Today's D Brief: ‘Biggest breach in decades’; Lawmakers beg Trump to sign NDAA; Vaccine-notification snafu; Energy bans Chinese products; And a bit more.

“The biggest cybersecurity breach of federal networks in more than two decades.” That’s how the New York Times describes a massive cyber breach into U.S. public and private networks that now appears to have been made possible by more than just a vulnerable update server from the Texas-based network management firm, SolarWinds. That new twist comes from a critical update Thursday from the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency that warned “this threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations.”

Most worrisome: “CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform,” CISA announced Thursday, with “Orion” referring to the problematic update server. “It is likely that the adversary has additional initial access vectors and tactics, techniques, and procedures (TTPs) that have not yet been discovered.” Or, as David Sanger of the Times writes, “That suggests other software, also used by the government, has been infected and used for access by foreign spies.” Which means this could all get much messier and much more damaging. 

Newly added to the list of known victims: The Energy Department, and the National Nuclear Security Administration, including “networks belonging to the Federal Energy Regulatory Commission (FERC), Sandia and Los Alamos national laboratories in New Mexico and Washington, the Office of Secure Transportation at NNSA, and the Richland Field Office of the DOE,” Politico reported Thursday.

Worth emphasizing: “The hackers have been able to do more damage at FERC than the other agencies,” Politico writes, and that could be an effort to disrupt the U.S. electric grid. As far as the Energy Department, an official there told the Times its “mission-essential national security functions” are not believed to have been affected by the breach.

The big picture, according to CISA: The U.S. is facing “an adversary who is skilled, stealthy with operational security, and is willing to expend significant resources to maintain covert presence.”

President Donald Trump was briefed on the intrusions Thursday, CNN reported, though it’s unclear if that was the first time or simply a follow-up. 

President-elect Biden shared his reaction in a statement Thursday (emphasis added): “My administration will make cybersecurity a top priority at every level of government,” he said after the CISA announcement. “But a good defense isn’t enough; we need to disrupt and deter our adversaries from undertaking significant cyber attacks in the first place. We will do that by, among other things, imposing substantial costs on those responsible for such malicious attacks, including in coordination with our allies and partners.”

But what are “substantial costs” in the cyber domain? The U.S., after all, has a very poor track record of understanding both of those fundamental aspects of information warfare in the 21st century, as we reviewed in our three-part podcast series last year.

Imposing such costs “is much easier said than done, even beyond the hypocrisy in punishing others for doing to us what we do to them,” former Defense Department lawyer Jack Goldsmith writes today in a blog post. 

“The main lawful options—economic sanctions, criminally charging and trying to arrest those involved, recruiting adversary hackers, and the like—have been tried for years in related contexts, and failed to stop the digital carnage. Anything more than these rather modest retaliatory steps threatens an escalatory response by the Russians that might leave the United States...This in a nutshell is why the Obama administration was so paralyzed in responding to various cyber intrusions.” More from Goldsmith, here.

One last thing: The Pentagon just abruptly stopped all transition coordination with the Biden administration, Axios reports today. The order comes from the Acting Defense Secretary Chris Miller, and it was issued Thursday evening, reportedly “shocking officials across the Defense Department.”

However, an unnamed defense official called it “a simple delay” because “DoD staff...were overwhelmed by the number of meetings.” And that definitely sounds plausible amid an unprecedented cyber breach and enormous pressure for the U.S. military to help distribute a coronavirus vaccine. More from Axios, here.


From Defense One

SolarWinds Isn't the Only Way Hackers Entered Networks, CISA Says // Aaron Boyd, Nextgov: The agency warned that ejecting attackers from networks will be tough, especially because they can likely read the email of IT and cybersecurity employees.

Amid Massive Hack, Lawmakers Urge Trump to Sign Defense Bill with New Cybersecurity Legislation // Patrick Tucker: As the government scrambles to understand the widening compromise, legislation to shore up the nation’s cyber defenses sits unsigned on the President’s desk.

If You Don’t Hire Robots to Attack Your Networks, You’re Not Doing Security Right // Jonathan Reiber: Complying with DoD’s new cybersecurity regulations requires hard data, the kind that pretty much requires automation to compile.

Global Business Brief // Marcus Weisgerber: Adios, 2020! Here are people, programs, and budgets to watch for in 2021...

Welcome to this Friday edition of The D Brief from Ben Watson with Bradley Peniston. Send us tips from your community right here. And if you’re not already subscribed to The D Brief, you can do that here. On this day in 1939, the first air-to-air engagement of the Second World War began near the North Sea with the Battle of the Heligoland Bight.


