The SolarWinds Software Hack: A Threat to Global Cybersecurity

Cybersecurity Reports

In December 2020, FireEye, a cybersecurity company, announced that its software had been compromised by a cyberattack. FireEye quickly traced the attack back to a March 2020 update from SolarWinds, a Texas-based company that makes IT management software. The software in question, Orion, was corrupted by malicious code embedded in a software update that was then installed by around 18,000 SolarWinds customers. This kind of hack is known as a supply-chain attack, since the software was corrupted during production and then pushed out by the victim company to its own customers.

In this case, those impacted included companies such as Microsoft, the National Institutes of Health, and FireEye, as well as the Departments of Homeland Security, State, Energy, Commerce, and Treasury, and the Pentagon. The Cybersecurity and Infrastructure Security Agency published an advisory in response to the attack, but cleanup may take years; one of the main goals of the attack was likely to look at the source code of organizations like Microsoft and, by doing so, find new, unrelated routes of attack.

How Did the Attack Occur?

On January 5, the FBI, NSA, CISA, and the ODNI issued a joint statement that the hack was likely from Russia. No specific hacking group or government agency has been named. The Russian embassy in the US denied any responsibility for the attack in a December 13 statement on Facebook, but the Russian group APT29 (also known as Cozy Bear) has been blamed for hacking government emails and Democratic National Committee emails during the Obama Administration. The complexity and skill of the cyberattack lead experts to think that a nation-state must be responsible for it. Specifically, Microsoft has pointed to Private Sector Offensive Actors (“PSOAs”), who develop cybersecurity hacks and sell them to governments.

U.S. Cybersecurity Litigation

The SolarWinds hack represents a global threat that has affected governments around the world and demonstrated the “heightened level of vulnerability” of the United States. Although the victims of this attack included organizations in seven countries outside the United States, 80% of SolarWinds customers were located in the U.S.

Within the U.S., Microsoft President Brad Smith has called for government and company collaboration in response to these attacks. He claims such collaboration will be essential because much U.S. “technology infrastructure” is owned privately, “from data centers to fiberoptic cables.” One possible solution is a proposed federal disclosure law that would require all companies to report the existence and extent of any breach.

The SolarWinds attack also has pressing implications for litigation involving the False Claims Act (“FCA”) and cybersecurity compliance. Cases under the FCA are brought by the U.S. Government when it contracts with a private company and later finds that the company failed to meet federal cybersecurity standards. FCA liability can only be imposed if the noncompliance was knowing and material. These standards have recently been bolstered by requirements for contractors to complete a self-assessment in advance of the contract and to acquire a Cybersecurity Maturity Model Certification (CMMC). However, one court found that “the technology policies referenced … do not require defect-free products” from contracted companies. As a result, companies cannot be held liable if they have complied with the regulations in good faith.

International Law on Cyberattacks

Unfortunately, the international nature of these attacks can make enforcement difficult. An upcoming appeal involving NSO Group demonstrates the prospects and challenges of international cybercrime litigation. NSO Group is a known PSOA responsible for selling governments an app named Pegasus that could hack mobile devices. NSO has claimed immunity from liability because it is “acting on behalf of a foreign government customer and hence share[s] that government’s legal immunity.” In response, Microsoft’s Smith has called on the Biden administration to “ensure that domestic laws … prohibit companies from helping governments engage in unlawful and offensive cyberattacks.”

Smith has also called for an international agreement prohibiting attacks on healthcare institutions and other civilian infrastructure. However, compliance for this kind of agreement is hard to track. Even if an attack is traced to a specific country, it may be unclear how to apportion responsibility among government and criminal actors.

Finally, the U.S. may prefer to reserve a right to respond in kind rather than prosecute such hacks. Fear of such a response in kind might eventually lead to a system of cybersecurity deterrence.

Jessica Cianci is a 1L at HLS interested in bioethics, equitable healthcare access, and innovations in medical technology.