White House Taps Neuberger to Lead SolarWinds ProbeDeputy National Security Adviser Anne Neuberger to Oversee Investigation
The Biden administration has appointed Anne Neuberger, the deputy national security adviser for cyber and emerging technology, to coordinate the investigation into the cyberattack that targeted SolarWinds and other organizations, following criticism from two senators that the probe has lacked coordination and transparency.
On Wednesday, Emily Horne, a spokeswoman for the National Security Council. confirmed Neuberger was coordinating the ongoing investigation by the Cyber Unified Coordination Group, which includes four agencies.
"In the first weeks of the Biden administration, Neuberger has held a series of consultations with both Democratic and Republican members of Congress on our approach to SolarWinds specifically and our cybersecurity strategy broadly," she said. "We look forward to continuing to work with Congress on these issues."
The announcement comes after Virginia Democratic Sen. Mark Warner and Florida Republican Sen. Marco Rubio sent a letter Tuesday to the four agencies heading the investigation, calling for the designation of a leader for the effort. They asserted that there's been a lack of coordination among the investigators and that briefings to lawmakers "convey a disjointed and disorganized response to confronting the breach" (see: Senators Demand More Coordination in SolarWinds Investigation).
Following the announcement of Neuberger's appointment, Warner, the chairman of the Senate Intelligence Committee, and Rubio, the vice chairman, issued a statement praising her role in coordinating the investigation and sorting through the intelligence.
"The federal government’s response to date to the SolarWinds breach has lacked the leadership and coordination warranted by a significant cyber event, so it is welcome news that the Biden administration has selected Anne Neuberger to lead the response," the senators note. "The committee looks forward to getting regular briefings from Ms. Neuberger and working with her to ensure we fully confront and mitigate this incident as quickly as possible."
Before joining the White House earlier this year as part of the National Security Council, Neuberger headed the U.S. National Security Agency's Cybersecurity Directorate since it was created in 2019 and was in charge of the NSA's effort to counter Russian interference in the 2020 U.S. election (see: Biden Fills 3 Cybersecurity Positions).
The Road Ahead
Greg Touhill, a retired U.S. Air Force brigadier general who served as the country's first federal CISO, says Neuberger's background in intelligence and cybersecurity make her well qualified to coordinate the investigation, which includes examining how the hackers who hit the software firm SolarWinds also targeted federal agencies and a variety of companies.
"There's a lot to do regarding this investigation, including discovering the facts and circumstances behind this incident, determining the breadth and depth of the current and potential damage, assessing the risk to the nation, identifying a strategy to reduce the risk and executing that strategy well," Touhill says. "It is essential to have a fully authorized and empowered capable leader to orchestrate these activities quickly and well."
The four agencies investigating the SolarWinds supply chain attack are the FBI, the Office of the Director of National Intelligence, the NSA and the U.S. Cybersecurity and Infrastructure Security Agency.
While the inquiry is still in its early stages, the investigators believe the attack likely was the work of a hacking group with ties to Russia and was part of a coordinated cyberespionage campaign (see: SolarWinds Attack: Pointing a Finger at Russia).
The investigators are exploring whether the attackers used attack vectors besides SolarWinds to target businesses and federal agencies, including the Treasury, Homeland Security, Energy and Commerce departments (see: SolarWinds Hackers Cast a Wide Net).
By appointing Neuberger to oversee the investigation, the Biden administration might be signaling how it wants to respond to the incident, says Mike Hamilton, a former vice chair of the Department of Homeland Security's State, Local, Tribal, and Territorial Government Coordinating Council.
"Because this act appears to be a mix of espionage and compromise of a growing number of security companies, the response is going to have to be nuanced and likely include some retaliation that might never be known publicly - which is something many in the information security community have been waiting for," Hamilton says.
Touhill says that, ideally, the federal CISO should lead the investigation, but that would require action by Congress.
"Unfortunately, in the federal government, the role of the CISO has yet to be fully authorized and empowered in legislation," Touhill says. "Until the Congress acts to formally define their expectations for and authorization of a federal CISO, we will continue to see delays in designating officials to lead cyber incident response, such as we've seen here."
In January, the Biden administration appointed former Obama cybersecurity official Chris DeRusha as federal CISO.
While the investigation into SolarWinds remains ongoing, more details have come to light in the past several weeks.
Microsoft's security team recently said that the Office 365 suite of products did not serve as an initial entry point for the hackers who targeted SolarWinds.
SolarWinds CEO Sudhakar Ramakrishna noted that the investigation could not point to a specific vulnerability in Office 365 as part of the attack, but he said that the hackers may have compromised an email account that allowed them to gain initial access into the network before planting a backdoor into a software update for the company's Orion network monitoring platform.
Acting CISA Director Brandon Wales told The Wall Street Journal that the SolarWinds attackers likely gained access to targets using a multitude of methods, including password spraying.
On Wednesday, the House Homeland Security Committee held a lengthy hearing about cyberthreats to the U.S., including the SolarWinds supply chain attack. Testifiers included Chris Krebs, the former director of CISA who is now consulting with SolarWinds, as well as Dmitri Alperovitch, executive chairman of Silverado Policy Accelerator, who is also the former CTO of security firm CrowdStrike.
Alperovitch said that as a result of the SolarWinds supply chain attack, the federal government and corporations should rethink their cybersecurity plans.
"This event highlights the need for a broader paradigm shift and a new approach to cyber strategy," Alperovitch said. "Both private and government organizations should adopt what we in the cybersecurity industry call an 'assumption of breach' mindset, where defenders actively hunt on their networks for any presence of an adversary, believing that they're already there. The only safe assumption in cyber is that networks are never safe."