The United States federal government and private sector remain uneasy following the SolarWinds impact on global supply chains. As a result of SolarWinds Impact, all bets are off with respect to the previous legislative agenda for cybersecurity. In the new 117th Congress, the relevant committees have yet to weigh in on specific sections of legislation, however, it is clear that cybersecurity will be a major focus across both the House and Senate – and it’s about time.

Introduction

The U.S. capital stands on high alert ahead of Joe Biden’s presidential inauguration on Wednesday, January 20th. Biden-Harris is already planning major policy changes once he formally takes office, including overturning many of President Trump’s most controversial policies.

Following the detection of the SolarWinds impact, the Biden administration has devoted to making cybersecurity a top priority. Mid-January 2021, prior to President-elect Biden’s pending inauguration, the Biden team displayed a commitment to that promise when announcing its’ Rescue Plan calling for roughly $10 billion in cybersecurity spending, including $690 million for CISA* to improve security monitoring and incident response at the agency.

CISA – Cybersecurity and Infrastructure Security Agency

Succeeding Intelligence Chair, Mark Warner (D-VA), announced that he would hold multiple hearings, examining the SolarWinds impact and subsequent plans to re-examine the model of a mandatory national data breach notification law. With respect to mandatory breach reporting requirements, Warner held, “We’re going to need a fulsome review. The fact that the public enterprises don’t even have to fully report to CISA, let alone the private sector where, if the breach doesn’t reach a level of materiality, doesn’t even have to report, needs to be fully reviewed.”

Capitol Siege Riots

Up to this point, it remains uncertain how the mob that broke into the Capitol may have compromised the security of any IT system or hardware.

Authorities say that one thing is certain: There are IT security implications from the events of January 6 that require investigation. As well, mandated changes in how the legislative branch operates, may be necessary.

“If the House were appropriately prepared, which means they had an inventory of all the devices being used for professional purposes and they were able to cross-reference that inventory to determine which devices were missing and then able to wipe those devices clean,” then all damage the mob caused would not have us concerned about the theft of any property, Todt, of the Cybersecurity Institute, asserts.

“Additionally, if every member of Congress and staffer had the appropriate protocols in place about strong passwords, etc., then we shouldn’t have a concern. What I don’t know is if that is actually true.”
Kiersten Todt, Managing Director of the Cybersecurity Institute  

Another point of consideration regarding the SolarWinds impact; CISA, which has a “very lean and scarce workforce that, in May of last year, was responsible for protecting the presidential election, securing government and private infrastructure, and responding to a pandemic,” says Todt.

“While we had success absolutely with the 2020 election, I don’t think we solved the problem. I think what we certainly need to do is to recognize that our election process is the foundation of our democracy, and we have to institutionalize it. I don’t think we can be relying on an all-volunteer workforce.”

Imposed Measures & Steps

In addition to the dramatic expansion of the cybersecurity budget, President-elect Biden has been adding officials with cybersecurity credentials to his administration. Caitlin Durkovich, who had previously served as chief of staff at the National Protection and Programs Directorate, will act as the National Security Council’s senior adviser for resilience and response. Lisa Monaco, former homeland security adviser to Barack Obama, will be deputy attorney general. Politico reported the Biden team wants Anne Neuberger, director of the National Security Agency’s Cybersecurity Directorate, for a deputy national security adviser for cybersecurity, though the transition team has not made any official announcements.

Reprisal

Policymakers are now considering whether or not to retaliate to SolarWinds, and in doing so, they will have to think about how the public will react to their actions. While not retaliating against the Solarwinds impact could set a permissive precedent for state-sponsored cyber espionage, if the US does choose to move forward with retaliation, public reluctance towards the policy could undermine the effectiveness of the U.S. response or even raise questions about the ability to deter future cyber operations.

A retaliatory response, moreover, runs the risk a possible escalation of the crisis, and at a time when U.S. policy is largely focused within. As the United States moves towards developing a more comprehensive policy that could outline when cyber operations do or do not justify a retaliatory response, public attitudes about these questions should remain a point of valid consideration. If you would like to learn more about the Solarwind Impacts, or what Packetlabs can do to protect your organization, please do not hesitate to contact us today!