SolarWinds hack blights the Trump administration's cybersecurity record

The consequences of the SolarWinds Orion hack are far from clear, but analysts and lawmakers say that officials at CISA and NSA made notable strides to improve the government's cybersecurity posture.

Trump pauses at a 2018 rally. (Photo credit: Evan El-Amin/ Shutterstock.com)

The SolarWinds hack, first detected in December 2020, colors any assessment of the cybersecurity legacy of the administration of President Donald Trump. During Trump's last days in office, as the president pressed to overturn the results of the November election, the federal government scrambled to contain the fallout from an ongoing intelligence operation believed to be the worst intrusion in the country's history.

Trump's critics have roundly pointed to the hack as a climax of an administration that has not taken cybersecurity seriously.

"This assault happened on Donald Trump's watch when he wasn't watching," President-elect Joe Biden said during a December press conference. "The Trump administration failed to prioritize cybersecurity."

Trump declined to support the intelligence community's attribution of the hack to Russia, and suggested via Twitter – the social network from which he's now permanently banned – that China might have had a hand in the breach.

Trump's dismissal of the attribution in the SolarWinds breach echoed his comments in a 2016 debate with rival Hillary Clinton, in which Trump downplayed the possibility that Russia was behind the hack of the Democratic National Committee.

"I mean, it could be Russia, but it could also be China. It could also be lots of other people," Trump said. "It also could be somebody sitting on their bed that weighs 400 pounds, okay."

Analysts and lawmakers told FCW – in an article reported before the Jan. 6 insurrection at the U.S. Capitol – that the Trump administration's legacy on cybersecurity is more complicated than a single hack. While leadership (and subject matter knowledge) at the top was lacking, people such as Chris Krebs, Gen. Paul Nakasone and others have improved the federal government's cybersecurity posture.

"It's a mixed report on the successes under the Trump administration," said Rep. Jim Langevin (D-R.I.), who is active on cybersecurity issues in the House of Representatives.

CISA launches

The Cybersecurity and Infrastructure Security Agency is one of the newest agencies within the federal government, formally created by legislation signed by Trump in 2018. But its role in the 2020 elections brought it to national prominence in the months leading up to Nov. 3.

Since the Democratic National Committee's systems were compromised in 2016, questions of election security have become synonymous with cybersecurity. This in turn made CISA the go-to agency for states requiring assistance. CISA's part in doing that has won it bipartisan praise.

Sen. Angus King (I-Maine) characterized the agency as "an extraordinary success story" in part because of CISA's ability to gain the states' trust.

"I recall sitting in hearings with [state election officials] back in 2017 and they were very resistant to federal involvement in elections. They were almost hostile," he told FCW.

The agency's first director, Chris Krebs, a former Microsoft executive and senior DHS official who headed CISA's predecessor agency, became equally synonymous with the agency's success. "Chris Krebs and CISA overcame that" resistance, King said.

Rep. Michael Gallagher (R-Wis.), when asked about the administration's cybersecurity legacy, said, "I think what's gone right has been CISA in general and Chris Krebs in particular."

Ari Schwartz, a cybersecurity official at the National Security Council during the Obama administration, said CISA brought new credibility to DHS.

"DHS had lacked credibility for years and years and one thing you can say about what Chris Krebs has done is he certainly has got a lot more credibility for CISA as a cybersecurity institution than what the pieces of it had," Schwartz said.

Trump's decision to fire the CISA chief after the Nov. 3 election prompted bipartisan rebukes.

But CISA's responsibility extends beyond election security. It has also become an authority for programs within the government designed to improve cybersecurity.

Easing out legacy policy

Margie Graves, the former deputy federal CIO, who left her post at the White House's Office of Management and Budget in December 2019, said the administration has also made significant progress on programs such as the Trusted Internet Connection.

TIC, originally created in 2007, is designed to monitor incoming and outgoing agency data. Earlier versions of TIC sought to reduce the number of entry and exit points for data.

"It became a different kind of problem to where you had a single point of ingress and egress that was causing operational issues with latency problems," said Graves.

This led to a change in how the government sought to use TIC: provide agencies with the tools to manage their security points rather than directing specific implementation measures.

"It opened up the aperture to allow other tools to be used," said Suzette Kent, the federal chief information officer from January 2018 to June 2020.

"The tools had to be proven to CISA. They had to go through use-case examination. They had to meet the same outcomes … it further helped us advance some of our cloud protocols because we could use more modern tools to achieve that same thing versus running everything through the same pipe," Kent continued.

However, the progress on issues such as TIC, identity, credential and access management and vulnerability disclosure policies was not predicated on partisan support, Graves said.

"The policies that we changed and the accomplishments that we achieved were going to happen because it was the right thing to do," she said.

Those policies and changes "were necessary building blocks and foundational elements of running effective technology, whether you're red or blue didn't make much difference," Graves added. "What did make a difference is any administration – this one or any other – putting their blessing behind certain things getting done."

