Today's D Brief: ‘Biggest breach in decades’; Lawmakers beg Trump to sign NDAA; Vaccine-notification snafu; Energy bans Chinese products; And a bit more.

“The biggest cybersecurity breach of federal networks in more than two decades.” That’s how the New York Times describes a massive cyber breach into U.S. public and private networks that now appears to have been made possible by more than just a trojanized software update from the Texas-based network management firm SolarWinds. That new twist comes from a critical update Thursday from the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency, which warned that “this threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations.”

Most worrisome: “CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform,” CISA announced Thursday. (Orion is SolarWinds’ network-monitoring platform; its legitimately signed software updates were tampered with to carry the attackers’ backdoor, which is why installing the update was enough to be compromised.) “It is likely that the adversary has additional initial access vectors and tactics, techniques, and procedures (TTPs) that have not yet been discovered.” Or, as David Sanger of the Times writes, “That suggests other software, also used by the government, has been infected and used for access by foreign spies.” Which means this could all get much messier and much more damaging.

Newly added to the list of known victims: The Energy Department, and the National Nuclear Security Administration, including “networks belonging to the Federal Energy Regulatory Commission (FERC), Sandia and Los Alamos national laboratories in New Mexico and Washington, the Office of Secure Transportation at NNSA, and the Richland Field Office of the DOE," Politico reported Thursday.

Worth emphasizing: “The hackers have been able to do more damage at FERC than the other agencies,” Politico writes, which is a particular concern because FERC oversees the reliability of the U.S. bulk electric grid. As for the Energy Department, an official there told the Times its “mission-essential national security functions” are not believed to have been affected by the breach.

The big picture, according to CISA: The U.S. is facing “an adversary who is skilled, stealthy with operational security, and is willing to expend significant resources to maintain covert presence.”

President Donald Trump was briefed on the intrusions Thursday, CNN reported, though it’s unclear if that was the first time or simply a follow-up. 

President-elect Biden shared his reaction in a statement Thursday (emphasis added): “My administration will make cybersecurity a top priority at every level of government,” he said after the CISA announcement. “But a good defense isn’t enough; we need to disrupt and deter our adversaries from undertaking significant cyber attacks in the first place. We will do that by, among other things, imposing substantial costs on those responsible for such malicious attacks, including in coordination with our allies and partners.”

But what are “substantial costs” in the cyber domain? The U.S., after all, has a very poor track record of understanding both disruption and deterrence, two fundamental aspects of information warfare in the 21st century, as we reviewed in our three-part podcast series last year.

Imposing such costs “is much easier said than done, even beyond the hypocrisy in punishing others for doing to us what we do to them,” former Defense Department lawyer Jack Goldsmith writes today in a blog post. 

“The main lawful options—economic sanctions, criminally charging and trying to arrest those involved, recruiting adversary hackers, and the like—have been tried for years in related contexts, and failed to stop the digital carnage. Anything more than these rather modest retaliatory steps threatens an escalatory response by the Russians that might leave the United States...This in a nutshell is why the Obama administration was so paralyzed in responding to various cyber intrusions.” More from Goldsmith, here.

One last thing: The Pentagon just abruptly stopped all transition coordination with the Biden administration, Axios reports today. The order comes from the Acting Defense Secretary Chris Miller, and it was issued Thursday evening, reportedly “shocking officials across the Defense Department.”

However, an unnamed defense official called it “a simple delay” because “DoD staff...were overwhelmed by the number of meetings." And that does sound plausible amid an unprecedented cyber breach and enormous pressure on the U.S. military to help distribute a coronavirus vaccine. More from Axios, here.


From Defense One

SolarWinds Isn't the Only Way Hackers Entered Networks, CISA Says // Aaron Boyd, Nextgov: The agency warned that ejecting attackers from networks will be tough, especially because they can likely read the email of IT and cybersecurity employees.

Amid Massive Hack, Lawmakers Urge Trump to Sign Defense Bill with New Cybersecurity Legislation // Patrick Tucker: As the government scrambles to understand the widening compromise, legislation to shore up the nation’s cyber defenses sits unsigned on the President’s desk.

If You Don’t Hire Robots to Attack Your Networks, You’re Not Doing Security Right // Jonathan Reiber: Complying with DoD’s new cybersecurity regulations requires hard data, the kind that pretty much requires automation to compile.

Global Business Brief // Marcus Weisgerber: Adios, 2020! Here are people, programs, and budgets to watch for in 2021...

Welcome to this Friday edition of The D Brief from Ben Watson with Bradley Peniston. Send us tips from your community right here. And if you’re not already subscribed to The D Brief, you can do that here. On this day in 1939, the first major air battle of the Second World War was fought over the North Sea: the Battle of the Heligoland Bight.


