As new fallout and revelations emerge from the massive SolarWinds hacking campaign that hit multiple U.S. agencies, a barrage of other online threats is likely to challenge President Biden’s pledge to boost cybersecurity.
The SolarWinds breach, which U.S. intelligence officials have linked to Russian hackers, affected as many as 18,000 of the information technology service provider’s customers, including agencies like the Energy Department and Fortune 500 companies. The sweeping cyberespionage campaign was revealed just weeks before Biden took office and quickly changed the incoming administration’s focus.
"Cyberthreats are among the greatest threats to our global security in the 21st century," Biden said in a Dec. 22 speech following news that SolarWinds’ Orion software platform had effectively been hijacked by hackers. "I believe we must treat them with the same seriousness of purpose that we treated the threat of other unconventional weapons."
But Biden could face other cybersecurity shocks in his first days in office. With the coronavirus pandemic forcing many to work from home, 2020 introduced new digital risks as people logged in from personal laptops. Meanwhile, "ransomware" attacks have steadily grown in cost and sophistication, according to cybersecurity experts, and more hackers have turned an eye to critical infrastructure networks like those running the electricity grid.
Here are four things to watch for cybersecurity during Biden’s first 100 days in office:
The SolarWinds hack has spotlighted cybersecurity concerns surrounding the vast supply chain for software products.
While the hack had initially been described as a Russia-led compromise of U.S. agencies and companies through SolarWinds products, the federal government may have been breached in more than one way. Officials at the Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security, recently said that almost a third of the campaign’s victims hadn’t used the SolarWinds product thought to be the initial point of access, The Wall Street Journal reported. Russia has denied involvement.
Additionally, China also took advantage of a flaw in a SolarWinds product to infiltrate a federal payroll agency, Reuters reported yesterday, which adds another layer of problems for the new administration to tackle.
The SolarWinds espionage campaign has hit around 10 agencies, intelligence and homeland security officials confirmed, and an untold number of private organizations (Energywire, Jan. 6).
Speaking in a recent Atlantic Council webinar, Sen. Mark Warner (D-Va.), chair of the Senate Intelligence Committee, said that the number of "brand-name players" compromised by the SolarWinds campaign "would surprise the hell out of many of the people watching this."
Warner also warned that when an adversarial nation "brings its A game" against organizations, "chances are, they’re going to be successful. So better cyber hygiene alone is not going to win the battle."
Details are still surfacing around how the hackers infiltrated SolarWinds and the scope of the spying campaign, and experts say it could be months to learn the extent of the damage. Meanwhile, lawmakers have called for additional hearings and reviews over how to prevent the next major hack.
In a blueprint released last month, DOE’s cybersecurity office said the U.S. "energy infrastructure and digital supply chain present a key target for cyber compromise" and that the "frequency and sophistication" of cyberthreats are increasing.
Tobias Whitney, vice president at cybersecurity firm Fortress Information Security and a former senior manager at the North American Electric Reliability Corp., the nonprofit U.S. grid overseer, said that the SolarWinds hacks demonstrate the importance of supply chain cybersecurity.
"All utilities and all energy companies in any critical infrastructure organizations need to make sure that they spend more time understanding [the] interconnected, interrelated nature of their technology supply chain," Whitney said.
Whitney said that in the coming year, the energy industry needs to be more demanding "of the transparency of the software and hardware technologies" bought from outside vendors.
"That’s going to be really important for the ultimate asset owner and operator to have much more visibility into the software and hardware, or microprocessor components of the systems that they use for critical infrastructure," Whitney said.
Key cyber hires
Biden has already tapped former Obama administration officials for several cybersecurity positions, but several high-profile openings remain.
He’s widely expected to nominate Jen Easterly, a former National Security Council member during the Obama administration, for the newly created national cyber director role, which was enacted last year as part of the National Defense Authorization Act. Easterly, who helped establish U.S. Cyber Command, was also the deputy of counterterrorism at the National Security Agency (Energywire, Jan. 25).
