Federal Agencies Struggling With Supply Chain SecurityAfter SolarWinds Attack, Agencies Are Not Making Security Upgrades, GAO Reports
More than five months after the SolarWinds supply chain attack came to light, federal agencies continue to struggle with supply chain security, according to a Government Accountability Office official who testified at a congressional hearing Tuesday.
The SolarWinds supply chain attack, which sent a Trojanized update of the Orion network monitoring platform to 18,000 users, resulted in follow-on attacks on about nine federal agencies, including the Homeland Security, Treasury and Energy departments, as well as 100 companies. But since the cyberespionage attack, only a handful of executive branch departments have made updates to their security protocols, and none are fully protected against these types of intrusions, Vijay D'Souza, GAO's director of information technology and cybersecurity, testified.
D'Souza was one of several witnesses who testified at a House Committee on Science, Space and Technology subcommittee hearing on the SolarWinds attack and its consequences for federal cybersecurity. The committee's investigation is one of several congressional inquiries into the cyberespionage campaign (see: House SolarWinds Hearing Focuses on Updating Cyber Laws).
"The need for agencies to make risk-based ICT [information and communications technology] supply chain decisions about how to secure their systems is urgent," D'Souza testified. "Recent events, such as the compromise of SolarWinds Orion, highlight the importance of implementing supply chain risk management to protect against threats posed by malicious actors. In the absence of foundational risk management practices, malicious actors may continue to exploit vulnerabilities in the ICT supply chain, causing further disruption to mission operations, harm to individuals or theft of intellectual property."
On May 12, President Joe Biden issued an executive order designed to address many of the cybersecurity issues that came to light as a result of the SolarWinds attack, which was uncovered by security firm FireEye in December 2020.
The order calls for the creation of guidelines for how federal agencies purchase and evaluate third-party software and how software should be developed with security in mind. It also calls for creating a rating system for demonstrating whether software follows new cybersecurity guidelines (see: Biden's Cybersecurity Executive Order: 4 Key Takeaways).
The White House accused Russia's Foreign Intelligence Service, or SVR, of carrying out the SolarWinds supply chain attack and imposed sanctions against Russia (see: US Sanctions Russia Over SolarWinds Attack, Election Meddling).
Supply Chain Security
The GAO released an audit in December 2020 that found 14 of 23 large federal agencies had not implemented any of seven supply chain risk management practices that the agency had previously recommended.
The security recommendations included developing an agencywide supply chain risk management strategy, developing procedures for suppliers to follow and creating a way to identify counterfeit or compromised products and software.
Since that report was released, only six of the 23 agencies have provided the GAO with updates about plans to implement more of the supply chain risk management protections, D'Souza told members of Congress.
"We are currently evaluating evidence provided by these six agencies to determine the extent to which implementation of recommendations has occurred," D'Souza testified. "However, to date, none of the agencies have yet fully addressed recommendations to implement foundational practices in their organizationwide approach to ICT supply chain resource management. We intend to continue monitoring agencies' progress in implementing them."
D'Souza also told lawmakers that the National Institute of Standards and Technology is revising its recommendations for supply chain risk management for federal agencies and plans to publish a final version in April 2022. In the meantime, the GAO is working on a larger report about the SolarWinds supply chain attack and the federal response, which is scheduled to be released in the fall.
Until federal agencies address these supply chain issues, however, D'Souza says their networks will remain vulnerable to the types of intrusions that were found after the SolarWinds attack.
"Agencies face numerous ICT supply chain risks, including threats posed by malicious actors who may exploit vulnerabilities in the supply chain and, thus, compromise the confidentiality, integrity or availability of an organization’s systems and the information they contain," D'Souza said.
In opening remarks at the Tuesday hearing, Rep. Bill Foster, D-Ill., the chairman of the committee, noted that many federal agencies are falling behind on cybersecurity and seem incapable of keeping up with security alerts and recommendation.
He offered the example of agencies failing to follow directives to implement patches to mitigate the risk of Zerologon exploits.
The Cybersecurity and Infrastructure Security Agency "had to issue an emergency order to force agencies to patch or disable affected Windows servers," Foster said. "Meanwhile, it was discovered that the [unpatched vulnerability] was already being exploited in the wild by Iranian and Russian hackers."
Rep. Jay Obernolte, R-Calif., the ranking member of the subcommittee, said Congress needs to do more to ensure federal agencies follow NIST and GAO recommendations for enhancing supply chain security.
"We need to find a better way to conduct oversight of agencies' implementation of this guidance, and agencies must be more accountable for their responsibilities under the Federal Information Security Modernization Act to secure the information and systems for which they are responsible," Obernolte said.