Responding to a cyber Pearl Harbor

The drama of Washington politics, including the bumpy transfer of power between political parties, understandably has seized public attention now. And the ongoing pandemic fills nearly the rest of the news diet.

But if the United States weren’t experiencing such unusual times, the massive hacking of U.S. government computer systems might be dominating the news media. Granted, most people are pretty oblivious as to just what goes on behind the scenes as they type away on their laptops. Information flows, coming and going. They may know that internet privacy has been a concern for a while, but aren’t sure exactly what’s at stake or what can be done about it.

At least one close observer has called the hack of U.S. government computer systems first exposed last month as nothing short of a Pearl Harbor moment, a sneak attack of huge and lasting importance.

A quick review: In December, Orion management software developed by the SolarWinds company was found to have been hacked, very likely by Russian agents. Orion is used by some 18,000 clients, mostly private corporations. But among the users penetrated were U.S. government agencies, including the Department of State, the Department of Homeland Security, the Pentagon, the Department of the Treasury, and the National Nuclear Security Administration. Even Microsoft’s ubiquitous Windows and Office programs may be compromised. 

The attack apparently was launched from within the U.S. enabling it to avoid sensors set up by the National Security Agency that look for threats originating abroad.

What does “hacked” mean? Passwords, user IDs, source code, and financial records would have been exposed to view. What’s not yet as clear is whether malware has been installed that could cause future vulnerabilities, such as corrupting databases or seizing control of power grids. 

The world of software development has put a priority on rapid innovation, ease of use, and shiny new features. Security has lagged behind, the necessary killjoy. The biggest change coming out of the SolarWinds debacle is likely to be a new insistence that security take a top priority.

Solutions won’t be easy or inexpensive. Government agencies will have to cleanse their systems. Numerous questions will need answers, security experts say: What were the goals of the attacks? Why was such vulnerable software chosen in the first place? What new security standards need to be implemented? What assurances will vendors give that their systems are secure, and what penalties should be imposed for their failure?

The software used by government often overlaps with that in use in the private sector. New security standards for software the government procures could increase security for products that all Americans use.

The National Defense Authorization Act recently passed by Congress contains some provisions that address cybervulnerabilities. And this week the FBI, the Cybersecurity and Infrastructure Security Agency, and other agencies joined forces to try to get a handle on a problem so pervasive that no one agency can cope with it.

The incoming Biden administration will have to act quickly. President-elect Joe Biden faces a list of formidable challenges that need immediate attention, headed by the pandemic and its economic fallout. But cybersecurity now must be high on the list too.