SENIOR ADMINISTRATION OFFICIAL: Thank you, everyone, for joining us this afternoon. This call is going to be on background, attributed to a “senior administration official.” And the contents of this call will be embargoed until its conclusion.
With that, I’m happy to turn this over to our speaker, [senior administration official]. Over to you.
SENIOR ADMINISTRATION OFFICIAL: Thank you so much. Good afternoon, everyone. It’s good to have the opportunity soon to hear your questions and engage with you.
I want to talk with you about two incidents today: an update on SolarWinds and some information on the Microsoft Exchange hack. And I’ll use the same format that we use as we look at cyber incidents. First, what happened? Why did it happen? And what are we doing about it?
I’ll start with a quick update on SolarWinds. You know what happened and you know why it happened. I’ll give an update on what we’re doing about it.
As we talked about then, three parts. First, finding and expelling the adversary. We’re in week three of a four-week remediation across the federal government. The compromised agencies all were tasked to do a particular set of activities and then were tasked to have an independent review of their work to ensure that we felt confident the adversary had been eradicated.
Most of the agencies have completed that independent review. For those who have not yet, they will complete it by the end of March.
We’ve had regular Deputies meetings here at the White House on this topic — deputy heads of agencies, particularly the nine compromised agencies — and we’ve discussed the methodology throughout. In fact, we standardized the methodology for incident response based upon this. And we also made a decision on the key pieces of part two, which is “Building Back Better to Modernize Federal Defenses.”
As we talked about during a press event a number of weeks ago, we cannot defend a network if we can’t see a network. And in our review of what caused SolarWinds, we saw significant gaps in modernization and in technology of cybersecurity across the federal government.
So we will be rolling out technology to address the specific gaps we identified, beginning with the nine compromised agencies. We want to make the federal government a leader, not a laggard, in cybersecurity. And we know we need to be able to defend against the adversaries who pursue the nation’s diplomatic, law enforcement, and health efforts.
Those will be rolled out in the near term, beginning, as I said, with the nine compromised agencies and then more broadly across the federal government to ensure we have the visibility we need to have trust in our networks, that we can protect the important work the federal government does on behalf of the American people.
We also learned key lessons regarding visibility and market. Today, the cost of insecure technology is borne at the end: by incidence response and cleanup. And we really believe it will cost us a lot less if we build it right at the outset.
And I give two exemplars to help characterize what we want to do here. One is: Mayor Bloomberg, a number of years ago, when he wanted to address restaurant sanitation, he realized, you know, the health department kept rating restaurants, and it just wasn’t changing anything. So he required restaurants to put a simple rating — A, B, C, D — in their front window to make a market — to make a market around health and sanitation.
And we’re looking to do a very similar thing with cyber and the cybersecurity of software companies we buy software from. More to follow on that.
And then, similarly, Singapore has an interesting model where they provide cybersecurity standards for different Internet of Things devices, like baby monitors, so that moms who want to buy secure products have a really easy way to put their money on it. And we don’t have that in the U.S. today; we don’t have that transparency so that people can make a market for cybersecurity.
There will be ideas coming in both of those in an executive action in the next couple of weeks — or in the next few weeks.
And then, finally, the third part of what we’re doing about it is responding to the perpetrators of the attack. You can expect further announcements on that in weeks, not months.
I’ll move now to the Microsoft Exchange hack. First, what happened? Bad actors discovered four vulnerabilities on Microsoft Exchange servers that they exploited. Microsoft has made a patch available the vulnerabilities, but those already infected, they’ll need to remediate in addition to patch.
As you all know, when any critical patch is released, criminal actors immediately begin to reverse-engineer it so they can exploit the underlying vulnerabilities. We’re always in that race. Once they do, they’ll able to copy the attack to deploy ransomware and other potential disruptive attacks on an unpatched server. We really have a short window to get vulnerable servers patched, measured in hours, not days.
The impact and significance: First, the impact overall is both concerning regarding datasets and the concerns we talked about regarding ransomware. The effort is still evolving, as you’ve seen. We put — I’ll get to that in a moment.
So, first, how did this happen? From a “them” and “us” perspective, “them”: Yes, they appear to be sophisticated and capable. But they took advantages of weaknesses that were in that software from its creation. As we talked about a moment ago, insecure software and hardware is a key challenge we face.
And then, on our end: First, lack of domestic visibility. The U.S. government largely does not have visibility into U.S. infrastructure. And many of these actors operate out of U.S. infrastructure. And as we talked about, the “us” part of really needing to start prioritizing security in the way we build and buy software; we can do innovation and security.
