Viewpoint
he final pages of 2020look a lot like these firstpages of 2021. Thereare so many issues toworry about, but there’s one thatappears to be potentially trulyfrightening for credit unions. Forthe moment, let’s put aside theactual pandemic that continuesinfecting and killing thousands ofpeople every damn day. Let’s putaside the political mess of electionlawsuits and attempts to toss outor ignore millions of votes that arehappening because a distressingnumber of Republican politiciansbelieve the election was stolen –without any evidence.
The issue I’m most worriedabout right now is the fact thatwe’ve been hacked.
About 20 miles to my south,there’s a formerly little-knowntech company that develops software to help businesses managetheir networks, IT infrastructureand all sorts of enterprise efforts.
Some weeks ago, the first re-
porting was published that this
company was at the center of what
could be the most prolific and
historically-damaging hack of our
country’s infrastructure, govern-
ment and financial systems.
SolarWinds, this company weall now know about, was reportedly used by Russia to infiltratehundreds federal agencies andbusinesses across the country, according to reporting by the NewYork Times and several other newsoutlets.
Reporting from tech organizations involved in the attackshowed that the hack focused onfinance, national security, healthand telecommunications bodies.
While the U.S. governmenthas been largely quiet about themanifestation of the hacking thatwent on for several months oreven more than a year withoutdetection, and the hack has notstopped, Microsoft and other organizations have raised red flagseverywhere about the virtual fireraging through our servers. Infact, it wasn’t our nation’s officialorganizations in charge of ourcyberdefenses, or our military’sCyber Command or National Security Agency that reported themonths-long hack by the Russians. It was a private organization, FireEye, that first soundedthe alarm.
According to the New York
Times, Sen. Mark Warner (D-Va.),
who sits on the Senate Intelligence
Committee, said, “And if FireEye
had not come forward, I’m not
sure we would be fully aware of it
to this day.”
Microsoft has been uniquely
open about its internal investiga-
tions early on. Initially the organi-
zation said its networks were not
compromised. Microsoft amend-
ed that statement a few days later
when it announced that the hack
had indeed gone incredibly deep
into its system and hackers were
able to see original source coding
for some of its products.
According to a recent blog post
on Microsoft’s website, “The at-
tack unfortunately represents a
broad and successful espionage-
based assault on both the con-
fidential information of the U.S.
government and the tech tools
used by firms to protect them. The
attack is ongoing and is being ac-
tively investigated and addressed
by cybersecurity teams in the
public and private sectors, includ-
ing Microsoft.”
I’ve had two off-the-record
conversations with credit union
industry officials about the So-
larWinds hack. I’ll characterize
those brief chats this way: We
don’t know much, we are very
concerned and we are looking for
help.
On Dec. 17, CUNA announcedit had sent a letter to the NCUA
about the cyberattack to expressits concerns about the impacts onthe regulatory agency. Below is aportion of the statement emailedto CU Times from CUNA:
The data breach, which is said tobe the most significant cyberattackin recent history, corrupted theOrion IT monitoring platform toinfiltrate systems across the country, including credit unions andother financial institutions.
“As the NCUA seeks to deter-
mine the attack’s impact on the
agency and as credit unions do
the same, CUNA members have
two concerns,” CUNA President/
CEO Jim Nussle wrote. “First, we
urge the agency to be forthright
in its communications with credit
unions if it is determined that the
agency is impacted. Second, we
call on (the) NCUA to suspend
the collection of data from credit
unions until it can ascertain that
its systems have not been and are
not compromised.”
In the letter, CUNA suggests
that the NCUA consider issuing
guidance to alleviate stress from
impacted credit unions as the full
scope of the data breach is yet to be
determined due to the complexity
of the attack.
As of this writing, the NCUA hasnot addressed the issue. We donot know if the NCUA has beenimpacted. We do not know if theNCUA is conducting its own investigation or audit of its networksystems. We do know the TreasuryDepartment, the Commerce Department, the State Department,the Pentagon and the Energy Department have all been compromised. We do know from reportsthat other federal regulatory agencies have also been compromised.
CUNA appears to be concernedand so are we.
Are we supposed to assumethat no news is good news, andthe NCUA is safe and secure because we haven’t heard otherwise? Is the NCUA considering thesuspension of credit union datacollection? Have they suspendeddata collection?
We understand that NCUA
Chairman Rodney Hood is about
to be replaced as soon as the new
administration is sworn in later
this month. We understand that
the scope of this cybersecurity
problem is massive and compli-
cated. We understand the idea
of punting this problem to the
next administration could be
very appealing, if that’s what is
happening.
What isn’t happening is anycommunication about this issueto credit unions from its leadingagency. Whether it’s good newsor bad news, the NCUA needs tocommunicate something – anything – that could be reassuringor even some kind of guidance tolet an entire cooperative financialindustry know that the agency isat least thinking about this potentially disastrous problem.
As I’ve done before, I’ll give
them an example of what they
could say:
“The NCUA is aware of the So-
lar Winds cybersecurity issue and
we are committed to investigating
our network security thoroughly.
Soon we will issue a report of our
findings. In the meantime, we
suggest unplugging your credit
union, waiting a minute and then
plugging it back in.”
In one of my off-the-record
conversations about this, the per-
son basically said that the hack is
so large they don’t know where to
start.
I applaud CUNA’s effort to, atthe very least, indicate that thehack could be a real and damaging problem for credit unions.Frankly, we don’t officially knowif it is or not.
I thought Bruce Schneier, a
Harvard fellow and network se-
curity expert, put it best in an in-
terview with the New York Times
that the only way to be sure that a
network is clean after this cyber-
security failure is “to burn it down
to the ground and rebuild it.”
Are credit unions at risk? If so,
what are those risks? Hello? Are
you there? Anyone? n
Are You There NCUA? It’s Me (Insert Credit Union)
EDITOR’S COLUMN
Michael OgdenEditor-in-Chiefmogden@cutimes.com
NEXT STEPSEMAIL comments tomogden@cutimes.com Solar Winds headquarters, Austin, Texas.