Many state governments are receiving fewer COVID-vaccine doses than they expected, thanks to a Pentagon notification system that hasn’t been updated in months, McClatchy reported Thursday. The system, called Tiberius, was created over the summer and seeded with notional — and, it turns out, quite optimistic — numbers. “The problem is that they kept those exercising and planning modules in there, and that’s what people were looking at as late as last week,” a federal official told McClatchy. Read on, here.
TSA leaders are pleading with local and airport health authorities for the vaccine because the agency was not prioritized by the White House’s Operation Warp Speed effort, the Washington Post reports. “The virus has taken a heavy toll on the agency, with more than 4,000 employees testing positive and more than 800 of its staff currently sick. Eleven employees have died.” More, here.
COVID, by the numbers: “At least 3,293 new coronavirus deaths and 238,189 new cases were reported in the United States on Dec. 17,” the New York Times reports. That brings the 7-day daily average to nearly 2,600 — which is one coronavirus-infected person dying every 33 seconds.

Cybersecurity-minded lawmakers pleaded with Trump to sign the NDAA, which would create a White House cyber director. In a Thursday interview, Sen. Angus King, I-Maine, and Rep. Mike Gallagher, R-Wisc., called on the president to sign the 2022 Defense Authorization Act now on his desk. (You can watch that interview here.) Notes Defense One’s Patrick Tucker: “The White House did have a cybersecurity coordinator, a role filled by former NSA hacker Rob Joyce, but former National Security Advisor John Bolton got rid of the position.” Read that, here.

If Trump vetoes the NDAA, the Senate may try to override it on Jan. 3, the top Republican on the Armed Services Committee told reporters Thursday. Trump has until Dec. 23 to veto the annual defense authorization bill — which would be a first.
Reminder: Trump has threatened to veto the bill because it: 

  • Allows the removal of Confederate officers’ names from 10 U.S. military bases. 
  • Limits his ability to remove U.S. forces from Afghanistan, Iraq, Germany, and Korea. 
  • Does not repeal an unrelated measure (known as Section 230) that would reduce social media companies’ liability protections — protections that could, e.g., let Trump tweet with fewer restrictions when misleading his audience intentionally or by accident. 

Here’s Trump tweeting a preview of his NDAA veto on Thursday: “I will Veto the Defense Bill, which will make China very unhappy. They love it. Must have Section 230 termination, protect our National Monuments and allow for removal of military from far away, and very unappreciative, lands. Thank you!”

The U.S. military measured perceived racism and discrimination in the ranks, but is keeping the results secret. That’s what Reuters discovered after repeatedly requesting the latest data — from 2017 in a report titled the “Workplace and Equal Opportunity Survey of Active Duty Members” — via the Freedom of Information Act, and getting that request rejected.
Why reject the FOIA from Reuters? Because the survey data contains “information of a pre-decisional, deliberative nature,” Defense Department officials said, and added that they plan to send the data to Congress in the next several weeks; though they did not say why the data had not been sent yet.
The problem this presents now: That survey “data is already so old that the Pentagon is now in the awkward position of having to start planning for another survey in the ongoing 2021 fiscal year,” Reuters reports, “which ends on Sept. 30.” More here.

The Energy Department just banned certain Chinese-made products from use at “electric utilities that supply critical defense facilities,” Reuters reported Thursday from the office of Secretary Dan Brouillette. “It was not immediately clear which defense sites were considered critical.” Tiny bit more, here.  

North Korea may be making bomb parts in the outskirts of Pyongyang, researchers at the 38 North project suggest in a new report Reuters previewed ahead of its release today. 

Naval officials grilled on new sea-services strategy. On Thursday, flag officers took questions from reporters on the new tri-service strategy document. Reporters and analysts noted a lack of detail pertaining to the strategy’s newly aggressive stance on “day-to-day competition” as well as its intention to “carefully manage its resources.” Wrote Navy Times’ Geoff Ziezulewicz, “That aspiration sharply contrasts with the current state of the Navy’s surface fleet, which has seen record-breaking cruises and looming back-to-back deployments of two aircraft carriers this year, all in peacetime.” Read on, here.

And finally this week: More than 300 schoolboys were returned Thursday night after they were kidnapped in Nigeria last week by gunmen who claimed to be with the terrorist group Boko Haram, the Wall Street Journal reports. Unfortunately, “Many of the details around the kidnapping, in a remote agricultural area with poor communication, remain murky, including the total number of victims and the true identity of their captors.”
Like the Chibok girls kidnapping six years ago, these abductions triggered a wave of alarm across the region, “reignit[ing] fears over school security across the whole of Nigeria’s north. Boarding schools across four states have closed in response and it is unclear when they will open again.” More from the Journal, here.

Have a safe weekend, everyone. And we’ll see you again on Monday!
