White House activates cyber emergency response under Obama-era directive

In the wake of the SolarWinds breach, the National Security Council has activated an emergency cybersecurity process that is intended to help the government plan its response and recovery efforts, according to White House officials and other sources.

The move is a sign of just how seriously the Trump administration is taking the foreign espionage operation, former NSC officials told CyberScoop.

The action is rooted in a presidential directive issued during the Obama administration known as PPD-41, which establishes a Cyber Unified Coordination Group (UCG) that is intended to help the U.S. government coordinate multiple agencies’ responses to the significant hacking incident.

The UCG is generally led by the Department of Justice — through the FBI and the National Cyber Investigative Joint Task Force — as well as the Office of the Director of National Intelligence and the Department of Homeland Security.

“This cyberattack is the exact type of threat I worried about when I was at the White House — a nation-state threat that infects the software supply chain, and now it’s here and it’s affecting not just the U.S. government but some of its most sensitive interests, as well as private-sector organizations,” Anthony J. Ferrante, a former Director for Cyber Incident Response at the NSC, told CyberScoop.

The UCG has been used on multiple occasions during the Trump administration since January 2017, according to a source familiar with the process, but activation of the group is rarely publicly acknowledged.

The SolarWinds breach — in which suspected Russia-backed hackers concealed malware in software updates by SolarWinds, a company that serves U.S. government and private sector entities — has reportedly compromised targets in the National Institutes of Health and the Departments of Commerce, Treasury, Defense, State and Homeland Security.

The breach is still being investigated. But the early signs indicate the reach of the stealthy supply-chain attack will have substantial aftershocks; SolarWinds claims to have 300,000 customers, including the National Security Agency, all five branches of the U.S. military, and entities in the health, technology, telecommunications, media and finance sectors.

The UCG will likely be trying to mitigate the threat and assess the damage as more victims emerge, says Michael Daniel, who previously served as cybersecurity coordinator during the Obama administration.

“This set of activities involved long-term planning, significant resources, and lots of patience. The precise, careful tradecraft and attention to detail reveal both technical and organizational sophistication,” said Daniel, who now serves as the president and CEO of the Cyber Threat Alliance. “Since the incident affects a large number of Federal agencies, using the PPD-41 framework to manage the response makes sense. … The U.S. government needs to understand the extent of the intrusion, the scope of the information potentially obtained, and the possible damage from that theft.”

Federal agencies, representatives from the private sector and international partners may participate in the UCG meetings, which can be used to share intelligence about the incident, the adversary’s hacking methods and plan efforts to degrade the adversaries’ capabilities.

All eyes on the NSC

In another signal the White House is taking SolarWinds seriously, President Donald Trump’s national security adviser, Robert O’Brien, cut short a trip to Europe in order to return to “address the hacking incident,” an NSC spokesperson said Tuesday. O’Brien planned to hold NSC meetings on Tuesday evening and Wednesday morning, and will hold a high-level interagency meeting later this week, NSC spokesman John Ullyot told CyberScoop.

Meetings about the supply chain hack in another NSC hacking incident forum, known as the Cyber Response Group (CRG), have been focused on technical indicators and identifying which entities might be compromised, according to a U.S. official.

“There’s no internal jockeying back and forth right now. Everybody’s coming to the table right now, identifying lines of effort and who the leads are going to be,” a U.S. official who attended the Monday CRG meeting told CyberScoop. “Everyone is focusing on: Here are the technical indicators. Here are the things you should be looking for.” 

The CRG generally includes senior representatives from the CIA, NSA, Secret Service, and Departments of Treasury, Commerce, Justice, Defense, State, Energy and Homeland Security, as well as the Secret Service.

No one left unscathed

While the FBI and the Pentagon’s Cyber Command are still investigating the breaches, questions are bubbling up over how the suspected Russian hackers were able to slip past U.S. counterintelligence and defensive cybersecurity operations that are purportedly well-poised to track and protect against these kinds of campaigns.

“Establishing the UCG is significant, as it reflects that this cyberattack is a major concern with potential global ramifications. But we have to evaluate how we got here in 2020,” said Ferrante, who now works as the Global Head of Cybersecurity at FTI Consulting. “We were given so much confidence going into the presidential election that the U.S. government had insight into what nation-states might do, but does this attack suggest that we didn’t actually know everything? Did we take our eyes off the ball?”

The fact that there is a UCG, by definition, means “this is a significant cyber incident” and “this is a wake up call, not only for the U.S. government but also for industry,” says Megan Stifel, who formerly served on the National Security Council as director for international cyber policy. “For all of the money that has been spent on capabilities in the USG it was a private sector entity that first went public with this information,” said Stifel, who now works at the Global Cyber Alliance. Stifel noted it may be too soon to know if the U.S. government did actually have awareness of the espionage operation.

Cybersecurity firm FireEye, not the U.S. government, first uncovered the breach because FireEye was also hacked by the suspected Russian actors.

The hackers responsible for the infiltration of SolarWinds are some of the most capable hackers FireEye says it has ever observed — but it’s alarming that the U.S. government’s sprawling intelligence and national security apparatus was not alert to the espionage operation before. The issue lies in how the federal government structures its cybersecurity ranks, says Mark Montgomery, a senior adviser to the Cyberspace Solarium Commission.

“The federal government is not currently organized to successfully defend itself, or the nation’s critical infrastructure, from threats in cyberspace,” said Montgomery, who used to serve on the NSC. Montgomery added there are several reforms that could bolster the nation’s ability to prevent these kinds of hacks from occurring in the future.

The first order of business would be to slate someone into a new Senate-confirmed National Cyber Director (NCD) role to manage defensive cybersecurity efforts across the federal government, Montgomery says. In recent days Congress signaled establishing the NCD role is a priority.

“[O]ther specific recommendations that would have been useful in preventing this hack include authorizing CISA to threat hunt on the .gov — looking for malicious software; increasing CISA’s capacity to respond with more Hunt and Incident Response Teams (HIRT), and improving threat information sharing, both within the federal government and between the federal government and the private sector,” said Montgomery, a senior fellow at the Foundation for Defense of Democracies.

Generally, the UCG is also intended to help the U.S. government coordinate responses to congressional inquiries, which are already starting to accumulate. Sen. Ron Wyden, D-Ore., says he has requested more information from the U.S. government about its issues securing the government against foreign hackers. Wyden and Sen. Sherrod Brown, D-Ohio, wrote Tuesday to the Treasury Department for more information about its response.

Sean Lyngaas contributed to this story.