As details of the most audacious hack on the U.S. government in recent memory continued to stun lawmakers and the public, a government watchdog released a blistering report saying that federal agencies have failed to implement key safeguards for their information technology supply chains.
The report by the U.S. Government Accountability Office was completed in October but only made public on Tuesday in the wake of the recent attacks, which are believed to be the work of elite Russian hackers. It found that 14 out of the 23 surveyed federal agencies hadn’t implemented any of the “foundational practices” to protect their “information and communications technology” supply chains that were recommended in 2015 by a government standards group.
None of the agencies had implemented all the recommended changes. Among the agencies surveyed were several that were hacked by suspected Russian attackers: Commerce, Treasury and State.
Lawmakers who received a recent classified briefing on the attack indicate that it is among the most serious in recent years. Senator Richard Blumenthal, the Connecticut Democrat, said in a tweet Tuesday that the briefing left him “deeply alarmed, in fact downright scared.” Dick Durbin, the Senate’s second highest-ranking Democrat, said on CNN Wednesday that the hack was “virtually a declaration of war.”
The Office of Management and Budget required the agencies in 2016 to implement the recommendations, which were made by the National Institute of Standards and Technology, according to the GAO.
“Supply chains are being targeted by increasingly sophisticated threat actors, including foreign cyber threat nations such as Russia, China, Iran and North Korea,” the report states. “Attacks by such entities are often especially sophisticated and difficult to detect.” The report warns of hackers inserting a so-called ‘backdoor’ into the supply chain, which appears to be exactly what happened in the attack on federal agencies.
The report offers the first clues to a crucial question about the recent cyber-attack: how did the U.S. government miss hackers in the computer networks of so many agencies?
Those hackers are believed to be tied to the Russian government, and they also breached the Department of Homeland Security and parts of the Pentagon, according to a person familiar with the matter. The hackers installed a malicious vulnerability, or backdoor, in a popular software product made by information technology provider SolarWinds, whose customers include numerous U.S. government agencies and Fortune 500 companies, according to the company and cybersecurity experts.
It remains unclear what the hackers accessed, or how many agencies and other entities were successfully breached.
Representatives at GAO and OMB didn’t return a message seeking comment.
The GAO report also warned of the potentially dire consequences of a successful supply chain attack.
“For example, threat actors could take control of federal information systems; decrease the availability of materials or services needed to develop systems; destroy systems, causing injury and loss of life, and compromising national security; or steal intellectual property and sensitive information,” the report says.
Federal agencies remain vulnerable to supply chain attacks until they implement all the recommend changes, the GAO said. Until then, according to the report, “They will continue to be vulnerable to malicious actors that could exploit the ICT supply chain risks to disrupt mission operations, cause harm to individuals or steal intellectual property.”
