Striking back: 4 ways the Biden administration should respond to SolarWinds
Now that Joe Biden has taken office, he’s got to figure out how to dig the country out of a spectacular, smoldering crater.
For about as long as the coronavirus pandemic ravaged the United States, another sinister invasion was taking place—except in secret. This incursion was an audacious, silent cyberattack that infiltrated, ransacked, and subverted at least 10 government agencies and potentially hundreds of corporations.
The President is inheriting a mess, to put it mildly. “It’s not Pearl Harbor. It’s not an act of war,” stresses Mark Montgomery, head of the Cyberspace Solarium Commission, a federal cybersecurity task force. “But it was a brutal act of espionage that is going to cost us a lot of money”—many, many billions, he says—“to recover from.”
Biden is entering the fray with no illusions, if little clarity, about the magnitude of the challenge he faces. “There’s still so much we don’t know, including the full scope of the breach or the extent of the damage it has caused. But we know this much: this attack constitutes a grave risk to our national security,” the then President-elect said in December after the hack’s discovery. Echoing Biden’s avowal, a National Security Council spokesperson tells Fortune the administration will be “elevating [cybersecurity] as an imperative across the government from day one” and will “hold accountable those responsible for attacks.”
Toward that end, Biden’s team has earmarked $10 billion of pandemic relief for additional IT spending. Assuming Congress approves it, more than two-thirds will go to the Homeland Security Department’s top cyber outfit to improve incident response and network monitoring across government. Biden has already made a number of calculated appointments to deal with the situation, including plucking Anne Neuberger, an NSA honcho, for a new cyber advisory role on his National Security Council, and the latest defense legislation gives him some powerful new tools.
If America is going to pull out of the ever-widening gyre that is the SolarWinds hack, the new Commander-in-Chief has to stay focused. Below, you’ll find four policy recommendations, sourced from public- and private-sector cybersecurity experts, that should top his list.
1. Rallying behind a National Cyber Director
On Jan. 1, Congress passed the $740 billion National Defense Authorization Act (NDAA) for 2021, overturning a veto by President Trump. In addition to approving the Pentagon’s annual budget, the hefty piece of legislation contains some profoundly significant cyber policy initiatives. Most notably, the law approves the creation of a new executive branch role: the Office of the National Cyber Director. This office, with a staff of up to 75, is set to be the President’s “principal adviser” and policy coordinator on all cybersecurity-related matters.
Of more than two dozen Solarium Commission recommendations adopted in the NDAA, the directorship may be the most significant, says Solarium’s Montgomery. In cyberdefense, as in many other policy arenas, a spaghetti-tangle of agencies have overlapping responsibilities.
The hope is that the new office can give federal policy the cohesion it has lacked. The President doesn’t have time to drop in on the Small Business Administration to check on its cybersecurity efforts, or to manage relationships between municipal water authorities and the EPA, Montgomery says. “In the end, you need someone who is accountable.”
To be effective, the cyber director will need to work in concert with other agencies. An elevated “cyber bureau” at the State Department would be a key accompaniment: Together, the two could more persuasively corral allies, exert influence abroad, and push for bright, red “do not cross” lines on the Internet—like no plundering of intellectual property, interfering with elections, sabotaging public utilities, or harming civilians.
Michael Daniel, President Obama’s cyber czar and now head of the industry group Cyber Threat Alliance, says the U.S. needs to be more consistent and explicit if it is to establish international rules of the road in cyberspace. As for SolarWinds, he says, America and its allies need to signal to the perpetrators that “anything that goes beyond espionage that we find”—like data destruction or physical damage—“we reserve the right to escalate.”
Of course, the U.S. conducts espionage too, Daniel acknowledges. But there should be no tolerance for other nations’ operations that “get too big, too bold,” he says.
At press time, the rumored top contender for director was Jen Easterly, head of resilience at Morgan Stanley and a former NSA official who helped establish the U.S. military’s Cyber Command. Whomever Biden puts in charge will set the tone for all that follows.
2. Strengthening CISA, the White House’s liaison to business
Shortly before the SolarWinds hacking revelation, Trump ousted Chris Krebs, founding director of the Cybersecurity and Infrastructure Security Agency, or CISA, the agency that serves as the government’s primary cyber-focused interface with private industry. Krebs, a veteran of Microsoft, had earned plaudits for building CISA, and for his role in keeping the 2020 elections free of foreign interference. He lost his job in a dispute over the President’s baseless election fraud allegations.
The two-year-old CISA was already fighting to be “invited to the adult table in intelligence discussions,” says Kiersten Todt, managing director of the nonprofit Cyber Readiness Institute. Krebs’s dismissal would further handicap the agency most responsible for helping companies recover from hacks. (Krebs has since been hired by SolarWinds to help the company with its unenviable attempt to bounce back from its eponymous hack.)
But even as it absorbs its loss, CISA has gained new powers under the NDAA. For one, the agency got clearance to create a “cyber planning office” that will more closely and proactively coordinate with the private sector. That includes creating playbooks for how to respond to big hacks, putting in place economic continuity plans, and running tabletop exercises with corporations on code red situations. Such exercises would help big companies and cybersecurity firms plan for, say, what to do if Iran hacks a utility to poison local water supplies, the Kremlin causes citywide blackouts, or China fries our roughly three-dozen GPS satellites. “Bodies like CISA matter because they’re trying to develop the philosophies and the methodologies and practices that we need to share” to increase our collective defenses, says Vasu Jakkal, Microsoft’s chief security marketer.