The cyber director is a Senate-confirmed position that’s aimed at improving coordination among the White House and federal offices with a hand in U.S. cyberdefense.
Jim Cunningham, executive director of the grid advocacy group Protect Our Power, said the United States "shouldn’t be spending our time — any portion of our time — dealing with turf issues" among various agencies. Any overlap could be minimized by the incoming cyber director, Cunningham said.
"You’re playing the game of whack-a-mole, in some ways, if you don’t have the structure," Cunningham said.
In addition, the cyber director would oversee private-sector partnerships and organize work with state and local governments.
Biden is also poised to pick Robert Silvers, a former DHS official in the Obama administration, to lead CISA. Established as an independent agency under former President Trump, CISA has seen its responsibilities grow as the nation’s top civilian cybersecurity agency, though its budget has stayed between $1.6 billion and $2 billion since its inception. The number of employees at CISA has also declined in recent years, going from a peak of around 3,000 to 2,000 workers, according to the Office of Personnel Management.
Silvers, Easterly and other Biden administration cyber officials could be tasked with carrying out proposals from the congressionally mandated Cyberspace Solarium Commission, which issued about 80 cybersecurity recommendations last year. Some of those action items were included in the NDAA, and their rollout could bring about major changes in cyber policy, from new CISA authorities to an increased focus on public and private partnerships.
Biden has also named Anne Neuberger, the National Security Agency cybersecurity director, to be deputy national security adviser for cybersecurity and technology. The president has also announced Caitlin Durkovich, who formerly served in DHS under President Obama and has extensive grid security experience, as senior director for resilience and response on the National Security Council (Energywire, Jan. 11).
One office that has yet to see a nomination for the top role is the Department of Energy’s cyber arm, the Office of Cybersecurity, Energy Security and Emergency Response (CESER), which is tasked with protecting the grid from physical and cyberthreats. Patricia Hoffman, formerly principal deputy assistant secretary of DOE’s Office of Electricity, was named as acting head of CESER last week (Energywire, Jan. 25). The office has been without a Senate-confirmed assistant secretary since last February, when Karen Evans, the first head of the new office, left the position.
Biden will also have to contend with increased U.S. tensions with China following a yearslong trade war under the Trump administration and long-standing concerns about intellectual property theft and cyberespionage.
Alejandro Mayorkas, who was confirmed as Biden’s secretary of Homeland Security yesterday in a 56-43 Senate vote, could play a role in those disputes as well as DHS’s wider efforts to protect U.S. critical infrastructure, from oil and gas pipelines to nuclear plants.
Tom Kuhn, president of the Edison Electric Institute, which represents U.S. investor-owned utility companies, welcomed Mayorkas’ confirmation in a statement yesterday.
"Protecting critical energy infrastructure from physical and cyber threats and responding to natural disasters are shared responsibilities between the electric power industry and our government partners," Kuhn said. "We look forward to working with Secretary Mayorkas again, as well as with leaders from the Department of Energy and other Administration officials, to enhance security and preparedness in order to ensure the electric power industry remains ready to respond to any and all hazards to the energy grid, which powers our nation’s economy and the American way of life."
Biden may also be faced with heightened hacking threats from Russia and China, both of which have an increased interest in and capability for attacking the grid, according to intelligence officials and cybersecurity experts.
"It’s no secret that China and Russia and other potential nation-state adversaries are improving their own ability to attack the grid, and we need to not only be ready for the capabilities that they currently possess to try to disrupt grid reliability, but anticipate the threats to come," said Paul Stockton, former assistant secretary of Defense for homeland defense and co-chair of the newly formed Grid Resilience for National Security Subcommittee at DOE.
The subcommittee is part of the agency’s Electricity Advisory Committee, which is made up of industry leaders who advise DOE on a variety of electric reliability, security and policy issues. The committee is meeting virtually today and tomorrow to discuss recent renewable electricity policy changes at the Federal Energy Regulatory Commission and the impact of the SolarWinds breach, among other topics.
