The SolarWinds hack proves US cyber defenses are a mess — here’s how to fix them
Supply chains, sloppy security, and a talent shortage
The vulnerability of the software supply chain – the collection of software components and software development services that companies use to build software products – is a well-known problem in the security field. In response to a 2017 executive order, a report by a Department of Defense-led interagency task force identified “a surprising level of foreign dependence,” workforce challenges, and critical capabilities such as printed circuit board manufacturing that companies are moving offshore in pursuit of competitive pricing. All these factors came into play in the SolarWinds attack.
SolarWinds, driven by its growth strategy and plans to spin off its managed service provider business in 2021, bears much of the responsibility for the damage, according to cybersecurity experts. I believe that the company put itself at risk by outsourcing its software development to Eastern Europe, including a company in Belarus. Russian operatives have been known to use companies in former Soviet satellite countries to insert malware into software supply chains. Russia used this technique in the 2017 NotPetya attack, which spread through a compromised update to a Ukrainian accounting software package and cost global companies more than US$10 billion.
SolarWinds also failed to practice basic cybersecurity hygiene, according to a cybersecurity researcher. Vinoth Kumar reported that the password for the software company’s development server was allegedly “solarwinds123,” an egregious violation of fundamental standards of cybersecurity. SolarWinds’ sloppy password management is ironic in light of the Password Management Solution of the Year award the company received in 2019 for its Passportal product.
In a blog post, the company admitted that “the attackers were able to circumvent threat detection techniques employed by both SolarWinds, other private companies, and the federal government.”
The larger question is why SolarWinds, an American company, had to turn to foreign providers for software development. A Department of Defense report about supply chains characterizes the lack of software engineers as a crisis, partly because the education pipeline is not providing enough software engineers to meet demand in the commercial and defense sectors.
There’s also a shortage of cybersecurity talent in the U.S. Engineers, software developers and network engineers are among the most needed skills across the U.S., and the lack of software engineers who focus on the security of software, in particular, is acute.
Fragmented authority
Though I’d argue SolarWinds has much to answer for, it should not have had to defend itself against a state-orchestrated cyberattack on its own. The 2018 National Cyber Strategy describes how supply chain security should work. The government determines the security of federal contractors like SolarWinds by reviewing their risk management strategies, ensuring that they are informed of threats and vulnerabilities, and responding to incidents on their systems.
However, this official strategy split these responsibilities between the DOD for defense and intelligence systems and the Department of Homeland Security for civil agencies, continuing a fragmented approach to information security that began in the Reagan era. Execution of the strategy relies on the DOD’s U.S. Cyber Command and DHS’s Cybersecurity and Infrastructure Security Agency. DOD’s strategy is to “defend forward”: that is, to disrupt malicious cyber activity at its source, which proved effective in the run-up to the 2018 midterm elections. The Cybersecurity and Infrastructure Security Agency, established in 2018, is responsible for providing information about threats to critical infrastructure sectors.
Neither agency appears to have sounded a warning or attempted to mitigate the attack on SolarWinds before it was discovered. The government’s response came only after the attack. The Cybersecurity and Infrastructure Security Agency issued alerts and guidance, and a Cyber Unified Coordination Group was formed to facilitate coordination among federal agencies.
These tactical actions, while useful, were only a partial solution to the larger, strategic problem. The fragmentation of the authorities for national cyber defense evident in the SolarWinds hack is a strategic weakness that complicates cybersecurity for the government and private sector and invites more attacks on the software supply chain.
A wicked problem
National cyber defense is an example of a “wicked problem,” a policy problem that has no clear solution or measure of success. The Cyberspace Solarium Commission identified many inadequacies of U.S. national cyber defenses. In its 2020 report, the commission noted that “There is still not a clear unity of effort or theory of victory driving the federal government’s approach to protecting and securing cyberspace.”
Many of the factors that make developing a centralized national cyber defense challenging lie outside of the government’s direct control. For example, economic forces push technology companies to get their products to market quickly, which can lead them to take shortcuts that undermine security. Legislation along the lines of the Gramm-Leach-Bliley Act passed in 1999, which placed security requirements on financial institutions, could help counter the pressure for speed in software development. But software development companies are likely to push back against additional regulation and oversight.
The Biden administration appears to be taking the challenge seriously. The president has appointed a national cybersecurity director to coordinate related government efforts. It remains to be seen whether and how the administration will address the problem of fragmented authorities and clarify how the government will protect companies that supply critical digital infrastructure. It’s unreasonable to expect any U.S. company to be able to fend for itself against a foreign nation’s cyberattack.
Steps forward
In the meantime, software developers can apply the secure software development approach advocated by the National Institute of Standards and Technology in its Secure Software Development Framework. Government and industry can prioritize the development of artificial intelligence that can identify malware in existing systems. All this takes time, however, and hackers move quickly.
Finally, companies need to aggressively assess their vulnerabilities, particularly by engaging in more “red teaming” activities: that is, having employees, contractors or both play the role of hackers and attack the company.
Recognizing that hackers in the service of foreign adversaries are dedicated, thorough and hold nothing back is important for anticipating their next moves and reinforcing and improving U.S. national cyber defenses. Otherwise, SolarWinds is unlikely to be the last victim of a major attack on the U.S. software supply chain.
This article by Terry Thompson, Adjunct Instructor in Cybersecurity, Johns Hopkins University, is republished from The Conversation under a Creative Commons license. Read the original article.
Story by The Conversation
An independent news and commentary website produced by academics and journalists.