As the cybersecurity community slowly recovers from the SolarWinds Orion breach, we speak to Michael Bahar, a leader in cybersecurity and privacy, about the aftermath of this attack. Bahar is a partner in the Washington D.C. office of Eversheds Sutherland (U.S.) LLP, and the firm’s Litigation practice. He was Deputy Legal Advisor to the National Security Council at the White House, former Minority Staff Director and General Counsel for the U.S. House Intelligence Committee, and a former Active Duty Navy JAG.
Security magazine: Let’s discuss the aftermath of the SolarWinds Orion breach. Is this one of the most successful cyber campaigns against the U.S. government and corporate systems?
Bahar: The attack has been extensive; but its full impact and magnitude is still unknown. I am not sure we can even call it the “aftermath” yet. We are still very much in its midst. We also have to be prepared that other successful breaches have occurred contemporaneously with the SolarWinds hack, either as part of a multi-pronged intelligence-collection campaign, or as opportunistic assaults.
Security magazine: Should this security breach be a catalyst to rethink federal cybersecurity?
Bahar: It is less about rethinking federal cybersecurity and more about doing what has long ago been identified as necessary— upgrading systems, ensuring better supply chain security and requiring third party cybersecurity standards in federal contracting. In addition, making sure there is an engagement of meaningful public-private information sharing, and imposing increased costs on attackers and would be attackers. Centralizing cybersecurity leadership within the White House is also critical, particularly as one of the keys to cyber defense is closing seams, coordinating responses, as well as remaining agile and ahead of the curve.
Security magazine: In your opinion, what are some of the lessons learned in regards to supply chain security?
Bahar: So often I hear that it is the Government’s responsibility to defend the country against cyber threats; but one thing we have learned is that, not unlike a pandemic, it is only through a shared public, private and individual effort that we can be secure. Supply chain hacks are the latest variation on a consistent cyber theme: we are only as strong as our weakest link. Put another way, if you can’t get through the front gates of the castle, and you can’t get through the back gate, you will try hitching a ride on something that can. We need to recognize that fact, and the Government should lead an all-of-nation and international effort to improve cybersecurity from the top down, from the ground up, and across the globe.
Security magazine: What does the Biden administration need to focus on to address potential red flags and cybersecurity preparedness, and to avoid similar incidents?
Bahar: The Administration is already off to a great start in elevating the role of cybersecurity. They have appointed and are nominating immensely accomplished individuals to lead, including within the White House, at the Departments of Homeland Security and Defense, the Director of National Intelligence, and the Director and Deputy Director of the CIA. But, cybersecurity requires an all-of-nation approach, not just an all-of-government approach, as well as international coordination. So, I think the Government needs to incentivize and encourage greater cyber hygiene and preparedness within the private sector and engage in closer collaboration with allies and partners. We also need to make clear— and at times demonstrate— our willingness to impose strong costs on those who engage in cyber operations against us.