U.S. cyber defenses improved and lessons learned from SolarWinds hack

The Cybersecurity and Infrastructure Security Agency (CISA) announced in December 2024 that it has made large-scale upgrades to federal cyber defenses since the 2020 SolarWinds hacking attack by Russian-linked forces. AFP/GETTY IMAGES

THE WATCH STAFF

A top official at the federal Cybersecurity and Infrastructure Security Agency (CISA) told cybersecurity professionals in December 2024 that technological and logistical upgrades over the past four years have eliminated the weaknesses exploited by Russian-linked hackers during the SolarWinds cyberattack.

Jeff Greene, CISA’s executive assistant director for cybersecurity, told attendees at a cybersecurity conference that his agency can now detect state-sponsored hacking in real time after improvements led to better integration among federal agencies, related computer networks and millions of individual devices.

The strengthening of the United States’ cyber defenses was sparked by the Russian-linked hacking operation, which began in 2019 with the infiltration of a Texas-based network management company named SolarWinds. From there, hackers breached Microsoft’s defenses and eventually infected 18,000 customers who had received a malware-laden update. Of those, the hackers targeted a smaller subset of high-value customers, including the federal government, to exploit for the “primary purpose of espionage,” according to a 2021 U.S. Government Accountability Office report. “The cybersecurity breach of SolarWinds’ software is one of the most widespread and sophisticated hacking campaigns ever conducted against the federal government and private sector.”

The reforms generated by the hacking incident have tightened U.S. cyber defenses, Greene said. In November 2020, when the breach was detected, it revealed a lack of integration across the vast system of federal computer networks. “What we saw during the after action [reviews] was agencies were seeing events that were part of the campaign, but the government didn’t have enough data, and they didn’t have the visibility across agencies to correlate, to put it together and see that this was happening,” Greene said, according to the Federal News Network.

The federal government enacted sweeping reforms following a 2021 executive order, and the resulting work has led to vast improvements, Greene said. Those steps included CISA working with agencies to expand cross-government visibility into potential cyber incidents by expanding the data tracked under CISA’s Continuous Diagnostics and Mitigation (CDM) program. Agencies also expanded their logging data and moved toward a centralized Endpoint Detection and Response (EDR) capability. CISA can now “see” more than 5 million devices across 94 agencies through the CDM dashboard, including processor models, firmware and software versions, the Federal News Network reported. The EDR upgrade is expected to be done by the end of 2024. The improvements also enabled access to more than 400,000 logs across federal agencies and give CISA the ability to monitor the logs and access the networks quickly, Greene said.

“We do incident response now with federal agencies in a matter of minutes or hours, not days or weeks,” Greene said. “We’re not shipping people across the country. We’re not waiting for logs to come back. We are supplementing what the agencies can detect on their own networks, bringing our own expertise and knowledge from that visibility across agencies, and then what we have learned sitting in that place where we can see the breadth of it.”
