Russia’s SolarWinds hack in the fall of 2020 is shaping up to be the largest known theft of sensitive government information in history. Everyone knew the federal government’s outdated and poorly organized networks had security flaws. Across the federal government, IT experts spend billions each year building fences around “soft spots” on their network – unsupported software, hacked email accounts, and custom code that hasn’t been extensively tested for flaws.
But instead of finding a hole in the fence’s periphery, Russia cut a giant hole through the front gate. They targeted SolarWinds, a company whose software had privileged access to the servers of both the federal government and some of the largest businesses in the country. And they used Office 365, the largest cloud platform in the world, to help them break in.
It will take years to understand the fallout from this attack, but we learned a few lessons immediately. Here are three facts that will matter to anyone with a federal contract (and states are likely to follow soon).
Cybersecurity is getting much more attention from the highest levels of government.
The House Armed Services Committee launched a new cybersecurity subcommittee in early February. House leaders wanted to make sure that a multitude of new cybersecurity policy provisions in the 2021 annual defense bill are executed. One of those provisions creates a new 75-person Office of the National Cyber Director (ONCD) – and the Director reports directly to the President’s Chief of Staff.
Nobody providing services or software to the government is immune to attack.
If other nations can break through Microsoft’s defenses, they can breach anyone. It’s what happens next that determines the extent of the damage. Government agencies will still require contractors to have software and processes in place to deter successful attacks – but they’ll also want contractors to have processes in place to detect attacks, stop them quickly and report on the damage done.
Businesses with government contracts can expect more cybersecurity regulations soon.
Government contractors must adhere to NIST 800-171 already. But this framework was expanded in early February by the newly issued NIST 800-172. The Defense Department’s CMMC framework will also demand heightened safeguards for defense contractors as it comes into force in the near future. And these changes all happened before the ONCD Director has even been nominated. A new wave of regulatory compliance is coming quickly, and many government suppliers will likely be caught flat-footed due to the speed of the changes.