Published by The Lawfare Institute in Cooperation With
The SolarWinds hack exposed shortcomings in the U.S. government’s capacity to respond to cyberattacks. In a hard-hitting, far-reaching, and nearly undetectable attack, the perpetrators behind the SolarWinds intrusion secretly inserted malicious code into a software update and subsequently programmed it to appear legitimate. Among the victims were critical government agencies at the state, local, and federal levels, in addition to major private companies such as Microsoft.
Crucially, the incident went undetected for months, and federal agencies became aware only when the private threat intelligence company FireEye revealed it had also been targeted. FireEye’s analysis of the events began to reveal the extent of the attack, but details continue to emerge over a month after the incident. The federal government has scrambled to determine the scope and scale of the incident. Remediation efforts will likely take months, and the true impact of the intrusion may not be known for years as the intelligence community continues to assess what information the perpetrators were able to glean and what they intend to do with it.
The federal government, especially on the civilian side, is currently under-resourced and overwhelmed, which limits its ability to detect and mitigate cyberattacks. Although federal cybersecurity leaders are focused on remediating the current crisis, additional steps must be taken to overcome systemic barriers to adequate detection and response efforts and to better secure the U.S. government in cyberspace. Specifically, a “cyber state of distress” is needed.
In theory, the Federal Emergency Management Agency (FEMA) has mechanisms for providing aid and recovery assistance in response to a cyber incident that approaches the level of a natural disaster, but to date, no cyber incident—including SolarWinds—has crossed that threshold. Additionally, the mechanisms for cyber incident response, outlined under Presidential Policy Directive 41, fail to give federal agencies the authority, funding or resources needed to assist non-federal entities in the event of a significant cyber incident.
The Department of Homeland Security, in particular, has a critical role in securing the United States in cyberspace, as the department is responsible for developing and overseeing the implementation of all federal agency information security policies and practices (44 U.S.C. § 3553). Additionally, Section 1705 of the National Defense Authorization Act for Fiscal Year 2021 specifies that the secretary of homeland security is responsible for identifying threats and vulnerabilities within federal information systems and for providing services, functions, and capabilities to assist any agency with information security protection. The secretary is also responsible for maintaining secure technology tools and platforms to help agencies with their information security functions. However, the mandate alone is insufficient, and the Department of Homeland Security lacks the capacity to fulfill its mission to respond to and recover from cyber incidents.
To address these structural shortcomings, the March 2020 Cyberspace Solarium Commission report presented numerous recommendations for the U.S. government to ameliorate this gap in cyberspace. The most relevant among these is the recommendation for Congress to establish the authority for the secretary of homeland security to declare a “cyber state of distress.” The declaration would trigger the availability of additional resources through an associated “cyber response and recovery fund.” This fund would be used to assist state, local, tribal and territorial (SLTT) governments and the private sector in responding to incidents that fall below the level of a FEMA-covered disaster but are more exigent than would be covered by current non-emergency technical assistance and cyber incident response programs.
Specifically, these funds would not be used for direct financial assistance to affected entities but, rather, would be used to scale up or augment the capabilities of federal civilian authorities to provide technical assistance and incident response. The Cyberspace Solarium Commission report further specifies that the funds provided through triggering the recovery fund could include enabling standby contracts with private-sector cybersecurity services or incident responders, as well as funding Department of Defense personnel providing defense support of civil authorities.
In practice, federal leaders could invoke a cyber state of distress either in response to a cyber event or in preparation for a cyber incident whose significance is above “routine.” Specifically, this would refer to a single incident or group of related cyber incidents that are “likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.” Another major consideration when preparing to make the declaration should be whether the incident exceeds the capacity of civil authorities to provide effective assistance to the private sector and SLTT governments in preparation, response or recovery efforts.
SolarWinds is one example of what would be considered a “significant cyber incident,” but there are prior examples that would have fallen within the threshold. Consider the 2017 NotPetya malware attacks. Within hours of the malware’s first appearance in Ukraine, it spread rapidly to machines across the world, from hospitals in Pennsylvania to a chocolate factory in Tasmania. NotPetya also severely crippled several major multinational companies, including the integrated shipping company Maersk, pharmaceutical company Merck and FedEx’s European subsidiary TNT Express. Following the attacks, former Homeland Security adviser Tom Bossert estimated that the NotPetya malware attacks resulted in more than $10 billion in damages. Beyond the monetary damages, however, NotPetya wiped away critical documents, sabotaged records, and created widespread panic in just a few hours.
The new Office of the National Cyber Director is an important step in the right direction for the country, as the national cyber director will both ensure that cybersecurity receives much-needed policy attention and facilitate greater coordination among departments and agencies. However, as the United States has become more technologically advanced and the critical infrastructure that supports the country’s national security has come under increasing risk of cyberattacks, the federal government must ensure that the authorities to conduct incident response and mitigation activities are matched with the capability to complete the mission. The ability to declare a cyber state of distress and activate the cyber response and recovery fund would help increase the capacity of federal civilian authorities to support critical infrastructure in response and recovery efforts. Additionally, the declaration of a state of distress would invoke current authority that establishes the secretary of homeland security as the principal federal officer responsible for coordinating the incident response, recovery and management efforts. Ensuring that the United States has the operational capacity to respond to and recover from significant cyber incidents will help promote national cyber resilience and decrease the likelihood that cyber incidents have severe, cascading, and ongoing effects on national security, the economy, and public health and safety.
SolarWinds, though severe, is but one of the cyber threats the United States must contend with in the coming days, months and years. The United States requires sufficient national capacity and preparedness to both respond to and recover from the next malicious cyberattack. Establishing a cyber state of distress is critical to providing the flexibility the U.S. government needs to achieve resilience and security.