News

The US government has warned agencies about cybersecurity risks for years

The US government has warned various agencies about cybersecurity risks and missed opportunities to improve security since at least 2003.

A massive cyberattack by Russian government-sponsored hackers discovered in December 2020 resulted in deployment of a malicious update to SolarWinds’ Orion software to infect government networks. According to experts, supervisory authorities and information security experts have warned companies and departments about cybersecurity risks and potential dangers for many years.

For example, the Cyberspace Solarium Commission (CSC), set up by Congress to develop a strategy to prevent major cyberattacks, presented a set of recommendations to Congress in March 2020 that included additional security measures to ensure more reliable supply chains. It remains unknown whether these recommendations could have prevented such a sophisticated cyberattack, if they had been implemented earlier.

“The federal government would at least have detected the breach earlier and could mitigate the damage much faster”, – says CSC chairman Mike Gallagher.

Warnings about cybersecurity risks and missed opportunities to improve protection date back to at least 2003. For example, in the same year, the US government offered agencies a free software update management system to track software updates that constantly download their networks and check for vulnerabilities.

“Congress has approved $11 million for a system that has been developed by private contractors. However, there were few people willing to participate, so the program known as Patch Authentication and Dissemination Capability was eventually closed”, – says the report of the Cyberspace Solarium Commission.

Also, in response to the growing number of cyberattacks, the US Department of Homeland Security created the first version of the cybersecurity system known as Einstein to detect potential intrusions into government networks.

Billions of dollars were spent on Einstein, which was considered the equivalent of a surveillance and alarm system in a government agency. For years, the US Audit Office has warned of problems with Einstein, as if forecasting his apparent failure to detect the SolarWinds hack.

In a 2016 report, the agency found that the system was only “partially” in line with its objectives, and made nine recommendations for improving it. But two years later, it turned out that the US Department of Homeland Security “has not taken sufficient steps to ensure successful mitigation of cybersecurity risks in computer systems and networks in the federal and private sectors.”

December 2018 report found that eight recommendations had not been implemented at all.

As a reminder, Security professionals continue to investigate the massive supply chain attack on SolarWinds and its customers and linked Sunburst backdoor with the Kazuar malware.

Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Sending

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to top button