As COVID-19 spread across the United States over the past ten months, another threat to U.S. security and prosperity was simultaneously infiltrating the nation, only more quietly and under the radar: the massive SolarWinds software breach that impacted up to 18,000 client organizations.
Fellow - Center for Strategic and International Studies
Former Research Analyst - The Brookings Institution
The SolarWinds breach is a highly sophisticated “supply chain attack” in which foreign hackers accessed a U.S. software company and installed malware in a software update accessible to government agencies, private companies, non-profits, and even major security firms like Microsoft. In mid-December 2020, the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and Office of the Director of National Intelligence (ODNI) announced that multiple federal agencies using SolarWinds software had experienced “significant and ongoing” threats since March 2020. These include the Departments of Defense, Energy, Commerce, and State, as well as other public and private sector organizations, effectively exposing critical infrastructure to currently undetermined risks and damages.
Divisions in Trump’s approach to Russia and cybersecurity
Following the SolarWinds discovery, several senior Trump administration officials pointed to Russia as the likely perpetrator, and Republican members of Congress called for immediate retaliatory actions. Trump, in contrast, cast doubt on Russia’s involvement and described the breach as “far greater in the Fake News Media than in actuality.”
In this regard, SolarWinds demonstrates a certain dissonance between President Trump and much of the rest of the government. Rather than fortify federal networks following the SolarWinds discovery, Trump instead vetoed the 2021 National Defense Authorization Act (NDAA) over seemingly unrelated criticisms of Section 230 and social media companies. Then, on January 1, Congress voted to override Trump’s veto, with approximately 150 Republican members breaking from the president. The 2021 NDAA, now law, includes provisions to establish a new White House cyber director position, grant additional authority to CISA, and require a review of the Cybersecurity Maturity Model Certification.
But dissonance is nothing new for Trump: his presidency has long been characterized by contradictions and conflict with cybersecurity professionals within his own administration. A recent example occurred on November 12, when CISA published a statement by election officials affirming that no evidence of fraud or compromise was found during the 2020 elections. Instead of viewing election security as an accomplishment, Trump retaliated against the statement by firing CISA Director Christopher Krebs. Even before then, Trump’s presidency saw the departures of three national security advisers and eight deputy national security advisers, not to mention CISA Assistant Director Jeanette Manfra and Homeland Security Advisor Tom Bossert.
Under Trump, the White House has lacked coordination and clarity on its own policies—an issue exacerbated by the elimination of the White House cyber coordinator position. Although Trump signed executive orders in 2017 and 2019—one to strengthen critical infrastructure and federal networks and the other to support cybersecurity personnel within federal agencies—neither came with substantial follow-up action. The White House released a National Cyber Strategy in 2018, but there was uncertainty about how this document complemented the Defense Department’s Cyber Strategy and Command Vision for the U.S. Cyber Command, which respectively called for “persistent engagement” and “defend forward” strategies to proactively stop cyber threats. Both of these terms are ambiguous in practice, especially in how they apply to Russia—after all, Trump has avoided criticizing Russia, and these strategies did not prevent the SolarWinds attack.
A new cybersecurity agenda for the Biden administration
Since the SolarWinds investigation will continue to unfold over the next few months, the federal government’s response—and any associated policy changes—will default to the Biden administration. And so, in contrast to Trump’s passivity, we can expect concrete changes in approach to SolarWinds after January 20, for three key reasons.
First, Biden—unlike Trump—has vowed to make the response to SolarWinds “a top priority from the moment we take office” and to invest in cybersecurity infrastructure and personnel, improve private sector partnerships, and work with U.S. allies to take action against parties that carry out cyberattacks. Biden has already nominated several agency leaders who are experienced with cyberattacks, including Alejandro Mayorkas for DHS, Avril Haines for ODNI, and Lloyd Austin for DoD, and other political appointments are forthcoming. Critically, the White House cyber director and National Security Council will be responsible for improving coordination among agencies in order to better detect and mitigate future risks. As part of a follow-up response to SolarWinds, federal agencies may also consider providing updated cybersecurity guidelines or resources for private companies.
Second, Congress voted to override Trump’s recent veto of the 2021 NDAA, and is likely to work with Biden on a SolarWinds response. Members from both parties requested information about the SolarWinds attack from the FBI, CISA, ODNI, and DHS and stated intentions to work on bipartisan cybersecurity legislation in 2021. The latter could also tie into negotiations over comprehensive federal privacy legislation, as many privacy bills in the 116th Congress would require companies to implement “reasonable” cybersecurity measures (most notably, the SAFE DATA Act and COPRA). Other areas of congressional focus may include strengthening the Department of Homeland Security’s EINSTEIN program, continuing to fund and implement CISA’s Continuous Diagnostics and Mitigation program, and facilitating the recruitment and retention of IT personnel in the federal government.
Third, the U.S. relationship with Russia will shift once Trump is no longer in office. Both nations will likely seek to bolster their security and threat deterrence mechanisms. Biden vowed to impose “substantial costs” on the parties responsible for SolarWinds, and incoming White House Chief of Staff Ron Klain hinted that such actions could go “beyond sanctions.” Meanwhile, for the Biden administration to deter future state-sponsored cyberattacks, it will need to cultivate existing geopolitical relationships beyond response to any single cyber incident. Forward-looking collaboration with U.S. allies on cybersecurity issues might involve establishing common principles, sharing resources, and cooperating on deterrence strategies.
Above all, the Biden administration is likely to emphasize a multifaceted, well-funded, and strategic approach to cybersecurity threats that are only becoming more complex and far-reaching. Many top priorities for the Biden administration—infrastructure, international trade, pandemic response, broadband deployment, election integrity—will depend on it.
Microsoft is a general, unrestricted donor to the Brookings Institution. The findings, interpretations and conclusions in this piece are solely those of the author and not influenced by any donation.