Many state governments are receiving fewer COVID-vaccine doses than they expected, thanks to a Pentagon notification system that hasn’t been updated in months, McClatchy reported Thursday. The system, called Tiberius, was created over the summer and seeded with notional — and, it turns out, quite optimistic — numbers. “The problem is that they kept those exercising and planning modules in there, and that’s what people were looking at as late as last week,” a federal official told McClatchy. Read on, here.
TSA leaders are pleading with local and airport health authorities for the vaccine because the agency was not prioritized by the White House’s Operation Warp Speed effort, the Washington Post reports. “The virus has taken a heavy toll on the agency, with more than 4,000 employees testing positive and more than 800 of its staff currently sick. Eleven employees have died.” More, here.
COVID, by the numbers: “At least 3,293 new coronavirus deaths and 238,189 new cases were reported in the United States on Dec. 17,” the New York Times reports. That brings the 7-day daily average to nearly 2,600 — which is one coronavirus-infected person dying every 33 seconds.

Cybersecurity-minded lawmakers pleaded with Trump to sign the NDAA, which would create a White House cyber director. In a Thursday interview, Sen. Angus King, I-Maine, and Rep. Mike Gallagher, R-Wis., called on the president to sign the fiscal 2021 National Defense Authorization Act now on his desk. (You can watch that interview here.) Notes Defense One’s Patrick Tucker: “The White House did have a cybersecurity coordinator, a role filled by former NSA hacker Rob Joyce, but former National Security Advisor John Bolton got rid of the position.” Read that, here.

If Trump vetoes the NDAA, the Senate may try to override it on Jan. 3, the top Republican on the Armed Services Committee told reporters Thursday. Trump has until Dec. 23 to veto the annual defense authorization bill, which would be a first for him.
Reminder: Trump has threatened to veto the bill because it: 

  • Allows the removal of Confederate officers’ names from 10 U.S. military bases. 
  • Limits his ability to remove U.S. forces from Afghanistan, Iraq, Germany, and Korea. 
  • Does not repeal an unrelated provision of law, Section 230 of the Communications Decency Act, which shields social media companies from liability for content their users post and protects the companies’ decisions to moderate it, e.g., by labeling or restricting Trump’s tweets when they mislead his audience intentionally or by accident.

Here’s Trump tweeting a preview of his NDAA veto on Thursday: “I will Veto the Defense Bill, which will make China very unhappy. They love it. Must have Section 230 termination, protect our National Monuments and allow for removal of military from far away, and very unappreciative, lands. Thank you!”

The U.S. military measured perceived racism and discrimination in the ranks, but is keeping the results secret. That’s what Reuters discovered after repeatedly requesting the latest data — from 2017 in a report titled the “Workplace and Equal Opportunity Survey of Active Duty Members” — via the Freedom of Information Act, and getting that request rejected.
Why reject the FOIA from Reuters? Because the survey data contains “information of a pre-decisional, deliberative nature,” Defense Department officials said, and added that they plan to send the data to Congress in the next several weeks; though they did not say why the data had not been sent yet.
The problem this presents now: That survey “data is already so old that the Pentagon is now in the awkward position of having to start planning for another survey in the ongoing 2021 fiscal year,” Reuters reports, “which ends on Sept. 30.” More here.

The Energy Department just banned certain Chinese-made products from use at “electric utilities that supply critical defense facilities,” Reuters reported Thursday, citing an order from Energy Secretary Dan Brouillette. “It was not immediately clear which defense sites were considered critical.” Tiny bit more, here.

North Korea may be making bomb parts in the outskirts of Pyongyang, researchers at the 38 North project suggest in a new report Reuters previewed ahead of its release today. 

Naval officials grilled on new sea-services strategy. On Thursday, flag officers took questions from reporters on the new tri-service strategy document. Reporters and analysts noted a lack of detail pertaining to the strategy’s newly aggressive stance on “day-to-day competition” as well as its intention to “carefully manage its resources.” Wrote Navy Times’ Geoff Ziezulewicz, “That aspiration sharply contrasts with the current state of the Navy’s surface fleet, which has seen record-breaking cruises and looming back-to-back deployments of two aircraft carriers this year, all in peacetime.” Read on, here.

And finally this week: More than 300 schoolboys were freed Thursday night after they were kidnapped in Nigeria last week by gunmen who claimed to be with the terrorist group Boko Haram, the Wall Street Journal reports. Unfortunately, “Many of the details around the kidnapping, in a remote agricultural area with poor communication, remain murky, including the total number of victims and the true identity of their captors.”
Like the Chibok girls kidnapping six years ago, these abductions triggered a wave of alarm across the region, “reignit[ing] fears over school security across the whole of Nigeria’s north. Boarding schools across four states have closed in response and it is unclear when they will open again.” More from the Journal, here.

Have a safe weekend, everyone. And we’ll see you again on Monday!