As high-profile hacks mount, should the government be involved in creating and enforcing a national cyber strategy?
The number of identified companies and government entities among the 17,000+ organizations compromised in the SolarWinds backdoor injection operation will continue to grow. So will the list of questions we are all cataloging as time passes. Indeed, as evidenced by Security Boulevard’s own blogwatcher, Richi Jennings, the blogosphere is chock-a-block full of perspective, falling into the following groups:
- What happened?
- How did it happen?
- Who is affected?
- How do we mitigate?
- Who did it?
- What does retaliation look like?
- What is the U.S. cyber strategy?
Then there is the question of who is responsible for keeping one’s entity safe. The advice provided by Tony Howlett sums up what every company should be doing to help themselves stay safe: “If your organization is vetting, monitoring and auditing its vendors properly, it will have a much better chance of stopping or catching attacks coming through third parties, whether it’s from this hack or the next one.”
That said, SolarWinds didn’t help its customers’ detection efforts when it directed them to “exclude from antivirus scanning for Orion Platform products” in the spirit of “optimal performance.” A blanket exclusion of that kind means the host’s own scanner never looks at the very binaries the trojanized update replaced. The support page first provided the guidance in April 2018 and was most recently updated in November 2020, as detailed by Heise Online.
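One practical check that follows from this: inventory the antivirus exclusions actually configured on a host and flag the ones that would have silenced scanning of an Orion install. The script below is an added example, not code from the article or from SolarWinds; it uses Microsoft Defender’s `Get-MpPreference` cmdlet, and it assumes the vendor-recommended exclusions contain “SolarWinds” or “Orion” in the path or process name (edit `$Patterns` for your own layout).

```powershell
# Added example (not from the article or from SolarWinds): list Microsoft
# Defender exclusions on this host and flag any that would have blinded the
# scanner to an Orion install. Run from an elevated PowerShell session.
# Assumption: excluded locations contain "SolarWinds" or "Orion" in the path
# or process name; adjust $Patterns to match your own install layout.
$Patterns = @('*SolarWinds*', '*Orion*')

$prefs = Get-MpPreference
$rows  = @()

# foreach over $null iterates zero times, so empty exclusion lists are safe.
foreach ($p in $prefs.ExclusionPath)      { $rows += [pscustomobject]@{ Kind = 'Path';      Value = $p } }
foreach ($p in $prefs.ExclusionProcess)   { $rows += [pscustomobject]@{ Kind = 'Process';   Value = $p } }
foreach ($p in $prefs.ExclusionExtension) { $rows += [pscustomobject]@{ Kind = 'Extension'; Value = $p } }

foreach ($r in $rows) {
    $vendorHit = $Patterns | Where-Object { $r.Value -like $_ }
    # Extension exclusions apply host-wide, so excluding .exe or .dll blinds
    # the scanner far beyond the Orion directories.
    $broad = ($r.Kind -eq 'Extension') -and ($r.Value -match '^\.?(exe|dll)$')
    $flag  = if ($vendorHit) { 'VENDOR' } elseif ($broad) { 'BROAD' } else { '' }
    '{0,-10} {1,-7} {2}' -f $r.Kind, $flag, $r.Value
}
```

Anything flagged `VENDOR` or `BROAD` deserves a written justification and a review date; where the performance concern is real, the narrower remedy is to exclude specific files rather than whole directories or extensions, and to keep behavioural monitoring (process creation, outbound DNS and HTTP from the Orion service) in place for whatever is excluded. Other endpoint products expose their exclusion lists through their own consoles or CLIs; the audit is the same.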
Perhaps the time is ripe for the ideas and recommendations of the congressional Cyberspace Solarium Commission, co-chaired by Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wisconsin), to be looked at more closely.
Cyberspace Solarium Commission: A National Cyber Strategy?
The Cyberspace Solarium Commission provides a practical road map and a means to ground a national cyber strategy. The timing of the commission’s March 2020 report (pdf, 182 pages), which called for layered cyber deterrence with a desired end state of “reduced probability and impact of cyberattacks of significant consequence,” may be viewed by some with dry irony given that it falls squarely within the window of the SolarWinds exploitation.
The commission touches on three avenues to achieve that desired end state:
- Shape behavior – “The United States must work with allies and partners to promote responsible behavior in cyberspace.”
- Deny benefits – “The United States must deny benefits to adversaries who have long exploited cyberspace to their advantage, to American disadvantage, and at little cost to themselves. This new approach requires securing critical networks in collaboration with the private sector to promote national resilience and increase the security of the cyber ecosystem.”
- Impose costs – “The United States must maintain the capability, capacity, and credibility needed to retaliate against actors who target America in and through cyberspace.”
The commission went on to make 80-plus recommendations falling into six “pillars”:
- Reform the U.S. government’s structure and organization for cyberspace.
- Strengthen norms and non-military tools.
- Promote national resilience.
- Reshape the cyber ecosystem.
- Operationalize cybersecurity collaboration with the private sector.
- Preserve and employ the military instrument of national power.
The commission’s report was followed in July by several legislative proposals (pdf, 257 pages) that address each of the six pillars. Among these is the recommendation to create, in both the U.S. House and the Senate, a “Permanent Select Committee on Cybersecurity,” which would consolidate the budget and legislative authority that touches national cybersecurity issues.
This is not the first, nor will it be the last, time when industry and government have been compromised at the hands of a foreign actor.
U.S. Intelligence Failure
The idea of entering a target’s ecosystem via a third-party vendor is not new. Most of us are old enough to remember the 2013 Target and 2014 Home Depot exploitations, when hackers breached the companies via third-party access and then navigated through their networks to collect sensitive data. Those attacks also had Russian fingerprints, as some of the malware code was in Russian.
These types of attacks also do not happen quickly. They require detailed surveillance, planning, trial runs and then operational exploitation, and each of those stages is an opportunity for detection.
Therefore, the required after-action report must go back well before the identified footprint of surveillance activity (October 2019) and operational exploitation (March to December 2020) to determine why the U.S. intelligence apparatus did not get wind of the effort before it was operational. In this regard, both HUMINT (human intelligence) and the NSA/U.S. Cyber Command efforts need to be reviewed and, if necessary, overhauled.