The SolarWinds cyberattack about two years ago represented a new level of hacking sophistication, highlighting the need for the government and private sector to work together to bolster the country’s online resilience, America’s top cyber defense official said Wednesday.
In a panel discussion at the RSA conference, CISA Director Jen Easterly noted the attack, which allowed Russian hackers to insert malicious code throughout US IT, was discovered by the private sector cybersecurity company then known as FireEye, not the government. CISA is the Cybersecurity and Infrastructure Security Agency, the federal agency responsible for protecting the country against cyber threats.
“We certainly can’t do it alone,” Easterly said. “Quite frankly, given that most infrastructure is owned by the private sector … technology companies will see threats before the government does.”
The SolarWinds attack, which US intelligence agencies say likely originated in Russia, was discovered near the end of 2020 but is thought to have started at least as early as March of that year. Hackers penetrated systems at IT software provider SolarWinds and inserted malicious software into an update to the company’s popular Orion products.
Thousands of SolarWinds customers then installed the tainted update, giving the hackers the ability to access their systems. Federal agencies, major tech companies and hospitals were among the targeted organizations, though SolarWinds maintains only a few of those affected actually suffered any harm. The Russian government has denied involvement in the attack.
Sudhakar Ramakrishna, who was named CEO before the hack was discovered but didn’t start in that role until afterward, said the company’s response to the “incredibly sophisticated and incredibly novel” attack was unusual because the company emphasized transparency. It hit the ground right away, constantly collaborating with investigators and the government and communicating with its customers and employees.
He added that no silver bullets exist to address this type of attack but it did provide an opportunity to learn about how to improve security and better respond if something like this ever were to happen again.
Easterly said she thinks the biggest lesson of SolarWinds is that cybersecurity needs to be made a national priority, which is something she says she’s.
“We also have to be able to communicate it in a way that people understand what they need to do to keep themselves safe,” she said, adding that sometimes the tech industry isn’t very good at the communication part.