- The SolarWinds hack compromised at least nine federal agencies and 100 private sector companies, said Deputy National Security Advisor Anne Neuberger during a White House press briefing Wednesday on the ongoing investigation.
- "As a country, we choose to have both privacy and security," which limits the government's visibility into private sector networks, she said. The SolarWinds attack took place in the U.S. and the lack of visibility makes it difficult for U.S. intelligence to observe the foreign adversarial activity. "Even within federal networks, culture, and authorities inhibit visibility, which is something we need to address," said Neuberger.
- The scope of the attack, across sectors, indicates it's "more than an isolated case of espionage," she said. "It's fundamentally of concern for the ability for this to become disruptive."
The SolarWinds hack accelerated public and private collaboration. However, "there are legal barriers and disincentives to the private sector sharing information with the government, that is something we need to overcome," said Neuberger.
The White House tapped Neuberger earlier this month to lead the Biden administration's response to the SolarWinds supply chain attack. Her leadership in the investigation comes as the White House has yet to name a national cyber director.
The investigation is expected to take months, though Neuberger didn't rule out a longer timeframe. "It's wise when planning in cybersecurity to consider the worst case, particularly when you're dealing with such a sophisticated attacker."
Neuberger did not provide an estimated cost of recovery, though part of the expenses will come down to improving visibility. The Biden administration has proposed $9 billion for the Technology Modernization Fund, directed partially toward the Cybersecurity & Information Security Agency (CISA) and the General Services Administration (GSA) shared services initiative. Another $690 million is dedicated to support CISA's piloting of "new shared security and cloud computing services."
Neuberger outlined three response priorities:
- Attributing the attack and "expelling" the adversary
- Using the Biden administration's Build Back Better plan for modernizing federal defenses
- Considering responsive actions to the perpetrators
Expelling the actors behind the attack will take coordination between agencies and President Joe Biden's National Security Council. The modernization will be outlined in an upcoming executive order with "likely eight" things to address security gaps highlighted by the SolarWinds hack, said Neuberger.
The "likely" Russian actors behind the attack are believed to have taken "months to plan and execute this compromise. It'll take us some time to uncover this layer by layer," she said.
This isn't the first time Russia-based actors launched cyberattacks on the U.S. or its allies, most notably the attack on the Democratic National Committee in 2016. There were at least two Russia-based groups working on the DNC hack but in separate operations. Because of the continuation of Russian cyber activity, the White House is "considering holistically what those activities were" before it finalizes its response and repercussions, said Neuberger.
The anonymity of cyberattacks, and a reluctance to attribute attacks, has shielded cybercriminals from law enforcement. To mitigate future attacks, the Cyberspace Solarium Commission (CSC) calls for "defending forward" as the next frontier of cybersecurity.
Defending forward is a security practice aimed at reducing the frequency and severity of attacks, including imposing harsher penalties and operational disruption shy of kinetic conflict. The concept is meant to deescalate cyber incidents before reaching retaliatory measures.