For years, US officials have warned about the dangers of cyberattacks involving the electronics supply chain. This week’s revelation that a growing number of US federal agencies were breached in a widespread attack by suspected Russian hackers shows how little they have followed their own advice.
Last year, for instance, the Cybersecurity and Infrastructure Security Agency, known as CISA, reported that federal agencies faced about 180 different threats from the digital supply chain, the hardware and software that goes into making up a computer network. CISA’s parent, the Department of Homeland Security, was among those agencies breached in the recent attack.
The attack involved code embedded in updates for widely used network-management software made by SolarWinds Corp, which provides administrators with tools to manage and update their computer networks. That has brought new superlatives to the discussion of supply-chain security. Lawmakers who received a classified briefing on the attack indicate that it is among the most serious in recent years. Senator Richard Blumenthal, the Connecticut Democrat, said in a tweet Tuesday that the briefing left him "deeply alarmed, in fact downright scared”. Dick Durbin, the Senate’s second highest-ranking Democrat, said on CNN Wednesday that the hack was "virtually a declaration of war”.
Despite those public pronouncements, a blistering report by a government watchdog that was completed in October and released Tuesday shows that the risks that led to these intrusions are far from new, and that US agencies have failed for years to implement recommended safeguards for their information technology supply chains.
Part of the problem: this issue is an IT department’s nightmare, and the interconnected nature of the global supply chain makes it nearly impossible to ensure that anyone’s doing it correctly.
The report, by the US Government Accountability Office, found that 14 out of the 23 surveyed federal agencies hadn’t implemented any of the "foundational practices” to protect their information and communications technology supply chains, and none of the agencies had implemented all of them. Those practices had been recommended in 2015 by the National Institute of Standards and Technology, and the following year, the Office of Management and Budget required the agencies to implement the changes.
The agencies that were surveyed included several – the departments of Commerce, Homeland Security, Treasury and State – that were breached as part of the recent attack, though the report doesn’t specific what particular agencies did – or didn’t do – with the recommendations.
"Supply chains are being targeted by increasingly sophisticated threat actors, including foreign cyber threat nations such as Russia, China, Iran and North Korea,” the report states. "Attacks by such entities are often especially sophisticated and difficult to detect.” The report warned of hackers inserting backdoors – methods used to get around normal security measures and gain access on a computer system – through the supply chain, and of the potentially dire consequences of a successful attack.
Hackers could "take control of federal information systems; decrease the availability of materials or services needed to develop systems; destroy systems, causing injury and loss of life, and compromising national security; or steal intellectual property and sensitive information”, the report says.
Representatives at GAO and OMB didn’t return messages seeking comment.
The report offers clues to a crucial question about the recent attack: how did the US government miss hackers in the computer networks of so many agencies?
Those hackers are believed to be tied to the Russian government, and their attacks have been described as highly sophisticated and difficult to detect. SolarWinds, whose customers include numerous US government agencies and Fortune 500 companies, said in a regulatory filing that about 18,000 customers downloaded the tampered software update.
It remains unclear what the hackers accessed, or how many agencies and other entities were successfully breached.
Because the supply chain for electronic components and software code is vast, closing any potential security holes can be among the most challenging assignments for large companies and government agencies, let alone for smaller organisations.
Software and firmware updates that are authenticated as legitimate and come directly from the company receive minimal scrutiny. They are routinely tested by IT departments to ensure compatibility with existing programs, not to look for backdoors.
For years, however, US intelligence agencies have used their own custom programs to look for malicious code embedded in such updates for military systems, and the government has tried standing up similar initiatives outside of the Department of Defense, according to one former National Security Agency official involved with the projects. The person requested anonymity to discuss classified intelligence programs.
The updates are installed on simulated computer networks and monitored for any unexpected attempts to connect to the internet, work that is partly a reflection of NSA’s knowledge of how it uses modified updates for intelligence gathering, the person said. But there are practical limitations of this approach outside of the intelligence community, including how long to look for suspicious activity. Some programs tested with civilian agencies monitored for a few hours or, at most, about a week, said the person.
The implant embedded in the malicious SolarWinds update stayed dormant for as many as two weeks before activating, according to an analysis from FireEye Inc, a cybersecurity firm that was also breached in the same global campaign that targeted US agencies.
The SolarWinds incident is far from the first supply-chain attack to surface publicly, but the scope of the attack and the level of access the hackers gained makes it especially damaging.
Part of the challenge in addressing supply-chain risks is the problem isn’t simply technical.
One example that national security officials cite often involves a "non-prosecution and security agreement” that the Department of Justice reached with a company called NetCracker Technology Corp in 2017. Like SolarWinds, NetCracker’s product helped organisations – including the Defense Department and telecommunications providers – map their networks and look for trouble spots, such as malfunctioning computers or outages.
With the help of a whistle-blower lawsuit, US investigators determined that NetCracker, which was working with the Defense Information Systems Agency, which oversees the Defense Department’s networks, violated the terms of its government contract by using programmers in Russia and Ukraine to customise and configure code for military projects and storing that code on servers in Moscow, which could potentially be accessed by the Russian government, according to the settlement.
The Pentagon removed NetCracker software from its networks in 2013 as a result of the violations. A representative from NetCracker, which is part of NEC Corp, a Japanese IT and electronics company, wasn’t immediately available for comment. – Bloomberg