SolarWinds Hack: U.S. Govt Failure is Deeply Worrying - Security Boulevard

The U.S. government is doing a piss-poor job of protecting Americans from foreign hackers. That’s the eye-catching conclusion made by a pair of Associated Press scribblers this week.

The SolarWinds hackers broke into the email of former acting Secretary of Homeland Security, Chad F. Wolf (pictured). And the Federal Aviation Administration “struggled for weeks” to rid their network of compromise.

So say secret sources within the government. In today’s SB Blogwatch, we wonder what’s next.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: The Sink.

Your Tax Dollars at Work

What’s the craic? Alan Suderman and James LaPorta report—“SolarWinds hack got emails of top DHS officials”:

 Suspected Russian hackers gained access to email accounts belonging to the Trump administration’s head of the [DHS] and members of the department’s cybersecurity staff. … The symbolism is stark: … It throws into question how the U.S. government can protect individuals, companies and institutions across the country if it can’t protect itself.

The Biden administration has tried to keep a tight lid on the scope of the SolarWinds attack as it weighs retaliatory measures against Russia. But [we] found new details about the breach at DHS and other agencies: [We] interviewed more than a dozen current and former U.S. government officials, who spoke on the condition of anonymity.

The list of obstacles facing the federal government is long: highly capable foreign hackers backed by governments that aren’t afraid of U.S. reprisals, outdated technology, a shortage of trained cybersecurity professionals and a complex leadership and oversight structure. … One former administration official … said the [FAA] was hampered … by outdated technology and struggled for weeks to identify how many servers it had running SolarWinds software.

[CISA] operates a threat-detection system known as Einstein … designed a decade ago. Its failure to detect the SolarWinds breach before it was discovered by a private security company alarmed officials.

Russia has denied any role in the hack. … “Cybersecurity is a top priority,” said White House spokesperson Emily Horne.

Mercy me. Maggie Miller maximizes malarkey—“Hackers accessed emails of top DHS officials”:

 The incident … is one of the largest cybersecurity breaches in U.S. history. … At least nine federal agencies and 100 private sector groups had been compromised.

A spokesperson for DHS … stressed that the agency is evaluating “lessons learned” and working with the White House on ensuring that federal cybersecurity defenses could be built up and modernized. Some of these efforts would be funded through use of $650 million that was included in the recent COVID-19 relief package for DHS’s … CISA.

Follow the pork. Looks like dwater has:

 Manufacturing more consent. Watch for a request for more budget.

Something must be done! Iain Thomson notes something—“Want to check again for SolarWinds compromises?”:

 CISA has released a free tool to allow network administrators to see if they got hit in the SolarWinds attack. Dubbed CISA Hunt and Incident Response Program (CHIRP), the tool checks Windows event logs and Registry alterations for tell-tale signs of a SolarWinds attack. It also looks for Windows network artifacts and runs a YARA rules scan to spot potential malware.

This might seem like a case of shutting the stable door after the horse has not only bolted but is grazing on pasture with a few foals on the way. However, it’s important to check – not just from an information security perspective but also to cover liability.

And what of SolarWinds itself? Bob Zukis puns it up—“Cybersecurity Board Reform Blows Into Place”:

 SolarWinds data breach is the stuff of plaintiff’s attorneys’ dreams and corporate director nightmares. … SolarWinds just took steps to strengthen its boardroom cybersecurity risk oversight.

The actions they are taking aren’t breaking any new ground, except for them, although they are far from widely adopted practices. But they should be: … The ROI of improving digital and cybersecurity risk governance shortcomings in the boardroom is exponentially positive.

The SolarWinds CEO just reported that they are creating a cybersecurity committee on their board and adding additional directors who are digitally and cyber risk literate. [But] there’s more to solving the corporate governance digital and cybersecurity risk oversight problem than just that, although it starts with having corporate directors who can effectively oversee these issues.

Boards need to recognize that risk is changing and their scope of risk management oversight needs to as well. These changes are principally around the issue of … the systemic risk that exists throughout their digital business systems. Cyber risk can’t be understood and mitigated without an understanding of systemic risk.

Digital and cybersecurity success starts in the boardroom. So does digital and cybersecurity failure, unfortunately.

At which a slightly cynical 0laf laffs:

 I don’t think the C-Suite are ignoring it but many companies and organisations have been around for a long time and their networks have grown like slime moulds over decades. If these were brand new networks then securing them would be far easier.

It’s like trying to find a way to make a horse and cart carry a shipping container.

The board probably do see the problem but it seems nearly impossible to fix in a financially viable way, plus they’ve spent many of the last 5yr decimating their IT departments so they have no resources or skills to do the work even if they wanted to. This is something I’ve always found hard to understand, C-Suite falling over themselves to proclaim a new digital future yet forgetting who actually has to do the work on anything that is digital.

So what’s the solution? u/archaeolinuxgeek oils up the snake:

 What you need is my magic hack prevention rock! Like a regular rock, but powered by science!

It’s already prevented potentially quadrillions of attacks. But it only works when you don’t verify anything. If you get hacked, it’s entirely due to a lack of faith. For every 30 minutes that you don’t get hacked, thank this igneous innovation!

Example: You buy my rock and a maintenance plan. You go unmolested for about five years. That’s 87,600 half hour increments with only one penetration! That is 99.98% effective! Can you afford not to send me money?!

TLA BBQ FTW. Zap25 PDQ:

 The CIA, NSA, FBI and the Pentagon not only have the competence, but also the resources and knowledge to provide bulletproof cybersecurity services. But that’s the thing about the DHS, isn’t it? Like many departments, they are led by people who suffer from the “Not invented here” syndrome:

If the DHS didn’t come up with a solution for their cybersecurity problems it is because no other solutions exist within the government. It cannot be that other departments have solutions, let alone that these solutions may be better than anything developed outside the government.

Meanwhile, u/The_Lone_Apple is not alone in pointing the finger:

 Somewhere down the road, the US needs to pay the Russians back for this. Maybe hack into the foreign accounts of oligarchs and set the amounts to zero.

And Finally:

A tribute to the weirdest podcast of 2020

Original podcast: The Sink

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: DonkeyHotey (cc:by-sa)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
