersecurity.
The cybersecurity incidents also come as Biden is working to establish his own foreign policy goals and relationships, including balancing holding nations such as Russia and China accountable for their actions with working collaboratively when possible.
As Biden continues to form his foreign policy objectives, leaders are calling on him to integrate cybersecurity as a major priority in the face of the new foreign malicious activity.
“We need to have some common standards or ‘rules of the road’ when it comes to cyber,” Senate Intelligence Committee Chairman Mark Warner (D-Va.) tweeted Monday. “And we need to be able to warn our adversaries that if you violate them, there will be consequences. Period.”
Daniel urged the administration to take “calculated risks” early in responding to the attacks.
“You cannot separate activity in cyberspace from its overall geopolitical context,” Daniel said. “Therefore, in addressing the threats from foreign nations in cyberspace, the administration needs to include those threats in its overall assessment of the situation with a given country and then incorporate any responses to the cyber activity into the overall engagement with that country.”
Montgomery noted that responding to foreign cyber threats would take a combination of public-private partnerships and “defending forward,” such as through sanctions and military activities.
“Neither one of them work alone, but hopefully together, they can create a more effective defense, and a more secure environment,” Montgomery said.