GAO: SolarWinds, Exchange Hacks Reveal Info-Sharing Gaps
Auditors: Government Improved Collaboration in Response to Nation-State Attacks
Auditors at the U.S. Government Accountability Office say in a new report that the federal government's response to both the SolarWinds software supply chain attack in late 2020 and the exploitation of Microsoft Exchange Servers just months later sharpened its coordination efforts with the private sector, but exposed gaps in its information-sharing abilities.
The report, issued by Nick Marinos, managing director of information technology and cybersecurity at the GAO, and Jennifer R. Franks, the office's director of information technology and cybersecurity, describes the federal response to the two high-profile cybersecurity incidents.
"Recent incidents highlight the significant cyberthreats facing the nation and the range of consequences that these attacks pose," the GAO auditors say.
'An Unacceptable Risk'
The auditors also acknowledge that the zero-day Microsoft Exchange Server vulnerabilities had the "potential to affect email servers across the federal government and provide malicious threat actors with unauthorized remote access."
The U.S. Cybersecurity and Infrastructure Security Agency confirmed in the wake of both attacks that the incidents "posed an unacceptable risk to federal civilian executive branch agencies."
In its report, the GAO reviewed descriptions, press releases, response plans, statements, guidance and after-action reports issued by related agencies - including the Department of Homeland Security and CISA, the Department of Justice and the FBI, and the Office of the Director of National Intelligence - with support from the National Security Agency.
The hack of SolarWinds' network management software - widely used within the U.S. government - was later attributed to the Russian Foreign Intelligence Service, an agency tasked with espionage efforts outside the Russian Federation. Its breach affected some 100 organizations globally and nine federal agencies.
The GAO determined that 19 federal agencies did not classify SolarWinds as a major cyber incident reportable to federal officials. Some agencies said the attack did not meet reporting requirements established by the Office of Management and Budget; two others said they did not report it because they determined no data or systems had been compromised. Sixteen agencies did not provide further explanation.
Chinese government affiliates then exploited vulnerabilities in Microsoft Exchange Server in early 2021, redoubling federal efforts to shore up the nation's cyber posture. The White House later said "with a high degree of confidence" that the threat actors had been affiliated with China's Ministry of State Security. The vulnerabilities allowed threat actors to make authenticated connections to Microsoft Exchange Servers from unauthorized external sources and then leverage other vulnerabilities to escalate account privileges and install web shells that enabled remote access.
Both events spurred President Joe Biden to issue a cybersecurity executive order in May 2021, heralding a widespread revamping of federal IT security.
Forming UCGs, Lessons Learned
GAO auditors now point to several steps taken to respond to the cyberattacks, including the formation of two Cyber Unified Coordination Groups, or UCGs, one for each incident. The groups consisted of officials from CISA, the FBI and the ODNI, with support from the NSA.
Those involved in the incident response, the GAO says, identified several lessons from their investigations, including:
- Coordinating with the private sector led to greater efficiencies.
- A centralized forum for interagency and private sector discussions led to improved coordination.
- Information sharing among agencies "was often slow, difficult, and time-consuming."
- Collecting evidence was "limited due to varying levels of data preservation at agencies."
More specifically, the three UCG agencies said that coordination with the private sector helped identify the scale of the SolarWinds incident quickly, provided increased visibility into patching and exploitation of the Microsoft Exchange vulnerabilities, and gave the government an opportunity to "build trust" with the private sector.
Federal incident responders also said a "regular cadence of meetings" - first weekly and then less often - was an effective way to share information.
Still, for some security experts, these GAO findings are not exactly revelatory.
"The overall theme of [this report] is what we've known for a decade: Information sharing is critical. However, the federal government's ability to do it within and outside of government is still wanting," says John Bambenek, principal threat hunter at the firm Netenrich. "I am not overly hopeful that the pace of change [here] is anywhere remotely aligned with the seriousness of the threats."
Several agencies indicated numerous "challenges" with their response.
An official from ODNI's Cyber Executive Office told auditors that "information sharing … was difficult and time-consuming, as there were different classification levels for information." A senior technical director from CISA's Cybersecurity Division told auditors that sharing data received from law enforcement agencies was "challenging." And both officials said a shared channel - aside from email - would have been more beneficial.
ODNI told the GAO that dissemination "should have been an automated process" rather than a manual one. Agencies indicated that "varying levels of data log preservation … and a lack of data collection tools [also] limited evidence collection."
The GAO says eight agencies stated that "gaps in network and log coverage prevented them from quickly responding to the incidents." Five agencies said they were unable to respond using existing tools and needed to acquire new tools or modify their configuration. Agencies also cited "significant gaps" in log data retention. Some agencies, GAO found, held log data for 90 or 180 days, while others maintained no logs.
Nevertheless, some security experts suggest that CISA's work across both incidents, with its partners, likely prevented further damage.
"This GAO assessment again shows the terrific progress CISA has made in a very short period of time," says Roger Grimes, a data-driven defense evangelist for the security firm KnowBe4. "I think CISA and the other agencies involved [in the incident response] should take a bow. … [And CISA] is moving and reacting in real time like a private business, not like a typical government agency.
"If this is what CISA and the other agencies did last year in response to the two biggest nation-state cybersecurity threats we have ever faced, then it gives me hope for the future."
Initiatives now underway also continue to refine the government's response processes. For instance, in August 2021, CISA stood up its Joint Cyber Defense Collaborative, an effort to develop defense operations alongside interagency partners, the private sector, and state, local, tribal and territorial governments. In the wake of the widespread Apache Log4j vulnerability that was disclosed in December 2021 - a flaw that CISA Director Jen Easterly called the worst she has seen in her career - the agency credited the new JCDC with compiling helpful technical analyses. In fact, enough information was collected to inform a December joint advisory among Five Eyes nations, Easterly said last week (see: CISA: Federal Response to Log4j Has Been 'Exceptional').
GAO officials also indicate that Biden's executive order, which in part required agencies to identify all devices connected to their networks and implement logging practices, will help address these visibility concerns.
The GAO says it has made 3,700 cybersecurity recommendations since 2010 and that, as of November 2021, 900 of them "had not yet been fully implemented."