The consequences of the SolarWinds Orion hack are far from clear, but analysts and lawmakers say that officials at CISA and NSA made notable strides to improve the government's cybersecurity posture.
Trump pauses at a 2018 rally. (Photo credit: Evan El-Amin/ Shutterstock.com)
The SolarWinds hack, first detected in December 2020, colors any assessment of the cybersecurity legacy of the administration of President Donald Trump. During Trump's last days in office, as the president pressed to overturn the results of the November election, the federal government scrambled to contain the fallout from an ongoing intelligence operation believed to be the worst intrusion in the country's history.
Trump's critics have roundly pointed to the hack as a climax of an administration that has not taken cybersecurity seriously.
"This assault happened on Donald Trump's watch when he wasn't watching," President-elect Joe Biden said during a December press conference. "The Trump administration failed to prioritize cybersecurity."
Trump declined to support the intelligence community's attribution of the hack to Russia, and suggested via Twitter – the social network from which he's now permanently banned – that China might have had a hand in the breach.
Trump's dismissal of the attribution in the SolarWinds breach echoed his comments in a 2016 debate with rival Hillary Clinton, in which Trump downplayed the possibility that Russia was behind the hack of Democratic National Committee.
"I mean, it could be Russia, but it could also be China. It could also be lots of other people," Trump said. "It also could be somebody sitting on their bed that weighs 400 pounds, okay."
Analysts and lawmakers told FCW – in an article reported before the Jan. 6 insurrection at the U.S. Capitol -- that the Trump administration's legacy on cybersecurity is more complicated than a single hack. While leadership (and subject matter knowledge) at the top was lacking, people such as Chris Krebs, Gen. Paul Nakasone and others have improved the federal government's cybersecurity posture.
"It's a mixed report on the successes under the Trump administration," said Rep. Jim Langevin (D-R.I.), who is active on cybersecurity issues in the House of Representatives.
The Cybersecurity and Infrastructure Security Agency is one of the newest agencies within the federal government, formally created by legislation signed by Trump in 2018. But its role in the 2020 elections brought it to national prominence in the months leading up to Nov 3.
Since the Democratic National Committee's systems were compromised in 2016, questions of election security have become synonymous with cybersecurity. This in turn made CISA the go-to agency for states requiring assistance. CISA's part in doing that has won it bipartisan praise.
Sen. Angus King (I-Maine) characterized the agency as "an extraordinary success story" in part because of CISA's ability to gain the states' trust.
"I recall sitting in hearings with [state election officials] back in 2017 and they were very resistant to federal involvement in elections. They were almost hostile," he told FCW.
The agency's first director, Chris Krebs, a former Microsoft executive and senior DHS official who headed CISA's predecessor agency, became equally synonymous with the agency's success. "Chris Krebs and CISA overcame that" resistance, King said
Rep. Michael Gallagher (R-Wis.), when asked about the administration's cybersecurity legacy, said, "I think what's gone right has been CISA in general and Chris Krebs in particular."
Ari Schwartz, a cybersecurity official at the National Security Council during the Obama administration, said CISA brought new credibility to DHS.
"DHS had lacked credibility for years and years and one thing you can say about what Chris Krebs has done is he certainly has got a lot more credibility for CISA as a cybersecurity institution than what the pieces of it had," Schwartz said.
Trump's decision to fire the CISA chief after the Nov. 3 election prompted bipartisan rebukes.
But CISA's responsibility extends beyond election security. It has also become an authority for programs within the government designed to improve cybersecurity.
Easing out legacy policy
Margie Graves, the former deputy federal CIO, who left her post at the White House's Office of Management and Budget in December 2019, said the administration has also made significant progress on programs such as the Trusted Internet Connection.
TIC, originally created in 2007, is designed to monitor incoming and outgoing agency data. Earlier versions of TIC sought to reduce the number of entry and exit points for data.
"It became a different kind of problem to where you had a single point of ingress and egress that was causing operational issues with latency problems," said Graves.
This led to a change in how the government sought to use TIC: provide agencies with the tools to manage their security points rather than directing specific implementation measures.
"It opened up the aperture to allow other tools to be used," said Suzette Kent, the federal chief information officer from January 2018 to June 2020.
"The tools had to be proven to CISA. They had to go through use-case examination. They had to meet the same outcomes … it further helped us advance some of our cloud protocols because we could use more modern tools to achieve that same thing versus running everything through the same pipe," Kent continued.
However, the progress on issues such as TIC, identity, credential and access management and vulnerability disclosure policies were not predicated on partisan support, Graves said
"The policies that we changed and the accomplishments that we achieved were going to happen because it was the right thing to do," she said.
Those policies and changes "were necessary building blocks and foundational elements of running effective technology, whether you're red or blue didn't make much difference," Graves added. "What did make a difference is any administration – this one or any other – putting their blessing behind certain things getting done."
Graves cited the Modernizing Government Technology Act, which established working capital funds for certain agencies to use on IT projects, as an example.
