The SolarWinds hack proves US cyber defenses are a mess — here’s how to fix them


The SolarWinds hack was more than one of the most devastating cyberattacks in history. It was a major national security breach that exposed loopholes in US cyber defenses.

These gaps include inadequate security from a large software producer, a fragmented authority for government support to the private sector, and a nationwide lack of software and cybersecurity skills. None of these loopholes are easily filled, but the scope and impact of the SolarWinds attack shows how critical they are to US national security.

The SolarWinds breach, likely carried out by a group affiliated with the Russian security service FSB, compromised the software development supply chain used by SolarWinds to update 18,000 users of its Orion networking product. The hack, which is believed to have started in early 2020, was not discovered until December, when cybersecurity firm FireEye revealed it had been affected by the malware. More worryingly, it may have been part of a larger attack on government and commercial targets in the United States.

Supply chains, sloppy security and a talent shortage

Vulnerability in the software supply chain – the set of software components and software development services that companies use to build software products – is a well-known issue in security. In response to a 2017 executive order, a report by an interagency task force led by the Department of Defense identified “a surprising level of foreign dependency,” workforce challenges, and critical capabilities such as printed circuit board manufacturing that companies outsource in search of competitive prices. All of these factors came into play in the SolarWinds attack.

SolarWinds, driven by its growth strategy and plans to sell its managed service provider business in 2021, bears much of the blame for the damage, according to cybersecurity experts. I think the company put itself at risk by outsourcing its software development to Eastern Europe, including a company in Belarus. Russian agents are known to use companies in former Soviet satellite countries to insert malware into software supply chains. Russia used this technique in the 2017 NotPetya attack, which cost global companies more than $10 billion.

SolarWinds also failed to practice basic cybersecurity hygiene, according to a cybersecurity researcher. Vinoth Kumar reported that the software company’s development server password was allegedly “solarwinds123,” a flagrant violation of core cybersecurity standards. SolarWinds’ botched password management is ironic in light of the Password Management Solution of the Year award the company received in 2019 for its Passportal product.

In a blog post, the company admitted that “the attackers were able to circumvent threat detection techniques employed by SolarWinds, other private companies and the federal government.”

The bigger question is why SolarWinds, an American company, had to turn to foreign vendors for software development. A Defense Department report on supply chains characterizes the shortage of software engineers as a crisis, in part because the training pipeline is not producing enough software engineers to meet demand in the commercial and defense sectors.

There is also a shortage of cybersecurity talent in the U.S. Engineers, software developers, and network engineers are among the most sought-after skills in the U.S., and the lack of software engineers who focus on software security, in particular, is acute.

Fragmented authority

While I would say SolarWinds has a lot to answer for, it shouldn’t have had to defend against a state-orchestrated cyberattack alone. The 2018 National Cyber Strategy describes how supply chain security should work. The government determines the security of federal contractors like SolarWinds by reviewing their risk management strategies, ensuring they are aware of threats and vulnerabilities, and responding to incidents on their systems.

However, this official strategy divided these responsibilities between the DOD for defense and intelligence systems and the Department of Homeland Security for civilian agencies, continuing a fragmented approach to information security that began in the Reagan era. Execution of the strategy relies on DOD’s US Cyber Command and DHS’s Cybersecurity and Infrastructure Security Agency. DOD’s strategy is to “defend forward”: that is, to disrupt malicious cyber activity at its source, which proved effective in the run-up to the 2018 midterm elections. The Cybersecurity and Infrastructure Security Agency, established in 2018, is responsible for providing information on threats to critical infrastructure sectors.

Neither agency appears to have issued a warning or attempted to mitigate the attack on SolarWinds. The government’s response did not come until after the attack. The Cybersecurity and Infrastructure Security Agency issued alerts and guidance, and a unified cyber coordination group was formed to facilitate coordination among federal agencies.

These tactical actions, while useful, were only a partial solution to the larger strategic problem. The fragmentation of authorities for national cyber defense evident in the SolarWinds hack is a strategic weakness that complicates cybersecurity for government and the private sector and invites more attacks on the software supply chain.

A wicked problem

National cyber defense is an example of a “wicked problem,” a policy problem that has no clear solution or measure of success. The Cyberspace Solarium Commission has identified many deficiencies in US national cyber defenses. In its 2020 report, the commission noted that “there is still no clear unity of effort or theory of victory behind the federal government’s approach to protecting and securing cyberspace.”

Many of the factors that make it difficult to develop a centralized national cyber defense are beyond the direct control of the government. For example, economic forces drive tech companies to bring their products to market quickly, which can lead them to take shortcuts that compromise security. Legislation similar to the Gramm-Leach-Bliley Act, passed in 1999, could help counter the pressure for speed in software development. That law imposed security requirements on financial institutions. But software development companies are likely to oppose further regulation and oversight.

The Biden administration appears to be taking the challenge seriously. The president appointed a national cybersecurity director to coordinate related government efforts. It remains to be seen if and how the administration will tackle the problem of fragmented authorities and clarify how the government will protect companies that provide critical digital infrastructure. It is unreasonable to expect that an American company will be able to defend itself against a cyberattack from a foreign country.

Moving forward

In the meantime, software developers can apply the secure software development approach advocated by the National Institute of Standards and Technology. Government and industry can prioritize the development of artificial intelligence capable of identifying malware in existing systems. However, all of this takes time, and hackers move quickly.

Finally, companies must aggressively assess their vulnerabilities, including engaging in “red teaming” activities: that is, employees, contractors, or both play the role of hackers and attack the company.

Recognizing that hackers in the service of foreign adversaries are dedicated, diligent, and unconstrained is important for anticipating their next moves and for strengthening and improving the national cyber defenses of the United States. Otherwise, SolarWinds is unlikely to be the last victim of a major attack on the software supply chain in the United States.

This article by Terry Thompson, Adjunct Cybersecurity Instructor, Johns Hopkins University, is republished from The Conversation under a Creative Commons license. Read the original article.
