The reported cyber breach through an IT contractor’s software used by the military highlights the risks the Department of Defense takes when it increasingly must rely on third-party vendors for digital services.
As civilian agencies disconnected Monday from SolarWinds’ Orion platform under government orders, the Department of Defense declined to comment on whether its systems are among those across several government agencies reportedly accessed by hackers affiliated with Russia’s foreign intelligence agency. SolarWinds counts all five military services, the Pentagon and the National Security Agency among its clientele for the network management platform, and said Monday in a Securities and Exchange Commission filing that the hack between March and June affected 18,000 customers — both government agencies and businesses.
With agencies just now unplugging from the platform, the extended time that hackers potentially had access to government emails and other information particularly alarmed experts.
“This is just the price that the Department of Defense, the intelligence community and the U.S. government, writ large, are going to pay over and over for their continued and increasing reliance on, at its core, code that someone else wrote and tested on their network” (as opposed to code that they wrote and they tested), said Philip Reiner, CEO of the Institute for Security and Technology, who also formerly served at DoD and on the National Security Council.
“As the Department of Defense continues to expand its trust in third-party products and services, because it has no choice, really, this will only get worse. Trust is a transitive property, and threat actors know this, which is why they take advantage of it.”
The Navy and Army referred questions to the Department of Defense, which declined to comment. A spokesperson for the chief information officer of the Air Force did not respond right away to a request for comment.
A U.S. Cyber Command spokesperson said the command is assessing the issue. “U.S. Cyber Command is postured for swift action should any defense networks be compromised. We are in close coordination with our interagency, coalition, industry and academic partners to assess and mitigate this issue.”
Reuters, which first reported the breach, identified the departments of Commerce, Treasury and Homeland Security as agencies that hackers infiltrated. The Washington Post reported that the group behind the intrusions was APT29, which is associated with the SVR, Russia’s foreign intelligence agency.
Reuters reported that the breach was severe enough for the National Security Council to call an emergency meeting. The Wall Street Journal reported Monday that “national security agencies and defense contractors” were among the breached organizations. FireEye, a cybersecurity company with significant federal contracts, announced last week that hackers broke into its servers, which the Washington Post attributed to the same Russian outfit.