The two biggest security breaches of my lifetime just happened in the past month.
The astonishing physical breach of the Capitol building in D.C. on January 6, promoted publicly in advance on extremist and mainstream social media, occurred simultaneously with similarly themed “demonstrations” by Trump extremists at state capitols around the nation. So, after covering cybersecurity for four years, I find it very tough to believe this all happened because the Department of Homeland Security, the FBI, and the National Security Agency combined somehow had no idea it was coming, or at least possible. Nor can I believe that the Capitol Police were somehow unprepared for hostile crowds, especially after their overwhelming response to last summer’s much, much milder protests.
It’s especially hard to believe no one was prepared for what happened after the President of the United States actively and publicly urged armed, bomb- and teargas-equipped rioters to assault the Capitol. Why it then took hours for the federal government’s huge security infrastructure to spring into action and come to the aid of police and Congress members is beyond me. It’s also beyond many law enforcement professionals.
Congress’ IT system may also have been breached
Trump has continually downplayed and trivialized the extent and severity of some foreign nation-states’ interference and cyber-espionage — here’s looking at you, Russia — even in the face of clear Russian nation-state-level involvement in some of the worst cyberattacks of recent memory.
He has also handicapped national security efforts by his ongoing struggles with the head of DHS’ Cybersecurity and Infrastructure Security Agency. Yet even after considering these ongoing problems with some of the nation’s security leaders, it’s still incomprehensible to many experts how any of Wednesday’s events could have happened.
Although members of Congress have said they will investigate these failures, it looks like the feds’ security team will have even more work to do to clean up after this mess. Because now, rumors are flying that computers and hard drives may have been stolen from Congressmembers’ offices, potentially compromising national security in many ways and leaving the huge task of rebuilding that IT system.
The extent of looting in the Capitol is still unknown. But the fact that it happened at all — and that the building’s defenses were breached by armed invaders who threatened to execute lawmakers after conducting mock trials — is completely unacceptable from the standpoint of any security standards.
It’s an ill Wind that blows Solar
Meanwhile, the other enormous breach, revealed on the day I began vacation (of course!), is the now notorious, widespread, massive SolarWinds debacle. It, too, has endangered national security at multiple levels, in addition to threatening critical infrastructure, with malware.
One of the most disturbing aspects of the SolarWinds hack isn’t the fact that it has compromised so many different agencies of the U.S. federal government, including the Department of Justice, as we’ve recently learned, or even that it has endangered so much of our critical infrastructure. To me, one of the worst things about it is that the first hint of something wrong came nearly a week earlier, when one of the world’s largest cybersecurity firms, FireEye, revealed that attackers had gained access to its Red Team tools.
So, it is bad enough that the federal government didn’t even know it was being attacked, but worse still that a top security company’s own tools could be compromised.
And how was it achieved?
Those are some of the other worst things, to me: 1) the vulnerabilities occur in SolarWinds’ Orion IT monitoring software, which is very widely used by thousands of governmental and commercial enterprises and is therefore a relatively easy target, and 2) it was either preventable or, worst case, highly foreseeable, since it occurred via a software supply chain attack.
As we reported in December, and is widely known among security professionals, the software supply chain is extremely vulnerable to cyberattacks, primarily because of the many links in the chain that are potentially invisible or even unknown to the design engineer. Attacks are especially likely during and after firmware updates, which is precisely how the SolarWinds hack occurred: during updates of Orion software that were trojanized to deliver malware.
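The trojanized-update scenario above is the kind of failure an integrity check at install time is meant to catch. The following is an added illustration, not code from the article or from SolarWinds: a deliberately simple update verifier that refuses to install any artifact whose SHA-256 digest does not match a manifest the operator obtained out of band. The file names, version strings, and byte contents are constructed for the example, and the "genuine" and "trojanized" builds are just two byte strings that differ by an appended stub.

```python
import hashlib
import hmac

# --- Constructed sample data (not real SolarWinds/Orion artifacts) ---
# Two builds that share the same file name and version string. The second one
# has extra bytes appended to stand in for a backdoor inserted into the build.
GENUINE_BUILD = b"example-monitoring-agent 1.0 (constructed genuine build)"
TROJANIZED_BUILD = GENUINE_BUILD + b"\x00<constructed backdoor stub>"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the artifact bytes."""
    return hashlib.sha256(data).hexdigest()


# Pinned manifest: name -> (version, expected digest). In practice this would be
# fetched or verified through a channel independent of the update download
# (e.g. a signed manifest checked against a key you hold), so that whoever can
# tamper with the download cannot also rewrite the expected digest.
PINNED_MANIFEST = {
    "agent-update-1.0.bin": ("1.0", sha256_hex(GENUINE_BUILD)),
}


def verify_update(name: str, version: str, data: bytes, manifest: dict) -> tuple:
    """Return (ok, reason). ok is True only if name, version and digest all match."""
    entry = manifest.get(name)
    if entry is None:
        return False, "no pinned entry for this artifact; refusing to install"
    pinned_version, expected = entry
    if version != pinned_version:
        return False, f"version {version!r} does not match pinned {pinned_version!r}"
    actual = sha256_hex(data)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(actual, expected):
        return False, f"digest mismatch: expected {expected[:12]}..., got {actual[:12]}..."
    return True, "digest matches pinned manifest"


def install_update(name: str, version: str, data: bytes, manifest: dict) -> str:
    """Gate the install on verification; raise rather than silently skip it."""
    ok, reason = verify_update(name, version, data, manifest)
    if not ok:
        raise RuntimeError(f"refusing to install {name}: {reason}")
    # Placeholder for the real install step; the point is that it is unreachable
    # unless verification passed.
    return f"installed {name} {version}"


if __name__ == "__main__":
    print(install_update("agent-update-1.0.bin", "1.0", GENUINE_BUILD, PINNED_MANIFEST))
    try:
        install_update("agent-update-1.0.bin", "1.0", TROJANIZED_BUILD, PINNED_MANIFEST)
    except RuntimeError as exc:
        print(exc)
```

The check only helps if the expected digest comes from somewhere the attacker cannot reach by compromising the same download path; a digest published beside the download, by the same compromised pipeline, proves nothing. It also cannot detect a backdoor that was compiled into the build before the vendor computed its digests, which is why build-pipeline integrity and out-of-band verification have to go together.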
As each of these separate attack scenarios plays out over the next several weeks, more will come to light about how and why they happened. Recent news, for example, indicates that the SolarWinds hack began earlier and is even more widespread than first reported, with 250 U.S. agencies and private enterprises affected. To what extent we will find out more about the security failures at the Capitol is anyone’s guess. But we need to find out, and soon.