She said one idea that was contemplated was whether Microsoft could push a patch to all compromised systems to effectively “vaccinate” them. Though it was determined that that was not technically feasible in this case, the government will continue to work with the private sector to explore that idea in future cases.
Neuberger is also the administration's point person in responding to the so-called SolarWinds hack, in which suspected Russian hackers breached at least nine different federal agencies. The AP reported this week that the hackers gained access to email accounts belonging to the Trump administration's head of the Department of Homeland Security and members of the department's cybersecurity staff whose jobs included hunting threats from foreign countries.
Neuberger said there were “gaps” in basic cybersecurity defenses at some of the nine agencies affected, which has hampered officials’ ability to determine what the hackers accessed.
She said the administration has identified five specific modernization efforts as a result of its review of how the SolarWinds hack happened, including using technology that continuously monitors for malicious activity and requiring greater use of multi-factor authentication so systems can't be accessed with a stolen password alone.
That threat to critical infrastructure was laid bare in February after a hacker's botched attempt to poison the water supply of a small Florida city raised alarms about how vulnerable the nation's utilities may be to attacks by more sophisticated intruders.
A local sheriff said that the water supply of Oldsmar, population 15,000, was briefly in danger when an unknown hacker used a remote access program shared by plant workers to briefly increased the amount of lye — sodium hydroxide — by a factor of 100. Lye is used to lower acidity, but in high concentrations it is highly caustic and can burn. It’s found in drain cleaning products.
A supervisor monitoring a plant console about 1:30 p.m. saw a cursor move across the screen and change settings and was able to immediately reverse it. The intruder was in and out in five minutes. Suspicious incidents are rarely reported and usually are chalked up to mechanical or procedural errors, experts say. No federal reporting requirement exists, and state and local rules vary widely.
The nation’s 151,000 public water systems lack the financial fortification of the corporate owners of nuclear power plants and electrical utilities. They are a heterogenous patchwork, less uniform in technology and security measures than in other rich countries.
On Wednesday, federal prosecutors charged a Kansas man who they said accessed a rural water district's protected computer system without authorization and "performed activities that shut down the processes at the facility which affect the facilities cleaning and disinfecting procedures."