July 2022

VOLUME 05 ISSUE 07 JULY 2022
The Federal Acquisition Supply Chain Act, the SolarWinds Cyber-Attack, and What Might Have Been Different Had FASCA Been Federal Law at the Time of the Attack
Donald L. Buresh, Ph.D., Esq.
Morgan State University
DOI: https://doi.org/10.47191/ijsshr/v5-i7-18

ABSTRACT

This essay explores the Federal Acquisition Supply Chain Act (FASCA) and the difference it would have made had it been law during the SolarWinds cyber-attack. The Act is examined from a critical perspective to see what effect it would have had if it had existed when the attack occurred. The SolarWinds cyber-attack is then discussed in some detail. In deciding what would have happened had FASCA been law at the time of the attack, the events are presumed to be the same as those that took place. The incident would likely have changed at the point when the cyber-attack information reached the Federal Acquisition Security Council (FASC). The paper argues that there would have been delays in the actions of the FASC due to the complexity of the bureaucracy involved. The article concludes that the projected outcome would differ from the actual outcome because, in the projected outcome, the cyber-attack would have been handled administratively rather than legislatively. This difference may or may not have fostered mitigation of the cyber-attack.

KEYWORDS:

Federal Acquisition Supply Chain Act, Federal Acquisition Security Council, SolarWinds Cyber-Attack