Graves cited the Modernizing Government Technology Act, which established working capital funds for certain agencies to use on IT projects, as an example.

The legislation was signed by Trump in December 2017 as part of the Fiscal Year 2018 National Defense Authorization Act, but the bill first reached the House floor in 2016. It lost traction in the Senate due to scoring from the non-partisan Congressional Budget Office. Graves and her team spent the first several months of Trump's presidency briefing the new administration on what elements needed political support before the MGT Act became law.

Cybersecurity and national security

As the administration prepared to sign the legislation that would create CISA, John Bolton, Trump's former national security advisor, made headlines when he eliminated the cybersecurity coordinator position resident in the National Security Council.

Bolton viewed the move as a way to get rid of bureaucracy, while critics argued it deprioritized cybersecurity as an issue. The 2021 National Defense Authorization Act effectively counteracts Bolton's decision by establishing a Senate-confirmed position inside the White House as the principal advisor to the president on cybersecurity issues.

"The president – under his administration, he eliminated the cybersecurity coordinator at the White House," Langevin said. The Trump administration also eliminated the "cyber coordinator position at the state department – another big mistake."

Schwartz, the former NSC official, said the coordinator was able to resolve the "total land grab" among agencies declaring their jurisdictions on cybersecurity as a means of boosting their annual budgets.

"The Obama administration spent a lot of time ironing that stuff out and that was the reason this coordinator was needed, because new issues pop up all the time in this space," he said. "You need someone to kind of work those things out at a level that people will listen to."

The new national cyber director, and other recommendations from the congressional Cyber Solarium Commission, garnered bipartisan support.

"The whole purpose of the NSC is to provide coordination among government agencies on issues of national security for the benefit of the president. All these ideas about czars ignore the reality that that's what the NSC process is supposed to help the president do," Bolton told FCW.

When asked to comment on the new role coming under Biden, Bolton said, "That's even worse."

The administration in 2018 also published its National Cyber Strategy, which several lawmakers praised in interviews with FCW, while all issuing a similar critique: it was not comprehensive.

"You had the 2018 strategy, and then you had the DOD strategy, and then you had a lot of the authorities that we unleashed in Congress," said Gallagher, a co-chair of the Solarium Commission. "You [had] three different lines of effort that were all good and generally going in the right now direction, but [they] didn't necessarily talk to each other."

The administration's strategy also did not incorporate the Defense Department's "Defend Forward" initiative, a concept touted by Nakasone, the National Security Agency director and chief of U.S. Cyber Command, that states the U.S. must aggressively pursue adversarial networks as a way to foresee future attacks to domestic entities.

The Washington Post reported in February 2019 that the NSA conducted an operation, led by Nakasone, to shut down the Internet Research Agency, a Russian company believed to be associated with the Kremlin and responsible for attempting to sow discord in U.S. politics, on the day of the 2018 elections.

While the government's offensive cyber operations are rarely discussed publicly, the revelation that the U.S. intelligence community and the Pentagon personally shut down a Kremlin-sponsored entity became a public show of force for how Nakasone could "defend forward." The move was in some ways also a demonstration of the administration's efforts to reduce the bureaucratic decision-making processes that could hamper an offensive operation.

It's not clear whether the Trump administration truly conducted more offensive cyber operations than in previous years, but its public posture suggests it did.

"The public perception is that it's gone up," said Christopher Painter, a former cybersecurity official at the State Department. "There were leaks … on things like the disruption of the Internet Research Agency during the 2018 elections. There were more forward statements by Gen. Nakasone on using all capabilities, so the perception is certainly that it's gone up, but the reality is I'm not sure."

However, if the government wants to deter adversarial attacks from actors such as the Russian intelligence service believed to have breached SolarWinds Orion, then more transparency is required.

"Deterrence I think is still important," Painter said. "For that to work I think you need to be more transparent -- not transparent about individual operations, but basically say we're doing this. Tell the adversary we're doing this [and we] will stop doing this when you stop."

A 'trade chit'

Trump personally has targeted Chinese companies such as Huawei, levying sanctions against them and accusing them of conducting espionage on behalf of the Chinese government.

"We don't want their [Huawei] equipment in the United States because they spy on us," Trump said in August. "And any country that uses it, we're not going to do anything in terms of sharing intelligence. Huawei is a disaster."

The hardline push has largely earned applause domestically where other Republicans have taken equally hawkish stances on China and the threat it poses to the United States.

Schwartz praised the administration for bringing more attention to the issue, but said the White House has at times lost credibility for treating it as a "trade chit."

"If you're going to treat it as a trade chit – that this is a trade issue, then it's not a national security issue," he said.

The administration "has done a disservice to our position on this because we've continually gone and asked our allies for favors related to this issue … and at the same time pushed them away on these issues as well."

These inconsistencies have caused confusion, he argued.

Painter added, "the tactics that were used… of threatening our allies that we wouldn't share intelligence with them unless they adopted our way of thinking just shoots ourselves in the foot."
