Cybersecurity

Microsoft breach ramps up pressure on Biden to tackle cyber vulnerabilities

The Biden administration is coming under increasing pressure to address U.S. cybersecurity vulnerabilities following the mass exploitation of flaws in Microsoft’s Exchange Server software, an incident that has quickly come to be viewed as a major threat to the U.S.

Officials are still trying to grasp the extent of the cyberattack more than two weeks after the U.S. tech giant disclosed the vulnerabilities and the attacks exploiting them.

Complicating matters is the fact that the breach comes as the administration continues to gauge the widening fallout of what has become known as the SolarWinds hack. The two incidents, likely linked to nation-state activity, are painting a grim picture of the cybersecurity threats facing U.S. businesses and the federal government.

“I am incredibly concerned that our infrastructure is at huge risk, and that is not just the technology, but the people who protect and defend the infrastructure,” said Theresa Payton, White House chief information officer during the George W. Bush administration, who is now CEO of the cybersecurity consultancy Fortalice.

U.S. intelligence agencies said in January that sophisticated Russian hackers were “likely” behind the attack on IT group SolarWinds, in which a malicious update to the company’s software was distributed to as many as 18,000 of its customers, giving the attackers a foothold in a subset of them over roughly a year, alongside other methods of gaining access.

A White House official said in February that nine federal agencies and 100 private sector groups had been compromised by the breach, with a high likelihood more would be found as the investigation continued.

But as the federal government was making headway in that investigation, Microsoft disclosed earlier this month that previously unknown vulnerabilities in its Exchange Server email software had been exploited by a state-sponsored Chinese hacking group to gain access to thousands of victim networks running the on-premises product.

The incident has only worsened in the weeks since. Microsoft warned in a blog post earlier this week that thousands of servers around the world had still not been patched, leaving prime targets for cyber criminals. Microsoft cited data on unpatched servers from RiskIQ, which tweeted that as of Sunday almost 70,000 servers remained vulnerable. Patching closes the vulnerabilities but does not remove anything an attacker installed before the patch was applied, so servers patched late also need to be checked for signs of compromise.

“While this began as a nation-state attack, the vulnerabilities are being exploited by other criminal organizations, including new ransomware attacks, with the potential for other malicious activities,” Microsoft wrote. “This is now what we consider a broad attack, and the severity of these exploits means protecting your systems is critical.”

The Trump administration took initial steps to address the SolarWinds incident when it was first discovered in December, setting up a “cyber unified coordination group” to respond to the breach, consisting of the FBI, the Office of the Director of National Intelligence, the National Security Agency and the Cybersecurity and Infrastructure Security Agency (CISA).

National security adviser Jake Sullivan announced last week the Biden administration had established a similar group to address the Microsoft vulnerabilities and noted that while he could not formally attribute the incident to China, the administration would come forward with an attribution in the future.

“It is still ongoing, in the sense that we are still gathering information,” Sullivan said of the Microsoft Exchange Server investigation. “We are still trying to determine the scope and scale. It is significant, but the precise number of systems that have been exposed by this vulnerability and have been exploited, either by nation-state threat actors or ransomware hackers or others — that is something that we are urgently working with the private sector to determine.”

CISA sent out an alert with the FBI last week warning that the Microsoft vulnerabilities presented a “serious risk” to both government and the private sector.

The government’s response to the other hack, against SolarWinds, could offer clues to how it may respond to the Microsoft one.

A senior administration official told reporters last week that a response to the likely Russian hackers who carried out the SolarWinds hack would come in “weeks, not months,” and that federal agencies were in the midst of carrying out a process to “eradicate” the hackers from their systems, set to wrap up at the end of March.

“In our review of what caused SolarWinds, we saw significant gaps in modernization and in technology of cybersecurity across the federal government,” the official said. “We will be rolling out technology to address the specific gaps we identified, beginning with the nine compromised agencies. We want to make the federal government a leader, not a laggard, in cybersecurity.”

For cybersecurity leaders on Capitol Hill and in the private sector, those kinds of actions underscore the contrast between the two administrations.

While the Trump administration took a number of steps to secure the nation against attacks, such as creating CISA and pushing back against malicious Chinese cyber activity, other decisions effectively pushed cybersecurity lower on the list of priorities.

The administration eliminated the White House cybersecurity coordinator position and merged the State Department’s cybersecurity office into another office, and then-President Trump fired CISA Director Christopher Krebs shortly before the SolarWinds hack was discovered, while other senior agency leaders were pressured to step down at the same time.

Rep. John Katko (R-N.Y.), the ranking member on the House Homeland Security Committee, which is investigating the SolarWinds hack alongside the House Oversight and Reform Committee, strongly urged President Biden last week to nominate a director for CISA in the face of the escalating cybersecurity threats.

“Now more than ever we need permanent political leadership at the helm of our nation’s lead federal cybersecurity agency,” Katko wrote in a letter to Biden.

Sen. Angus King (I-Maine), a leader on cybersecurity issues on Capitol Hill, said in a statement provided to The Hill that he was worried both incidents could be even more destructive than officials have acknowledged.

“One of the things that bothers me about the SolarWinds and the Exchange hacks is that they appear on the surface to be espionage — merely exfiltration of information,” King said. “But I’m nagged by the idea that all of the expertise and effort and time that went into these hacks, it strikes me as intuitively likely that there is more to be known about what they have done.”

Payton noted that in the face of these threats, the Biden administration had an opportunity to take the lead on cybersecurity and potentially establish more international cooperation to hit back against foreign nations that use cyberspace as an avenue of attack.

The U.S. took a step in that direction last week, with Sullivan announcing that the U.S., Japan, Australia and India would set up a cybersecurity-focused working group as a way to address cyberattacks against all four nations.

“The Trump administration was far more focused on supply chain threats from China, and maybe missed an opportunity,” Payton said. “The Biden administration does have an opportunity to focus on supply chain threats and international cooperation, and hopefully this will be the United States’ moment.”