The government’s naming of Russia as the perpetrator of the attack is a “significant step” in its response to the wide-scale hack, said Michael Morgan, a privacy and cybersecurity partner at McDermott Will & Emery LLP in Los Angeles and Silicon Valley.
“It’s a big deal because to actually say it means the U.S. government is pointing the finger at another nation-state actor and imposing consequences on it,” Morgan said. “It’s noteworthy in that that hasn’t happened in all cases where law enforcement has reached a determination and been able to attribute.”
Biden’s Thursday executive order—which restricts the buying of new debt and issues sanctions—comes after Russian election interference and perpetration of the SolarWinds supply chain attack. Revealed late last year, the hack hit U.S. government agencies and companies as it cascaded throughout the software supply chain.
The executive order builds upon work previously done in the private sector related to the attack, said Jennifer Beckage, the Buffalo, N.Y.-based founder of tech, privacy, and cybersecurity law firm Beckage.
“It’s nice to see the government support private-public collaboration to drive this forward,” Beckage said. “It’s more indication from the current administration that cybersecurity is important and will continue to be going forward.”
Supply Chain Warning
The White House said Thursday the compromise of SolarWinds and other companies highlights Russia’s efforts to exploit the software supply chain.
“Those efforts should serve as a warning about the risks of using information and communications technology and services supplied by companies that operate or store user data in Russia or rely on software development or remote technical support by personnel in Russia,” the White House said.
The warning is a reminder for lawyers who advise clients on global data issues to take a hard look at data localization and the use of data centers in Russia, Morgan said.
“With vendor and supplier diligence, that’s going to be something companies are going to have to think about,” he said.
The public warning means companies need to be smart about assessing risk, said Greg Szewczyk, a privacy and cybersecurity partner at Ballard Spahr LLP in Denver. Certain types of data processing connected to Russia might not be secure, so companies need to “assess their practices in light of the new warning,” he said.
Choosing to continue using risky vendors or data processors could impose liability in the event a company is sued, Szewczyk said.
From a software development perspective, the warning will hopefully spur companies to rethink whether they want to use component parts or services from Russian companies, said Linn Freedman, a cybersecurity partner at Robinson & Cole LLP in Providence, R.I.
“Companies need to be doing more due diligence,” Freedman said. “It makes perfect sense to distrust things manufactured or stored in Russia.”
Companies should follow guidance issued in a joint agency advisory also unveiled Thursday, regardless of whether they used SolarWinds software, said Neil Daswani, co-director of Stanford University’s Advanced Security Certification Program.
The advisory lists known vulnerabilities at software companies such as
“The overall big benefit in putting out an advisory like this is that organizations can address those vulnerabilities rather than having agencies privately provide guidance to some organizations at the risk that others might not get it,” Daswani said. “There is of course the downside that by posting that publicly, we give feedback to specific attacker groups that we’re onto which techniques they’re using.”
The supply chain attack has been widely referred to as the SolarWinds hack, but not all affected companies were compromised through that company’s Orion software. Publicly releasing other known vulnerabilities used by Russian nation-state actors could help companies reduce the risk of further infiltration, Daswani said.
The joint advisory, coupled with the executive order, signals a commitment to prevent and mitigate the fallout from such attacks down the line, Freedman said.
“It’s overdue to put responsibility where it lays,” she said. “I’m pleased to see that attribution is now official, and it’s a very positive development that the White House and Biden are taking a very strong position regarding responsibility after years of attacks.”