At a glance.
- Congress overrides NDAA veto; cyber provisions feature prominently in the legislation.
- Cyberespionage: tactics and goals in the SolarWinds incident.
- CISA's guidance on Solorigate response.
NDAA passes, bringing cyber changes.
Last week Congress overrode a presidential veto of the National Defense Authorization Act, a first for the body, as Federal News Network reports. US President Trump had objected to the absence of Section 230 revisions, renaming of military bases, and roadblocks to his goal of returning troops from Berlin and Kabul.
C4ISRNET describes the Act as “a sweeping piece of national cyber legislation with major revisions to government bureaucracy and structure.” As we’ve seen, the NDAA directs the Defense Department to conduct a cyber mission force structure assessment, which will likely result in an increase in the force’s resources. A CyberCom purchasing cap is lifted, and reporting rules surrounding “sensitive military cyber operations” are revised to allow initiatives against non-state actors without Congressional oversight. Hunt-forward operations also apparently received a vote of confidence; the policy will be formalized with standardized roles and metrics.
The Wall Street Journal says Russia’s cyber operations have grown more sophisticated over the past decade as the country has shifted its attention from former Soviet states to Western targets. Estonia, Ukraine, and Georgia took early hits in the 2000s before France, Germany, and the US came under heavy fire. Cyber operations allow espionage and battlespace preparation on a budget, a necessity given that Moscow’s GDP is eclipsed by Rome’s. A Russian military journal published a fun fact at the turn of the decade: just 600 men and $100 million would be needed to achieve “complete destruction” of US (or Russian) “information infrastructures.” US warnings and sanctions have not curbed Russia’s cyber enthusiasm. As one Moscow scholar put it, “The Russian government says, ‘Yes we understand that you don’t like what we are doing, but we don’t really care.’”
US officials are still puzzling out Moscow’s motives for the latest operation, which at last count impacted roughly two hundred fifty organizations, according to the New York Times. Solorigate could be a straightforward espionage campaign, an attempt to backdoor critical infrastructure, or an effort to intimidate the next Administration. What is known is that NSA, DHS, and CyberCom intelligence and defenses were insufficient, and Washington failed to establish persuasive deterrents.
In mid-December, the US Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01, requiring federal agencies to mitigate Solorigate’s threat by disconnecting the compromised software, resetting credentials, and eliminating persistence mechanisms. At the end of the month, BleepingComputer reported CISA’s supplemental guidance to “update the SolarWinds Orion platform to the latest version” following NSA’s assurance that the update was secure.