CISA is playing a central role in the response to the attacks, the existence of which first became publicly known Sunday. As the investigation got underway, CISA’s efforts yielded perhaps inevitable criticism from within the government about its speed in deploying incident response teams to help other agencies identify and contain any intrusions.
There is “massive frustration with CISA on a sluggish response to agency breaches,” said the first U.S. official.
Cybersecurity professionals have consistently warned that CISA — a two-year-old agency tasked with defending civilian federal networks from hackers, assisting agencies in recovering from breaches, and helping to defend critical infrastructure such as power plants and election systems — lacks enough personnel and resources to effectively fight massive digital fires inside the government. Only a small portion of the agency’s roughly 2,200 employees are tasked with that work.
“They are overwhelmed,” the U.S. official said.
CISA rejected the criticism.
“That’s inaccurate,” spokesperson Sara Sendek said, adding that the agency is confident that it has enough personnel to handle a potential surge in agencies reporting breaches. “CISA has been providing support and assistance to all of our federal partners who have requested it. There has been no delay in responding to any request.”
But a CISA employee, who spoke anonymously because they were not authorized to talk to reporters, acknowledged that the scope of the crisis could overtake the agency.
“We’re doing OK right now,” this person said, but “that seems likely to change. … Many agencies don’t know how on fire they are yet.”
The U.S. official said that CISA’s incident responders, who swoop into agencies to help them understand and mitigate breaches, were “too few.”
CISA’s incident response teams, including private contractors, are not as large as many people might assume, according to the CISA employee. “NSA we aren’t,” this person said, referring to the spy agency’s massive workforce.
Exactly how much the leadership void at CISA has affected its response remains unclear.
Krebs tweeted Sunday that he had “the utmost confidence” in his former employees, who “know how to do this.”
But some lawmakers are still worried.
“The firing of the extremely capable director of CISA in the middle of this moment of vulnerability, it undermines national security,” said Sen. Angus King (I-Maine), who co-chaired a congressionally chartered commission that recommended sweeping changes to the government’s cyber activities.
The attacks appear to have originated with a compromise of an IT vendor whose products are widely used across the federal government, raising new fears about the systemic risk posed by the government’s supply chain.
Investigators believe that the hackers added malicious code to software updates for an IT product used across the federal government, used that code to pry open doors into agency networks and then used a sophisticated technique to access federal workers’ emails.
Although the investigations remain in the very early stages, the breaches appear to have begun between March and June, when the hackers compromised the software company SolarWinds, which sells IT management products to hundreds of government and private-sector clients, including federal agencies and Fortune 500 companies.
By infecting the software updates that SolarWinds distributed to users of its Orion IT monitoring system, the hackers gained a foothold in those users’ networks. From there, they appear to have broken into victims’ Microsoft email servers by forging the authentication tokens that tell the system who should be granted access.
Late Sunday night, CISA issued a rare emergency directive ordering agencies to immediately disconnect all SolarWinds products from their networks.
SolarWinds believes that fewer than 18,000 of the 33,000 organizations that were eligible to receive Orion software updates during the relevant time period actually received the infected code, the company said Monday in a Securities and Exchange Commission filing. The company added that it planned to distribute a fix “on or prior to” Tuesday.
Orion products accounted for roughly 45 percent of SolarWinds’ total revenue during the first three quarters of 2020, the company said.
The manner in which the hackers breached government agencies by compromising a vendor in their supply chain is reminiscent of a global malware outbreak in 2017, known as NotPetya, the largest and most destructive digital attack in history. That incident began when Russian hackers infected the software updates of the Ukrainian tax software maker M.E.Doc. Security researchers believe that the Russians only intended to spy on certain Ukrainian targets, but the NotPetya malware quickly spread around the world, causing as much as $10 billion in damage for victims that included the shipping giant Maersk and the pharmaceutical titan Merck.
Security professionals do not expect a repeat of NotPetya this time. Everything about the recent breaches indicates an espionage operation rather than a destructive rampage, they said, and intelligence collection requires individual attention that even Moscow cannot apply to all of the hundreds of potentially compromised SolarWinds clients.
“No adversary has enough human resources to effectively exploit every potential victim,” tweeted Dmitri Alperovitch, the co-founder of the security firm CrowdStrike. “They pretty much HAVE to focus on those they care most about.”
Even so, companies in critical infrastructure sectors have begun assessing their systems to see if they, too, were affected. Executives in the electric power sector held a “situational awareness call” on Monday, and the Department of Health and Human Services held a conference call Monday afternoon with health care organizations to explain the SolarWinds vulnerability, according to an invitation seen by POLITICO.
Even after SolarWinds clients close that door by disconnecting or patching the compromised Orion software, they will still need to check their systems for signs that the hackers got inside.
“These organizations are still going to have an uphill battle getting this actor out of their networks,” said John Hultquist, senior director of intelligence analysis at FireEye. “It won’t be easy.”
The first U.S. official agreed. “We are in very, very early days,” they said, “and there’s a sense that … the news is going to get worse.”
Daniel Lippman and Martin Matishak contributed to this report.