The legislation was signed by Trump in December 2017 as part of the Fiscal Year 2018 National Defense Authorization Act, but the bill first reached the House floor in 2016. It lost traction in the Senate due to scoring from the non-partisan Congressional Budget Office. Graves and her team spent the first several months of Trump's presidency briefing the new administration on what elements needed political support before the MGT Act became law.
Cybersecurity and national security
As the administration prepared to sign the legislation that would create CISA, John Bolton, Trump's former national security advisor, made headlines when he eliminated the cybersecurity coordinator position resident in the National Security Council.
Bolton viewed the move as a way to get rid of bureaucracy, while critics argued it deprioritized cybersecurity as an issue. The 2021 National Defense Authorization Act effectively counteracts Bolton's decision by establishing a Senate-confirmed position inside the White House as the principal advisor to the president on cybersecurity issues.
"The president – under his administration, he eliminated the cybersecurity coordinator at the White House," Langevin said. The Trump administration also eliminated the "cyber coordinator position at the state department – another big mistake."
Schwartz, the former NSC official, said the coordinator was able to resolve the "total land grab" among agencies declaring their jurisdictions on cybersecurity as a means of boosting their annual budgets.
"The Obama administration spent a lot of time ironing that stuff out and that was the reason this coordinator was needed, because new issues pop up all the time in this space," he said. "You need someone to kind of work those things out at a level that people will listen to."
The new national cyber director, and other recommendations from the congressional Cyber Solarium Commission, garnered bipartisan support.
"The whole purpose of the NSC is to provide coordination among government agencies on issues of national security for the benefit of the president. All these ideas about czars ignore the reality that that's what the NSC process is supposed to help the president do," Bolton told FCW.
When asked to comment on the new role coming under Biden, Bolton said, "That's even worse."
The administration in 2018 also published its National Cyber Strategy, which several lawmakers praised in interviews with FCW, while all issuing a similar critique: it was not comprehensive.
"You had the 2018 strategy, and then you had the DOD strategy, and then you had a lot of the authorities that we unleashed in Congress," said Gallagher, a co-chair of the Solarium Commission. "You [had] three different lines of effort that were all good and generally going in the right now direction, but [they] didn't necessarily talk to each other."
The administration's strategy also did not incorporate the Defense Department's "Defend Forward" initiative, a concept touted by Nakasone, the National Security Agency director and chief of U.S. Cyber Command, that states the U.S. must aggressively pursue adversarial networks as a way to foresee future attacks to domestic entities.
The Washington Post reportedin February 2019 the NSA conducted an operation, led by Nakasone, to shut down the Internet Research Agency, a Russian company believed to be associated with the Kremlin and responsible for attempting to sow discord in U.S. politics, on the day of the 2018 elections.
While the government's offensive cyber operations are rarely discussed publicly, the revelation that the U.S. intelligence community and the Pentagon personally shutdown a Kremlin-sponsored entity became a public show of force for how Nakasone could "defend forward." The move was in some ways also a demonstration of the administration's efforts to reduce the bureaucratic decision-making processes that could hamper an offensive operation.
It's not clear whether the Trump administration truly conducted more offensive cyber operations than in previous years, but its public posture suggests it did.
"The public perception is that it's gone up," said Christopher Painter, a former cybersecurity official at the State Department. "There were leaks … on things like the disruption of the Internet Research Agency during the 2018 elections. There were more forward statements by Gen. Nakasone on using all capabilities, so the perception is certainly that it's gone up, but the reality is I'm not sure."
However, if the government wants to deter adversarial attacks from actors such as the Russian intelligence service believed to have breached SolarWinds Orion, then more transparency is required.
"Deterrence I think is still important," Painter said. "For that to work I think you need to be more transparent -- not transparent about individual operations, but basically say we're doing this. Tell the adversary we're doing this [and we] will stop doing this when you stop."
A 'trade chit'
Trump personally has targeted Chinese companies such as Huawei, levying sanctions against them and accusing them of conducting espionage on behalf of the Chinese government.
"We don't want their [Huawei] equipment in the United States because they spy on us," Trump said in August. "And any country that uses it, we're not going to do anything in terms of sharing intelligence. Huawei is a disaster."
The hardline push has largely earned applause domestically where other Republicans have taken equally hawkish stances on China and the threat it poses to the United States.
Schwartz praised the administration for bringing more attention to the issue, but said the White House has at times lost credibility for treating it as a "trade chit."
"If you're going to treat it as a trade chit – that this is a trade issue, then it's not a national security issue," he said.
The administration "has done a disservice to our position on this because we've continually gone and asked our allies for favors related to this issue … and at the same time pushed them away on these issues as well."
These inconsistencies have caused confusion, he argued.
Painter added, "the tactics that were used… of threatening our allies that we wouldn't share intelligence with them unless they adopted our way of thinking just shoots ourselves in the foot."
NEXT STORY: Mayorkas calls for review of Einstein, CDM