The greatest espionage act in modern memory was launched with an ancient tactic. Elite hackers embedded a digital Trojan horse within routine software updates from an IT supplier named SolarWinds. Instead of conquering the city of Troy, the invaders penetrated the networks of nine U.S. military and civilian government agencies and numerous Fortune 500 companies.
Despite its unprecedented scope and the passage of several months, there is little consensus about how to prevent this type of attack in the future. Meanwhile, hackers are doubling down from espionage to outright sabotage. In an attempted attack just two days before the Super Bowl and 16 miles from Tampa Bay, hackers manipulated the level of sodium hydroxide, a caustic chemical, by 1,000% at a water treatment plant in Oldsmar, Fla.
Fortunately, Congress has stepped into the breach. Just weeks after the SolarWinds hack was disclosed, the Senate and the House overrode former President Trump’s veto and approved the 2021 National Defense Authorization Act. For the first time, the White House will now have a Senate-confirmed national cyber director. The creation of this role was one of the signature recommendations of the bipartisan Cyberspace Solarium Commission, chaired by Sen. Angus King and Rep. Mike Gallagher.
As the role is both critical and brand-new, the Biden administration is wisely taking time to define its scope of authority and consider possible candidates. To succeed, the national cyber director will need to be empowered by the President—the title and even cabinet designation alone are not enough. In government as in corporate life, leadership roles that do not have direct, operational authority require the clear support of their principal and deft collaboration skills.
If cyber now poses a national security threat tantamount to the risk of terrorism following 9/11, the dynamic between former President George W. Bush and Tom Ridge offers important lessons. Less than a month after 9/11, Bush appointed Ridge, then governor of Pennsylvania, as the first-ever director of the newly created Department of Homeland Security within the White House. With the trust and unflinching support of the President, Ridge was able to carry out his mandate to develop “a comprehensive national strategy to secure the U.S. from terrorist threats.”
In like fashion, the new national cyber director will be responsible for crafting a national cyber strategy as well as driving more consistency across civilian government networks. If disaster strikes, the director will serve as the point person in coordinating the government’s nonmilitary response.
While that process is unfolding within the federal government, business leaders across virtually every industry need to step up to support these efforts. As Anne Neuberger, the deputy national security adviser for cyber and emerging technology, recently stated: “In the United States, the way we’re structured, public-private partnership has to be a core part of our national cyber defense.” Indeed, 80% of critical infrastructure in this country, including nuclear plants, the electric grid, telecommunication networks, and transportation systems, is owned or operated by the private sector.
The first step is remediation. The approximately 100 companies that were compromised in the SolarWinds hack, and scores of others, need to comb through their IT environments searching for evidence of intrusion or anomalies. Since legions of hackers were allegedly involved and spent many months burrowed in IT networks, the process of identifying hidden backdoors and rebuilding compromised systems will likely take even longer.
Second is prevention of future attacks. The tech industry, which was specifically targeted by the SolarWinds hack, needs to help design a more reliable system for developing and distributing software. This is not the first large-scale supply chain attack. In 2017, the NotPetya attack, which was launched using routine software updates from an obscure accounting firm in Ukraine as the attack vector, rapidly cascaded around the world. Nor will it be the last. In just the past year, the volume of supply chain attacks has reportedly increased by over 400%.
The voluntary guidelines currently used by developers did not prevent, or detect, the insertion of malicious code in the SolarWinds build process. Leading software developers should jointly craft a more rigorous set of security standards that, for example, would require the use of physical tokens to insert code and detailed logging at every stage of the build, development, and distribution process. Third-party experts could then audit these protocols.
There is a powerful incentive to do so. A growing chorus, including the Solarium Commission, is calling for the imposition of tort liability on the final assemblers of software for damages that flow from incidents that exploit known and unpatched vulnerabilities.
The SolarWinds virus has laid bare the ways in which an adversary can gain entry into our most critical fortresses. The new chair of the Senate Intelligence Committee, Mark Warner, recently warned that while espionage may have been the focus this time, these tools could be deployed in a destructive manner with grave consequences. To protect our critical infrastructure, the public and private sectors need to link arms as never before to enhance our national cyber resilience.
Peter J. Beshar is general counsel of Marsh & McLennan, the world’s largest risk adviser, and has testified before Congress on cybersecurity multiple times.
Jane Holl Lute was deputy secretary of homeland security from 2009 to 2013 and is on the board of the Center for Internet Security.
More opinion from Fortune:
- Which big companies truly treat their workers well? California aims to keep score
- Why is women’s health still so under-researched?
- Disinformation attacks are spreading. Here are 4 keys to protecting your company
- Biden Gender Policy Council leaders: We must fix the caregiving crisis COVID has created for women
- How “data alchemy” could help businesses make the most of A.I.
