Fortune - USA (2021-02 & 2021-03)

WHAT COMES NEXT: CYBERSECURITY

ered via a “supply-chain attack” that was fiendishly hard to detect. Once attackers compromised SolarWinds and inserted spyware in a trusted “patch,” or update, it became nearly invisible to routine cyberdefense measures. This vulnerability is especially dangerous because, in part for the sake of cost savings, most software reuses a variety of third-party components, such as open-source code. One compromised component can become a foothold for attackers to access or corrupt other systems, potentially turning it into a backdoor master key to any software built using it. Yet there is no widely accepted standard for tracking or reporting what components and interactions make up a piece of software, much less any regulation requiring such tracking. In the SolarWinds attack, this may have added obstacles, as thousands of private and government customers scrambled to understand the threat posed by the corrupted Orion patch.

There is growing awareness that effective cybersecurity must be built into software and networks from the ground up, including through “zero-trust” software that would limit hackers’ movement between systems. But there’s little market incentive to build software that is so robust, and governments don’t have much leverage to require it. “You see an increasing reliance on commercial and even off-the-shelf technology in even very high-end [government] system spaces,” says Eric Wenger, a tech-

SHORTLY BEFORE the SolarWinds hacking revelation, Trump ousted Chris Krebs, founding director of the Cybersecurity and Infrastructure Security Agency, or CISA, the agency that serves as the government’s primary cyber-focused interface with private industry. Krebs, a veteran of Microsoft, had earned plaudits for building CISA, and for his role in keeping the 2020 elections free of foreign interference. He lost his job in a dispute over the President’s baseless election fraud allegations. The two-year-old CISA was already fighting to be “invited to the adult table in intelligence discussions,” says Kiersten Todt, managing director of the nonprofit Cyber Readiness Institute. Krebs’s dismissal would further handicap the agency most responsible for helping companies recover from hacks. (Krebs has since been hired by SolarWinds to help the company with its unenviable attempt to bounce back from its eponymous hack.)

But even as it absorbs its loss, CISA has gained new powers under the NDAA. For one, the agency got clearance to create a “cyber planning office” that will more closely and proactively coordinate with the private sector. That includes creating playbooks for how to respond to big hacks, putting in place economic continuity plans, and running tabletop exercises with corporations on code red situations. Such exercises would help big companies and cybersecurity firms plan for, say, what to do if Iran hacks a utility to poison local water supplies, the Kremlin causes citywide blackouts, or China fries our roughly three-dozen GPS satellites. “Bodies like CISA matter because they’re trying to develop the philosophies and the methodologies and practices that we need to share” to increase our collective defenses, says Vasu Jakkal, Microsoft’s chief security marketer.

The NDAA boosts the authority of CISA in other ways as well. Crucially, CISA will be permitted to hunt down threats on federal networks, where who knows how many hackers are crawling. The SolarWinds hack ought to be viewed “as a long-term penetration of our most valuable networks,” says Dmitri Alperovitch, founder of Silverado Policy Accelerator, a security-focused think tank. Staffing up a squad of top-notch search-and-destroyers “is something they need to start leveraging literally on day one,” says Alperovitch, also a cofounder and former tech chief of the cybersecurity company CrowdStrike.

Word is that Biden intends to tap Rob Silvers, a former Obama official who helped negotiate a major trade-secret–stealing truce with China in 2015, as CISA’s new leader. If he’s confirmed, he’ll be a close partner to the national cyber director.


1. STRENGTHENING CISA, THE WHITE HOUSE’S LIAISON TO BUSINESS

ANNE NEUBERGER, a veteran of the National Security Agency, is the top cybersecurity expert in President Biden’s inner circle.

PHILLIP FARAONE—GETTY IMAGES
