The ongoing “Sunburst” cyber-espionage campaign that resulted in the SolarWinds Orion and Microsoft Exchange breaches represents a strategic failure by the U.S., rather than simple IT inadequacy, according to a report by the Atlantic Council.
The report flags “deficiencies in risk management,” “linchpin cloud technologies” that are difficult to defend, and security policies governing the Federal supply chain that have moved too slowly to keep pace with the changing risk landscape.
“The Sunburst cyber-espionage campaign was a startling reminder of the United States’ collective cyber insecurity and the inadequacy of current US strategy to compete in a dynamic intelligence contest in cyberspace,” the report’s executive summary says. “The compromise of SolarWinds, part of the wider Sunburst campaign, has had enormous consequences, but, as supply-chain attacks go, it was not unprecedented.”
Viewing the Sunburst campaign through the lens of previous supply chain failures, the report emphasizes that it is not an isolated event, and goes on to call the campaign part of a “disturbing trend” in which the United States is failing in an intelligence competition against adversaries because of “technical insecurity, deficient policy response, and a shortfall in strategy.”
“The response to Sunburst must lead to meaningful action from both industry and the policymaking community to improve the defensibility of the technology ecosystem and position the United States and its allies to compete more effectively in this intelligence contest,” the report says.
The SolarWinds Orion hack was first discovered in December 2020, while investigations have indicated some of the breaches took place as far back as March 2020. The attack affected nine Federal agencies and exposed court records, and the price tag for its remediation keeps going up. As of March 15, Federal officials said they were close to remediation for the breach.
The Microsoft Exchange vulnerability was discovered earlier in March, leading officials at the Cybersecurity and Infrastructure Security Agency (CISA) to ask for more resources to combat these supply chain vulnerabilities.
The report emphasizes three lessons from the attack: the campaign was the result of a failure in strategy; the targeting of cloud computing in a supply chain breach marks a significant development; and the United States did not do all it could to limit the harm of the campaign.