By: Yasmin Hayre
FireEye, a $3.5 billion company that helps its customers respond to sophisticated cyberattacks, was attacked itself when its software was breached and its data was infiltrated by a nation with “top-tier offensive capabilities.” FireEye reacted quickly – the company discovered the breach, disclosed of it to the proper authorities, brought in experts to help with the investigation, and provided their customers with information on how to detect and block the attack. The current recourse and response however, is just a band aid and ultimately, the Biden Administration needs to coordinate not only with FireEye, but other prominent cybersecurity firms to develop a federal disclosure law that would require all companies to report the existence and extent of any breach. While other possible solutions exist to combat unlawful and offensive cyberattacks, it is the job of both private companies and the government to fend off such attacks.
FireEye, one of the world’s top cybersecurity firms, is usually the one who gets called on to investigate when governments or companies around the world get hacked. On December 8, 2020, however, the tables turned when the company announced that it suffered a major breach and its software had been compromised. This was one of the biggest breaches in United States cybersecurity history, with multiple United States agencies having been successfully targeted, including the departments of State, Treasury, Commerce, Energy and Homeland Security, the National Institutes of Health, and major technology companies like Microsoft.
The hack did not receive as much attention as it truly deserved, namely because it happened right after the presidential election, but served as a loud wake-up call that the United States was ill-prepared for a compromise of this scale. Now, there is a call for government and company collaboration in response to the attack with the hope that the Biden Administration does not treat federal cybersecurity efforts as just one more partisan battleground. More importantly, there is a call from cybersecurity experts and advocates to adopt a proposed federal disclosure law, as well as a federal privacy law, as potential solutions to one of the most devastating compromises in federal history.
At the time of the attack, America’s attention – including the United States government, the security people within the government, and FireEye’s – was preoccupied with and focused on securing the presidential election system. It was nothing short of an ideal moment for the attack to occur; the nation’s public and private intelligence systems were seeking out breaches of voter registration systems or voting machines, and thus, as one reporter who focuses on cybersecurity investigations noted, “you couldn’t have picked a better time to launch a massive spying attack on the government.” The attack on the California-based company was quickly traced back to a March 2020 update from SolarWinds, a Texas-based company that makes IT management software.
The hackers embedded malicious code into an update of a software platform, Orion, and disguised it as a software update. Approximately 18,000 SolarWinds customers installed the tainted update onto their systems, resulting in what is known as a supply-chain attack, “one of the scariest [and most alarming] kinds of attacks.” As to who was responsible for the highly-sophisticated attack, FireEye CEO, Kevin Mandia, believes it was a “state-sponsored attack” by a nation with “top-tier offensive capabilities.” While FireEye themselves never specified who they believed to be responsible for the attack, media reports ultimately linked the breach to Russia and its intelligence services. Russia’s National Association for International Information Security however, claimed that there was no evidence its hackers were responsible for the attacks.
“Security firms have been a frequent target for nation-states and hackers, in part because their tools maintain a deep level of access to corporate and government clients all over the world.” In fact, federal agencies do not have the best track record for protecting data over the past five years. There has been “an embarrassing string of hacks, from the China-linked compromise of the Office of Personnel Management in 2015 (which, among other things, leaked the fingerprints of every federal employee) to a string of hacks at the State Department”, to name just two major lapses.
As a nation that has however just had “potentially one of the most successful cyberespionage campaigns ever done on it”, it is critical now more than ever to adopt some doctrine or federal law to combat, and ultimately deal with, such attacks and breaches. “Trump took office actively denying the role of Russian active measures in the 2016 election, despite an unusually definitive attribution by US intelligence agencies”, but now, with both houses of Congress being from the same party, federal cybersecurity efforts can hopefully be treated with compromise and cooperation between the government and cybersecurity companies.
By making this a priority, the Biden Administration and Congress can create a federal disclosure law and/or a federal privacy law plan, which has never happened before. While it may take years to learn the depth of the damage, the government should organize its response to the intrusion with top cybersecurity protection officials.
Ultimately, the breach attack proved first and foremost that anyone can be hacked. It also, more importantly, “demonstrated the heightened level of vulnerability of the United States.” The attack raised multiple questions including “how to respond to such a massive attack and what is the responsibility of the private sector when it comes to national security?” It also led many to call for federal laws regarding cybersecurity to be created and enforced, and some, like Microsoft’s President, Brad Smith, even called for an international agreement prohibiting attacks on healthcare institutions and other civilian infrastructures.
The attack on FireEye was a wake-up call; “it is not fair to expect private companies, no matter how large, to fend off entire nation-states. The job of the US government should be to defend private enterprise from other countries.” When it comes to such attacks, the hackers only need to get it right once in order to be successful, but the government and companies, like FireEye, need to get their protections – and if that fails, their response – right every time.
Student Bio: Yasmin Hayre is currently a second-year law student at Suffolk University Law School and a Staff Member on the Journal of High Technology Law. Prior to law school, Yasmin received a Bachelor of Arts Degree in Biology and Education from Bowdoin College.
Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.