Americans are right to be appalled at the vast swath of cyberespionage made possible by a backdoor planted in SolarWinds’ network-management software. Few worried about SolarWinds’ products prior to the breach. They were tools used for managing complex networks and critical for enterprise IT professionals. For most of us they’re just part of the ubiquitous and invisible plumbing we can ignore on our way to the data we need. We learned in recent weeks just how many depended on those tools—from the private sector to the U.S. government.
Sophisticated hackers, probably from a Russian intelligence service, compromised SolarWinds’ own network so thoroughly that they were able to rewrite the company’s code, inserting a backdoor that the company unknowingly distributed to its customers as a legitimate software update. A critical lesson to be learned is this: Every part of our information technology infrastructure can be turned against us. Just one bad component, even one we’ve never heard of, can expose all our data and open up our networks to hostile actors.
It took great stealth and sophistication to pull off the initial SolarWinds compromise and even more to exploit large numbers of SolarWinds customers. But that’s because SolarWinds is a U.S. company whose management can be trusted to obey U.S. law and protect its customers. Subverting that company’s code required stealth and talent.
It would have taken neither to compromise a component made by a company whose headquarters and management were located in Moscow. Instead of sneaking through its network, Russian intelligence would simply have ordered it to install the backdoor.
That may seem obvious, but we haven’t absorbed what it means: Before we trust the plumbing in our IT networks, we need to know where every component comes from. And if we don’t trust the country where it’s made, we need to treat the component as though it is designed to spy on us, at least until we’re sure it can’t.
That broader lesson was the subject of several months of study by a Homeland Security Advisory Council subcommittee on economic security on which we both served. The subcommittee’s report sounds the alarm about just how vulnerable our IT infrastructure has become, thanks to the globalization of the technology supply chain. Globalization has dramatically lowered technology costs, but at a high cost in security. Our networks are laden with components that could be the SolarWinds of next week or next year.
The subcommittee makes a dozen recommendations for what the Department of Homeland Security and the rest of the government should do to begin measuring and responding to supply chain risk. The response has been encouraging and bipartisan. We’ve given productive briefings to both the acting secretary of DHS and the DHS transition team, as well as majority and minority staffs in Congress.
Perhaps the most far-reaching change we recommended was to consolidate U.S. intelligence work on supply chain risks in a Joint Supply Chain Intelligence Center housed at DHS. The goal would be to pull together the information we have about risky suppliers—and to set priorities for intelligence collection aimed at verifying our suspicions about those suppliers.
In theory, the intelligence community is already looking for foreign spies trying to steal American secrets. But most of those counterintelligence efforts are aimed at protecting government secrets. We’ve been less effective at helping companies protect their networks, even though some of those networks, like the power grid, are essential to modern life. Traditional intelligence agencies are ambivalent about protecting U.S. corporations, fearful of accusations of favoritism. They are also uncomfortable handling a mix of information about Americans and foreigners, something any study of U.S. companies’ supply chains will have to do. The U.S. intelligence community doesn’t have well-established mechanisms for sharing what it learns with U.S. companies, and especially not for getting feedback from those companies about the shortcomings of the intelligence they receive.
DHS, in contrast, has been forced from the beginning to deal with datasets that mix Americans and foreigners. It has had to make U.S. companies comfortable sharing information about their vulnerabilities, and it has obtained special legal protections to ease the companies’ liability and disclosure worries. DHS certainly doesn’t do any of this perfectly, but it has far more experience than others, and its trial and error has given it a practical sense of what works and what doesn’t. That’s probably why a surprising number of intelligence professionals told us that they too thought DHS was the logical center of public-private information sharing about supply chain risks.
We are pleased that the idea is gaining bipartisan strength in Congress. The National Defense Authorization Act for this year calls for existing counterintelligence agencies to give Congress a plan for strengthening supply chain intelligence. That first step was meant to show that Congress was taking supply chain intelligence seriously.
But that was before SolarWinds. After SolarWinds, we need to move forward with far more urgency. All the more so because Russia is far from our only challenge in this space. China poses an even bigger threat: it is already deeply embedded in U.S. supply chains and need not conjure up the creativity and skill that were needed to penetrate our most critical entities this time around.
When it comes to supply chains, visibility is rule number one. Unless you know yourself—and your potential adversaries—you are driving blind. Espionage is just one possible consequence. The same access used this time to spy could next time be used to disrupt and damage far more.
Frank Cilluffo is the director of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security.
Stewart Baker, a former assistant secretary for policy at the Department of Homeland Security, practices law at Steptoe & Johnson LLP in Washington, D.C.
The views expressed in this article are the writers’ own.