The U.S. Government Has Warned Agencies About Cybersecurity Risks For Years

A massive cyberattack by foreign government-sponsored hackers discovered in December 2020 led to attackers installing a malicious update to SolarWinds' Orion software to infect government networks. According to experts, regulatory authorities and information security experts have warned companies and departments about cybersecurity risks and potential dangers for many years. For example, the Cyberspace Solarium Commission (CSC), set up by Congress to develop a strategy to prevent major cyber attacks, presented a set of recommendations to Congress in March 2020 that included additional security measures to ensure more reliable supply chains.

It remains unknown whether these recommendations could have prevented such a sophisticated cyberattack if they had been implemented earlier. But, according to CSC chairman Mike Gallagher, "the federal government would at least have detected the breach earlier and could mitigate the damage much faster."

Warnings about cybersecurity risks and missed opportunities to improve protection date back to at least 2003. For example, in the same year, the US government offered agencies a free software update management system to track software updates that constantly download their networks and check for vulnerabilities. Congress approved $ 11 million for the system, which was developed by private contractors. But there were few willing to participate, so the program known as Patch Authentication and Dissemination Capability was eventually closed.

Also, in response to the growing number of cyberattacks, the US Department of Homeland Security created the first version of the cybersecurity system, known as Einstein (Einstein), to detect potential intrusions into government networks. Billions of dollars were spent on Einstein, which was considered the equivalent of a surveillance and alarm system in a government agency.

For years, the US Audit Office has warned of problems with Einstein, as if heralding his apparent failure to detect the SolarWinds hack. In a 2016 report, the agency found that the system was only “partially” in line with its objectives and made nine recommendations for improving it. But two years later, it turned out that the US Department of Homeland Security "had not taken sufficient steps to ensure successful mitigation of cybersecurity risks in computer systems and networks in the federal and private sectors." A December 2018 report found that eight recommendations had not been implemented at all.

Previous Post Next Post