Cybersecurity experts fear the SolarWinds hack laid the groundwork for a larger attack that the federal government is not prepared to handle.
After attackers exploited vulnerabilities in SolarWinds’ computer network management software to breach federal systems, a race began to fortify cyber defenses before additional attacks damage critical infrastructure and cause economic instability.
Some possible real-world effects of a large-scale hack include knocking people offline, disrupting the electric grid and blinding air traffic control, cybersecurity experts said.
Gilman Louie, CEO of cybersecurity company LookingGlass, said the SolarWinds hack was a wake-up call to government agencies and corporate networks, but the worst may be yet to come.
“SolarWinds was a terrible attack, but at the same time, most of us believe that’s a reconnaissance set of activities. Well, you only recon if you’re planning to do something or preparing to do something much worse,” Mr. Louie said. “So the fear is when’s the other shoe going to drop? There’s a race right now.”
SolarWinds still does not know when its systems were first breached, according to CEO Sudhakar Ramakrishna, despite news of the hack becoming public late last year. The U.S. government estimated 18,000 public- and private-sector customers were affected, including the Treasury Department, State Department and parts of the Pentagon.
Intelligence officials say they think Russia was behind the hack.
The government’s glaring cybersecurity vulnerabilities drew Mr. Louie to the operations side of LookingGlass last fall, rather than to a board seat or an investor role like the one he holds at the eponymous Alsop Louie venture capital firm. He previously worked at the intelligence community-funded In-Q-Tel.
LookingGlass, which touts the Cybersecurity and Infrastructure Security Agency and Department of Defense as users, is quickly adding cybersecurity professionals with federal government experience to its ranks as the SolarWinds hack fallout spreads.
William P. Crowell, a former U.S. National Security Agency deputy director in the Clinton administration, joined LookingGlass’ board last week and thinks the government misunderstands how adversaries use cyberattacks.
Mr. Crowell, who is also a partner at Alsop Louie, said most attacks that are both successful and stealthy hit the seams of computer networks because information technology security systems are incredibly fragmented.
“One of the things that we really have to pay attention to is what I call the security of the security systems — sometimes people who make security tools don’t spend as much time protecting their own tool as they should,” Mr. Crowell said. “We’re going to have to double down on how we test cybersecurity software and hardware because it’s part of the kill chain, it can be part of how a system gets attacked.”
SolarWinds has yet to uncover how its security tools failed, but it thinks the most likely answer is a zero-day attack, meaning a cyberattack that exploits a previously unknown vulnerability.
“Together with our third-party forensic investigators, we’re pursuing numerous theories but currently believe the most likely attack vectors came through a compromise of credentials and/or access through a third-party application via an at-the-time zero-day vulnerability,” Mr. Ramakrishna said last week. “Investigations are still ongoing and … our investigations will be ongoing for at least several more weeks, and possibly months.”
Some cybersecurity experts share a less grim view of the aftershocks of the SolarWinds fiasco.
David Evenden, a former NSA analyst, said the hackers would be foolish if they did not leverage the information they gained. Still, he doubted they would carry out a synchronized attack campaign against critical infrastructure and systems.
“At this point, unless they have organized boots on the ground to take over countries, the most valuable asset cyberattackers can gain access to is information, and I think they widely obtained that in this breach,” Mr. Evenden said. “In my opinion, if the access obtained is used in future campaigns they will likely be independent of one another, even if the operators on keyboards are the same people or part of the same organization.”
The cybersecurity problems facing the federal government and other critical networks have grown since the discovery of the SolarWinds hack, and President Biden has proposed to spend $9 billion on modernizing tech and cybersecurity in coronavirus relief legislation.
Mr. Louie said the $9 billion is a “necessary first step” but preventing nation-state adversaries from getting America’s keys to the kingdom will be far more expensive.