One risk, Stockton said, is China’s growing ability to use artificial intelligence to map out the U.S. bulk power system as well as electricity distribution networks.
"That kind of mapping — intelligent mapping and attack planning — becomes a much bigger problem than it’s ever been before," Stockton said.
Increased tensions with Russia could potentially bring retaliation against U.S. infrastructure like the power grid, Washington-based research firm ClearView Energy Partners LLC warned in a recent note to clients.
"Cyber-escalation vis-à-vis Russia could potentially draw retaliation against U.S. infrastructure, including energy assets," ClearView analysts wrote.
Biden has publicly taken a harder line with Moscow compared with his predecessor in the Oval Office.
In the first call between Biden and Russian President Vladimir Putin, Biden voiced his concern about Moscow’s alleged involvement in the SolarWinds hack and interference in the 2020 election. Biden has previously stressed that whoever was behind the cyberespionage campaign will face "substantial costs," and White House chief of staff Ron Klain said recently that retaliation could move beyond sanctions.
"It’s also things we can do to degrade the capacity of foreign actors to repeat this sort of attack," Klain said on CBS’s "Face the Nation" in December.
Another coming concern is protecting so-called defense-critical grids, said Stockton, referring to those that provide power to key U.S. military sites.
Bolstering defense-critical grids should be a top priority of the new administration, he added.
One of Biden’s first significant cybersecurity actions was to pause a Trump executive order aimed at protecting defense-critical grids (Energywire, Jan. 26).
The May 1 order was aimed at banning certain utilities from buying grid equipment from nations that present a national security risk — specifically China.
Biden’s decision to suspend the order for 90 days and instruct DOE and the Office of Management and Budget to consider a replacement met with mixed reactions.
Scott Aaronson, vice president for security and preparedness at EEI, praised Biden’s order, saying the move provides more time to get new DOE officials up to speed.
Grid security advocate Michael Mabee said he was "very concerned" that the order was suspended.
"The electric utility industry, as well as the regulators FERC and NERC have been behind the eight ball on supply chain cybersecurity for years," Mabee said in an email. "And this is a position the United States can’t afford to be in. Now is not the time to suspend supply chain cybersecurity measures."
While it’s not yet clear what direction the Biden administration will take, Stockton said the move is "timely and valuable."
"As the implementation began of the executive order, it became clear that some of the components of the order were going to be problematic," Stockton said.
One of the initial concerns following the May 1 order was that some power industry executives were being left out of the loop. The concerns prompted Sens. Joe Manchin (D-W.Va.) and Jim Risch (R-Idaho) to ask DOE to "engage with the developers and providers of bulk power system equipment" (Energywire, July 17, 2020).
Clean energy push
Biden has pledged to zero out electricity-sector carbon emissions by 2035, and renewable energy companies are poised to be a major force with the new administration.
But the president’s focus on clean energy also comes with new threats to the grid, and renewable power developers don’t appear to be placing cybersecurity at the forefront, some cybersecurity experts say (Energywire, Dec. 22, 2020).
"Oftentimes, when companies rapidly pivot to new technologies, cybersecurity is late to the game," said Jim Guinn, global managing director for cybersecurity in energy, chemicals, utilities and mining at Accenture. "Moreover, many of these new and possibly untested technologies appear to have largely unaddressed cybersecurity needs."
Additionally, the distributed nature of resources like wind turbines and solar panels — as well as the lack of cybersecurity standards created specifically for clean energy — poses serious security issues, Guinn said.
DOE’s National Renewable Energy Laboratory recently launched a cybersecurity program office aimed at developing technologies to help secure the modern grid.
The complexity of electric power networks is only going to increase due to the rise of renewable energy resources, said Stockton, and ensuring grid reliability requires new technologies that are within reach but "constitute an overall grid design challenge of staggering complexity and importance."
"We often say the power grid is the most complex machine on the planet," Stockton said. "That degree of complexity is poised to grow because of the challenges that we will meet in maintaining grid reliability."