What might go down as the most consequential story of the year for the cybersecurity community only surfaced in December, despite the alarming realization that the SolarWinds supply chain hacking took place months before.
Cybersecurity experts predict years of clean up, both physical and political, from the infiltration attributed to Russia, which pushed malicious updates for the popular SolarWinds Orion IT platform.
What remains to be seen is how the incident will influence federal legislation, business and government security priorities, and geopolitics.
First and foremost, the inevitable talk about whether the government will respond to SolarWinds via policy has already begun. In our reporting, we’ve seen suggestions that the government may start using cybersecurity as a criteria for critical supply chain contracts, encouraging upfront disclosure of third-party components and requiring firms to contractually mandate cybersecurity with vendors.
We’ve also seen some skepticism that lawmakers will do more than admire the problem.
“I am not optimistic about significant reform, at least at the legislative level, because I am not optimistic that we will find common ground or convergence on the SolarWinds and related hacking, and the need for bold action,” said David Kris, former head of the Department of Justice’s National Security Division and founder of the Culper Partners consulting.
In a blog post, Microsoft President Brad Smith suggested better information sharing, both between government groups and between government and industry, to protect future supply chain breaches.
Many of these solutions would not have changed the current crisis. Intelligence sharing would only work if the U.S. had intelligence to share – in this case, it appears not to have had any to offer. Still, most experts believe that supply chain issues are broader than just this single incident and need to be addressed on that broader scale.
One of the largest cyberattacks in history, also attributed to Russia, was a similar software supply chain attack. The NotPetya malware, which presented as ransomware but offered no mechanism to reverse the encryption, was embedded in malicious updates to a popular Ukrainian accounting software.
Whether for information gathering, as with SolarWinds, wanton destruction, as in NotPetya, or for some other reason, supply chains will always be a prime vector for attacks because they have such broad reaching consequences.
“As technology advances and the world gets increasingly interconnected, these supply chain attacks will grow and become more effective, highlighting a critical vulnerability in all third-party relationships: the exploitation of trust,” said Austin Berglas, global head of professional services at BlueVoyant.
Businesses, especially high value targets in federal sector, critical infrastructure and other links in supply chains, are right now evaluating what needs to be addressed in their own networks. For some, that’s going to mean the arduous process of removing a nation state level hacker from their systems. It will be a time consuming process full of uncertainty, given how, as security personality Bruce Schneier described it to the Associated Press, the most efficient way to know a hacker is out of your network is “to burn it down to the ground and rebuild.”
To keep businesses up in the meantime, it will take herculean acts of network segmentation, separating clean, critical systems from potentially vulnerable ones connected to the SolarWinds system, experts told SC Magazine.
“After months of incident response, hunting, patching, and tuning monitoring systems, would it be safe to reconnect again? Going forward, the SolarWinds systems should be segmented away from other parts of the environment so that the impact of any future weaknesses is mitigated,” Ben Johnson, CTO for SaaS at Obsidian said.
For companies that were not effected by the hack, SolarWinds still serves an inflection point. Many will re-evaluate technology procurement to emphasize security all the way up the supply chain.
As for response against Russia to deter future actions, the United States does not traditionally pull the most reactionary levers of diplomacy for espionage operations intended to steal information, given that all nations spy on each other. The big guns only come out when hacking is used for harm, disrupting critical infrastructure or stealing intellectual property. As of writing, there is no evidence the SolarWinds attack was designed to do more than swipe data.
But there may be a loophole, given the timing and scale of the attack.
Speaking to SC Media, Rep. Mike Gallagher, R-Wis., suggested that the global pandemic – when government resources should rightly be spent saving lives – offers an exemption to global norms.
And during an Auburn University panel on the SolarWinds incident, former homeland security adviser to President Trump,Tom Bossert, and Chris Inglis, former deputy director of the National Security Agency, both argued that the scale of the hacking effort was disproportionate to Russia's potential national security needs. For that reason, they argued, this goes beyond the standard permissions for espionage operations.
"[Russia] put everyone at risk," said Inglis.