I’ve seen certain reporting questions regarding how adversaries are enabled out of U.S. infrastructure, and I want to be clear: We believe the model for the U.S. government in addressing cybersecurity issues involves working closely with the private sector. We’re not looking at additional authorities for any government agencies to do additional monitoring within the U.S. at this time. We are focused on tightening the partnership between the U.S. government and the private sector, who does have visibility into the domestic industry and into private sector networks, to ensure we can rapidly share threat information and we can address the liability barriers and disincentives that disincentivize U.S. companies from both addressing some of these issues and rapidly sharing information when there are incidents.
Back to the key question of what are we doing about the Microsoft Exchange work? We have been working incredibly hard across government and the private sector, across all elements of the U.S. government.
First, we’re leaning forward to alert Americans and convey the seriousness. The National Security Advisor tweeted early and more than once, signaling how important this is. I think this is the first-ever National Security Advisor to tweet on a cybersecurity incident. And tweeting also that insecure software is a threat to national economic security.
Second, securing federal systems and expelling the adversary. We’re leading this directly from the National Security Council. We’ve stood up a Unified Coordination Group, and we’ve done something totally different this time. Under the authority under which the Unified Coordination Group is stood up, it allows for private-sector participation. For the first time, we’ve invited private-sector companies to participate in the Unified Coordination Group because we still believe that public-private partnership is foundational in cybersecurity, and we want to ensure we’re taking every opportunity to include key private sector participants early and directly in our remediation efforts.
I briefed the President earlier in the week. He was very engaged on this topic. He asked a lot of questions on this topic and made clear that he directed that we address cybersecurity vulnerabilities and that we take on this topic with seriousness of purpose.
Finally, we’re working very closely with Microsoft. They’ve released a series of patches to make it easier for people to patch, including those out of support who are not up to date with previous patches.
They also developed and released a tool that customers can use to scan their system to determine if they’ve been compromised, and, if so, to eliminate it. And they messaged repeatedly that everyone with Exchange Server needs to patch and then run the tool to see if they’re compromised. And anyone having problems can call Microsoft customer support for assistance. In addition, we’re actively discussing methods that can be used to more rapidly address the scope and scale of compromise.
And then, finally, as we’ve said, we’re working to really build back better to modernize defenses, thinking through rebooting the approach to software security, rebooting the approach to software security standards, and trying to get to a goal we have: that the level of trust we have in our systems is directly proportional to the visibility we have to their cybersecurity. And the level of that visibility needs to match the consequences if those systems fail.
My ask from all of you is urging your readers to patch their systems, check if they haven’t already been compromised. And we’ll have White House Press forward Microsoft links and additional information directly to you.
And then, finally, I’m just struck by the professionalism of so many of the CIOs and CISOs, and other more technical parts of the federal government I’ve had the privilege of speaking with over the last few weeks. And I’m struck by the cooperative spirit of the private sector. No kidding. These have been some really busy weeks to our industry, and I want to compliment so many of these companies who’ve taken time to jump on calls with us over the weekend, jump on calls to share their insights, to think creatively of how we can do defense at scale, and really think about how we move to a place where the kind of incidents we’re talking about here, and the scope and scale of those incidents, become a thing of the past.
So with that, I’ll pause, and I’m really looking forward to your question.
SENIOR ADMINISTRATION OFFICIAL: Thank you. Operator, if you could please open the lines for questions and share instructions with our guests.
Q Hi, thanks for doing the call. I’m interested to hear more about the role of private sector in the UCG. Can you talk a little bit about what changes needed to be made to the interagency process or to classification levels, or things like that, to allow private-sector participants in that process?
SENIOR ADMINISTRATION OFFICIAL: Really great question. First, the policy had always allowed for it, so this was a great opportunity to use to use the policy fully. And cybersecurity really needs to be done unclassified. So many — in cases in government sometimes we — because we have the option of classified comms, we did that. We defaulted to change it to make these unclassified calls. But we do that discussion and coordination.
And if we need to have a classified discussion, which we expect we regularly will, we have mechanisms where the private-sector participants can join us if that’s geographically convenient for them.
Q Hey, thanks so much for doing this. Good to — good to reconnect. You mentioned — you mentioned, just a minute ago, that, you know, in both of these hacks, and that (inaudible) in general are operating on domestic infrastructure and that there is often a struggle just to have visibility there.
But you said that, you know, the model going forward, you — the administration believes is — is working closely with private-sector and (inaudible) authorities. I was just hoping you could elaborate a little on that. Is that due to privacy concerns or, you know, other reasons? Just given that there has been some discussion among lawmakers and then others about whether or not this is something that maybe — maybe should be looked at. Thanks.