The NDAA boosts the authority of CISA in other ways as well. Crucially, CISA will be permitted to hunt down threats on federal networks, where who knows how many hackers are crawling. The SolarWinds hack ought to be viewed “as a long-term penetration of our most valuable networks,” says Dmitri Alperovitch, founder of Silverado Policy Accelerator, a security-focused think tank. Staffing up a squad of top-notch search-and-destroyers “is something they need to start leveraging literally on day one,” says Alperovitch, also a cofounder and former tech chief of the cybersecurity company CrowdStrike.
Word is that Biden intends to tap Rob Silvers, a former Obama official who helped negotiate a major trade-secret–stealing truce with China in 2015, as CISA’s new leader. If he’s confirmed, he’ll be a close partner to the national cyber director.
3. Setting better standards
Too often cost-conscious companies nick cybersecurity from their budgets first.
Ian Thornton-Trump says he experienced just that agony firsthand when the digital defense advice he gave to SolarWinds—whose widespread network monitoring tool Orion became ground zero for the hackstravaganza—went ignored a few years ago. (A SolarWinds spokesperson said, “We believe our investment in security has consistently been appropriate for a company of our size” and that the company is now “fortifying and implementing additional security practices.”)
Thornton-Trump, now chief information security officer at cyber firm Cyjax, believes companies should keep up to snuff when it comes to certain basics, he tells Fortune. That could include requiring businesses to perform regular audits and penetration testing, which gauge how permeable a company’s systems might be to a hack. He looks to the cybersecurity standards set by the New York Department of Financial Services, which came into full effect in 2019 and apply to financial firms operating in the state, as a solid precedent.
(Reaching for carrot over stick, Thornton-Trump suggests that the government offer tax rebates to companies that perform third-party attestations proving they’ve abided by the rules.)
Thornton-Trump also proposes requiring companies to spend a certain share of their revenue on security controls. A 2019 study by Deloitte and FS-ISAC, a security-focused consortium for the financial industry, found that financial firms spend on average 10% of their IT budgets, or about 0.6% of their revenue, on cybersecurity. That’s roughly $2,150 per employee. While there’s no one-size-fits-all approach—and compliance doesn’t equal security, as any worth-their-salt security pro will tell you—the figure is not a bad rule of thumb.
Similar standards-setting is underway in the government. The Department of Defense asks its suppliers to comply with a “cyber maturity model certification” that aims to assure some basic level of data safeguarding.
Solarium’s Montgomery hopes the government will establish a nonprofit bureau of cyber statistics—similar to Underwriters Laboratories, which tests and grades consumer products. That hypothetical organization could become an essential source of data for the nascent cyber insurance industry, a key lever for pushing the private sector to adopt better cybersecurity practices. It could also eventually rate software and software components based on their cybersafety—a grading system that could nudge sloppier tech companies to step up their game.
4. Fewer secrets: Passing a data breach notification law
In the U.S. at present, companies have to disclose breaches only when they compromise certain types of data, like people’s personal information. Most electronic break-ins—including ones featuring high-stakes stolen trade secrets, financial losses, or worse outcomes—therefore go unreported.
That’s got to change, cybersecurity experts say, and the bar for public disclosure must be lowered. A national data breach disclosure law, akin to what Europe requires, would force companies to report any significant network intrusions to the government. If CISA can get a clearer picture of widespread hacking campaigns, it can better help coordinate responses. Down the line, obliging publicly traded companies to file cybersecurity-related metrics to the Securities and Exchange Commission, as they already do in accounting, will let stakeholders better assess risk.
If there’s “less of a scarlet letter around a breach and a greater willingness to talk about them,” says Amit Yoran, CEO of cybersecurity firm Tenable and former president of RSA, then “you’ll have more informed investors, and, as a nation, we’ll have a better understanding of how many of these breaches are actually occurring and what the cost is.”
“It’s too easy for companies to argue their way out of disclosures under SEC guidance now, and the cottage legal industry that’s formed around it is doing nobody any good,” says Robert Knake, an ex–National Security Council member.
The trick is to make sure stronger disclosure requirements don’t stop companies from rooting out intrusions in the first place, a possible negative outcome that Knake likens to taking “an ostrichlike approach.” Companies might prefer to stick their heads in the proverbial sand rather than spend money looking for hacks they’ll have to tell the world about.
Companies that specialize in cyber “threat intel” are also wary about rules that might require them to disclose the hacks they unearth—in part because their business models are often based on selling warnings exclusively to clients. Suzanne Spaulding, a cybersecurity expert and a member of the Solarium Commission who supports such rules, says, “The concern over the years from companies has been, if I’m a good actor, and I disclose, but my competitor finds a way to hide it, that’s a competitive disadvantage.”
For the broader business community, stronger disclosure rules might have to go hand in hand with formalized audit and penetration-testing guidelines. Because if more hackings, like SolarWinds, can be brought out of the shadows, then sunlight can work its disinfecting magic.
This article appears in the February/March 2021 issue of Fortune with the headline, “Striking back: How the Biden White House should respond to SolarWinds.”