Global incident response is underway in the aftermath of cyberattacks from the SolarWinds supply chain breach and Microsoft Exchange Server Zero-Days.
And it's always interesting to see what organizations, cybersecurity professionals, and governments are saying about these developing situations.
In all the noise, it was easy to miss a very intriguing "background briefing" from the White House a few days ago. In journalism, if something is "on background," it means you can use the information from the briefing but cannot attribute it to a specific person. That is the case in this situation.
The unnamed "Senior Administration Official" made some very intriguing statements about what has happened with the SolarWinds and Microsoft Exchange attacks and about what is going to happen in the near future. Let's take a look:
1. The incident response for SolarWinds:
"First, finding and expelling the adversary. We're in week three of a four-week remediation across the federal government. The compromised agencies all were tasked to do a particular set of activities and then were tasked to have an independent review of their work to ensure that we felt confident the adversary had been eradicated.
Most of the agencies have completed that independent review. For those who have not yet, they will complete it by the end of March."
2. What the U.S. government has learned from the SolarWinds attack:
"We've had regular Deputies meetings here at the White House on this topic—deputy heads of agencies, particularly the nine compromised agencies—and we've discussed the methodology throughout. In fact, we standardized the methodology for incident response based upon this. And we also made a decision on the key pieces of part two, which is 'Building Back Better to Modernize Federal Defenses.'"
3. Visibility is a U.S. government problem:
"As we talked about during a press event a number of weeks ago, we cannot defend a network if we can't see a network. And in our review of what caused SolarWinds, we saw significant gaps in modernization and in technology of cybersecurity across the federal government.
So we will be rolling out technology to address the specific gaps we identified, beginning with the nine compromised agencies. We want to make the federal government a leader, not a laggard, in cybersecurity. And we know we need to be able to defend against the adversaries who pursue the nation's diplomatic, law enforcement, and health efforts.
We also learned key lessons regarding visibility and market. Today, the cost of insecure technology is borne at the end: by incidence response and cleanup. And we really believe it will cost us a lot less if we build it right at the outset."
4. There are real-life analogies to what the U.S. government wants to achieve in cybersecurity and IoT security:
"I give two exemplars to help characterize what we want to do here. One is: Mayor Bloomberg, a number of years ago, when he wanted to address restaurant sanitation, he realized, you know, the health department kept rating restaurants, and it just wasn't changing anything. So he required restaurants to put a simple rating—A, B, C, D—in their front window to make a market—to make a market around health and sanitation.
And we're looking to do a very similar thing with cyber and the cybersecurity of software companies we buy software from.
And then, similarly, Singapore has an interesting model where they provide cybersecurity standards for different Internet of Things devices, like baby monitors, so that moms who want to buy secure products have a really easy way to put their money on it. And we don't have that in the U.S. today; we don't have that transparency so that people can make a market for cybersecurity.
There will be ideas coming in both of those in an executive action in the next couple of weeks—or in the next few weeks."
5. There will be a federal response to the SolarWinds supply chain attack:
"Finally, the third part of what we're doing about it is responding to the perpetrators of the attack. You can expect further announcements on that in weeks, not months."
6. Here's what the government thinks hackers are doing right now, following news of the Microsoft Exchange vulnerabilities and subsequent patch:
"As you all know, when any critical patch is released, criminal actors immediately begin to reverse-engineer it so they can exploit the underlying vulnerabilities. We're always in that race. Once they do, they'll be able to copy the attack to deploy ransomware and other potential disruptive attacks on an unpatched server. We really have a short window to get vulnerable servers patched, measured in hours, not days."
7. Visibility problems in the U.S. government strike again:
"From a 'them' and 'us' perspective, 'them': Yes, they appear to be sophisticated and capable. But they took advantages of weaknesses that were in that software from its creation. As we talked about a moment ago, insecure software and hardware is a key challenge we face.
And then, on our end: First, lack of domestic visibility. The U.S. government largely does not have visibility into U.S. infrastructure. And many of these actors operate out of U.S. infrastructure. And as we talked about, the 'us' part of really needing to start prioritizing security in the way we build and buy software; we can do innovation and security."
8. Instead of more government agencies, strong public-private partnerships are needed with the security industry:
"We believe the model for the U.S. government in addressing cybersecurity issues involves working closely with the private sector. We're not looking at additional authorities for any government agencies to do additional monitoring within the U.S. at this time.
We are focused on tightening the partnership between the U.S. government and the private sector, who does have visibility into the domestic industry and into private sector networks, to ensure we can rapidly share threat information and we can address the liability barriers and disincentives that disincentivize U.S. companies from both addressing some of these issues and rapidly sharing information when there are incidents."
9. The Microsoft Exchange attack incident response involves an apparent "first of its kind" effort:
"We've stood up a Unified Coordination Group, and we've done something totally different this time. Under the authority under which the Unified Coordination Group is stood up, it allows for private-sector participation.
For the first time, we've invited private-sector companies to participate in the Unified Coordination Group because we still believe that public-private partnership is foundational in cybersecurity, and we want to ensure we're taking every opportunity to include key private sector participants early and directly in our remediation efforts."
10. The response to these incidents is really a test of "response at scale," according to the senior administration official:
"And then, finally, I'm just struck by the professionalism of so many of the CIOs and CISOs, and other more technical parts of the federal government I've had the privilege of speaking with over the last few weeks. And I'm struck by the cooperative spirit of the private sector. No kidding.
These have been some really busy weeks to our industry, and I want to compliment so many of these companies who've taken time to jump on calls with us over the weekend, jump on calls to share their insights, to think creatively of how we can do defense at scale, and really think about how we move to a place where the kind of incidents we're talking about here, and the scope and scale of those incidents, become a thing of the past."
There is little doubt about that last statement because we've seen it ourselves: security leaders, security professionals, and security companies are willing to unite against a common enemy in urgent situations.
Situations like the Microsoft Exchange vulnerabilities and the SolarWinds supply chain attack.