SENIOR ADMINISTRATION OFFICIAL: Absolutely. So I was speaking specifically really — thank you, [reporter name] for the question. I was speaking specifically to new authorities regarding monitoring those domestic systems and saying we’re not looking at that at this time because we believe that, you know, the additional visibility into domestic incidents, into domestic compromises is really had by the private sector — really a small number of key companies who have broad visibilities: Internet service providers, cloud providers, some of the cybersecurity providers. They really see the larger number of victims.
And what we’d like to do is figure out how we fix the barriers in information-sharing. And I’ve sent — I have a team looking at that, and they’ve listed them, and they’ve done some really thoughtful work on them: how we fix those barriers that prevent the private sector who has this visibility, doing that effective back-and-forth sharing with the government.
And we think that would be an optimal first approach to really address — in order to get to where we need to, which is visibility into threats that come out of domestic infrastructure.
Did I get at your question,[reporter name]? Because it was a very specific authorities change I was talking about. And my point was to say, “Not yet, not now,” because we first want to fully address and try to fix the issues preventing effective information sharing that we believe can get at that issue, while still fully protecting the civil liberties and privacy of Americans.
Q Absolutely. That’s very helpful. Thank you.
Q Thanks. I was wondering if you could give us a look forward in what you think the private sector could do (inaudible). In the case of SolarWinds, it looks like some of the infrastructure (inaudible) servers that you can just rent out. Amazon come to testify on the (inaudible) hearing the other day. But tell us a little bit about what they could do (inaudible) and whether or not the reason that you are not going back (inaudible) fundamentally, the Biden administration believes the foreign intelligence services need to stay focused on foreign.
And maybe give us some insight as to why they didn’t see these being planned in foreign networks before they came to the U.S.
SENIOR ADMINISTRATION OFFICIAL: Thank you, David. So the connection is not great, but I think I heard the questions. You’ll have to —
So, the first piece is the — in the waning days of the Trump administration, they issued an executive order focused on infrastructure, as a service, knowing your customer. And it essentially requires cloud providers to do some more work to understand who are the entities creating virtual accounts, gaming virtual services.
That’s one of the key areas we’re looking at. As you know, the Commerce Department is moving forward with that. And it’s really to address this particular threat: adversaries operating on the U.S. infrastructure.
To the second part of your question of whether that represents the administration’s beliefs that foreign intelligence should focus on foreign — no, it doesn’t. It instead represents a desire to address our cybersecurity issues while fully protecting the civil liberties and privacy of Americans. So if we can find — and building a deeper partnership with the private sector, which is foundational to effective cybersecurity.
It really comes from saying our goals are: building a tight partnership with the private sector. They have the information. There’s less concerns of civil liberty and privacy when it’s private sector versus government, as we know from other discussions on social media privacy, for example. And as such, let’s work to make this work. Let’s do the hard work to really understand the legal barriers, the disincentives that would make this work.
And having now, you know, a team, as I said, dedicated who’s now spent a lot of time, across legal and policy and technical, finding what those issues are, as part of our review of SolarWinds and the causes — we had a four-week strategic review of that that’s coming to a close — coming out of that, there will be a set of thoughtful, we hope, policy and potential —
(The call experiences technical difficulties.)
Q On the subject of building back better to modernize federal defenses, you said that the review has found significant gaps in modernization and technology across the federal government. More and more agencies in recent years have moved to hosted services and cloud services. Is there any — is there any consideration being given to moving federal agencies off of these off-the-shelf commercial platforms and possibly onto a built-from-the-ground system, maybe open-source based, that might be more difficult for malign actors to get a foothold in so easily?
SENIOR ADMINISTRATION OFFICIAL: The federal government, as you know so well, is very large. And what we want to do is move to best-of-breed commercial technology and take advantage of the innovation of our private sector. I think we don’t even need to build something new from the ground up when we think that there is much stronger, innovative technology available that we can move to — including cloud, including security implemented in the cloud, zero-trust based principles, and other related areas.
So that’s our plan right now. We’re on a tight timeline to move there, as I said, (inaudible) beginning with the compromised agencies, as well as addressing, in the upcoming executive action, some of the foundational areas that we think will help the federal government use procurement to be a leader in this space, and, really, in meeting in this space, address both private-sector and government challenges in finding, buying, and using innovative, usable, and secure software and hardware — and systems, to your point.
SENIOR ADMINISTRATION OFFICIAL: All right, everyone. That has to be our last question. We have a hard stop.
Thank you all for joining us today. With the conclusion of this call, the embargo was lifted and friendly reminder that we are on background, attributable to a “senior administration official.”
Thanks all for joining.