OIG Assesses CISA’s Cyber Response Post-SolarWinds

A review by the Office of Inspector General (OIG) has found that the Cybersecurity and Infrastructure Security Agency (CISA) has improved its ability to detect and mitigate risks from major cyber attacks since the SolarWinds breach discovery in 2020. The watchdog added, however, that work remains to safeguard Federal networks.

The SolarWinds Incident

In 2019, a threat actor, later identified as the Russian Foreign Intelligence Service, carried out a campaign of cyber attacks that breached computing networks at SolarWinds, a Texas-based network management software company. The threat actor conducted a software supply chain attack, taking advantage of security vulnerabilities to plant malware (malicious code) in a software update that SolarWinds sent to its clients. When a client installed an infected update, the malware would spread, allowing access to the client’s networks and systems. The attack was highly sophisticated and used new techniques and advanced tradecraft to remain undetected for more than a year.

Because the U.S. government widely uses SolarWinds software to monitor network activity on Federal systems, this incident allowed the threat actor to breach infected agency information systems. SolarWinds estimated that nearly 18,000 of its customers could have received a compromised software update. Of those, the threat actor targeted a subset of high-value customers to exploit, including DHS and multiple other Federal agencies, primarily for espionage. The operation was first detected and reported to CISA by a private sector cybersecurity firm.

CISA participated in a task force with other Federal agencies to coordinate a government-wide response to the SolarWinds breach. The task force worked from December 2020 through April 2021 to discover the impact and mitigate the effects of the cyber attack. After CISA completed its SolarWinds response, it prepared several after-action reports that identified lessons learned, capability gaps, and areas for improvement. CISA reported that it needed a better communication process, more visibility into Federal agencies’ networks, and increased authority to find cyber threats on Federal networks.

The Department of Homeland Security…