C. Warren Axelrod

Solar Winds Blow Hard

Unbelievable! But true. The enormous hack, purportedly by Russia (per Secretary of State Mike Pompeo and others), of major U.S. government agencies and the U.S.’s biggest corporations—apparently some 18,000 organizations according to the software maker—came through malware planted in updates to third-party network-monitoring software called Orion from SolarWinds. However, this and other vectors may already have been at work earlier than the March 2020 date attributed to the start of the attack. Is this attack a “cyber Pearl Harbor” or cyberpandemic? Is it cyberwar and, if so, what is an appropriate response? The announcement of the hack comes 79 years (to the week) after the original Pearl Harbor attack by the Japanese air force. Currently, it appears to be less a cyberpandemic and more a “cyber Pearl Harbor”—an unseen attack only discovered once it hits, as stated in a December 18, 2020 Newsweek article by Matthew Impelli, “Colorado Representative Says SolarWinds Hack Could Be ‘Cyber Equivalent of Pearl Harbor’” available at Colorado Representative Says SolarWinds Hack Could Be ‘Cyber Equivalent of Pearl Harbor’ (msn.com)

My definition of a cyberpandemic is the unintended, uncontrolled proliferation of destructive malware, which this attack does not appear to be—at least so far. The SolarWinds attack looks to be very controlled. The attackers need an available working Internet in order to operate their compromise, so that they would not willfully take the network down. In any event, the distractions of the COVID-19 pandemic and the 2020 U.S. election seemingly played a significant role in the success of the attacks and may well hinder halting future damage and the ability to recover.

I say this because, if you look at the nature of the SolarWinds cyberattack, one interim resolution would be to isolate all affected and potentially-affected critical systems from the outside world … right at a time when remote access is needed to keep government and businesses running. A veritable “perfect storm” of concurrent catastrophes. A gotcha of enormous consequences.

Coincidentally, I was just reading Verizon’s new “Cyber-Espionage Report” available via 2020 Cyber-Espionage Report (CER) | Verizon  It’s amazing what a difference a day makes. If you read the report, you will see on page 10 that, for the 2014-2020 timeframe, NA (North America) did much better on cyber-espionage breaches than EMEA (Europe, Middle East and Africa) and APAC (Asia-Pacific), even though NA leads in all breaches by a substantial margin.

Well, that report is certainly due for a huge update in the light of the SolarWinds breach. And CISA (DHS’s Cybersecurity and Infrastructure Security Agency), which received so much praise for protecting voting, as described in my December 14, 2020 BlogInfoSec column, “CISA and Desist,” gets a major demerit for the failure of its multi-billion-dollar Einstein system to detect and protect against such egregious cyberattacks and potential data exfiltration and system damage.

And, what is more … the SolarWinds corporation apparently didn’t even have a CISO to blame. Shame on them!

Is this at last the cyber tipping point, on which a number of us have been continually harping? We’ll have to wait and see. But it’s not going to be pretty whatever decisions are made.

So, what are some answers? They are really the same as they have been all along. Avoidance. Deterrence. Prevention. Protection. I’ve discussed most of these these topics, as they pertain to the pandemic and cybersecurity risk, in recent BlogInfoSec columns. However, given the nature of the SolarWinds cyberattack, we need to concentrate on securing the software supply chain, assuring that software meets security requirements, and ensuring that it does not harbor malware. I shall revisit some of these issues in the future.

While much damage has already taken place, we must redesign systems architectures and better manage access in order to mitigate the intrusion and spread of malware. Application security and security software assurance must be built into the system development and support processes. Also, there is the longstanding concern about software monocultures exacerbating transmission. Some of the authors of a report on the impact of monocultures on information security were vilified—to the extent that one member of the group of authors was fired—but they were right. And the ubiquitous use of the compromised SolarWinds’ Orion network monitoring systems demonstrates their prescience. The September 2003 report, “Cyber Insecurity: The Cost of Monopoly,” is available at Essays: CyberInsecurity: The Cost of Monopoly – Schneier on Security I wrote about it in my March 30, 2009 BlogInfoSec column, “Are System Monocultures More or Less Secure? Yes!”

The pendulum is swinging more towards isolation since we cannot fully rely on deterrence, prevention and protection. The SolarWinds attackers used obfuscation and a variety of distracting and hiding techniques—methods that we should use in defensive approaches. If there is any silver lining to this cloud (and that is questionable), it is that learning how the attackers were able to infiltrate highly-critical systems undetected for nine or more months may lead to better protective measures going forward. But don’t count on it.

Post a Comment

Your email is never published nor shared. Required fields are marked *

*
*