BLUF

SolarWinds has been the talk of the cyber world for the last month, with many legitimate concerns taking a Zen role in security circles – very much looking at the present. As we move to 2021, and get closer to understanding what happened and its organisational impacts, it’s time to look at other questions.

Background

There have been a number of articles posted about SolarWinds, the Christmas gift to cyber security/ infrastructure etc. teams everywhere ensuring most are gainfully employed, even if not properly funded. A quick synopsis of the events is below, with a larger breakout here.

1. March – June 2020 – Solarwinds was hacked but the hack was not yet known. Attackers conducted a supply-chain attack attaching malware to product updates to gain access and data from customers.
2. 8 and 11 December 2020 – FireEye suffered an attack which stole hacking tools used by red team penetration testers (legitimate hackers employed to test network defenses). In investigating the breach, FireEye noted SolarWinds was compromised, with their updates weaponised by the attackers.

From there there has been a scramble.

• Microsoft was able to sinkhole the domain
• Damage assessments are being conducted
  • (198 victims – critical government agencies/ ISPs among them, investigations and meetings in US executive and legislative branches conducted)
• Fingers are pointed
• Many teams are working tirelessly to answer questions which aren’t likely theirs, but fall to no one else.

A few questions come to mind about where we go from here. These are not comprehensive, merely a start.

1. This was assessed to be a state-sponsored operation, but no one will say it. Why? Because we rightly look to definitive attribution before levelling accusations. Trouble is, that takes a good bit of time and a lot of resources from a variety of organisations who are rather bad at working with others. Law Enforcement wants to be the ones who break the case open. Vendors do the same to bolster their marketing strategies. Intelligence just overclassifies things so no one else can look. You will see agencies and vendors working in tandem. Rarely do you find agencies and vendors working together with their own. Hell hath frozen if you see multiple vendors and agencies working on the same. Are we ready to recognise this is all the same game and have at least our skin (if not our soul) in it?
2. We talk a good game of information sharing among peers, but we (and our third parties) are afraid of doing the same, fearing litigation and reputational damage. When we think about how to take things end-to-end for constructs such as operational resilience, often we think about customer experience – without talking to them*. When will we be ready to work on building continents from our island cyber ecosystems? In many cases the top 5% are pretty well set-up to defend themselves. The other 95% are trying and could benefit from a bit of help. If we start looking at the cooperative culture across our supply chain… well, that’s another post.
3. How does cyber supply-chain/ state-actors/ response options factor into organisational risk calculations? A whole other conversation for another post.
4. Microsoft and friends (which sounds like a Stan Lee educational comic coming free with Office 365 were it released in the 80’s) sinkholing the domain leads to larger questions. Don’t get me wrong, I’m happy they did it. However, since this was potentially a state actor, making their activities state operations, who gives the authorisation to counter? We still haven’t established Rules of Engagement or any frameworks in cyber. Do we trust multinational private-sector entities conducting operations on behalf of national interests? If it were someone other than Microsoft or FireEye in the spotlight (say it was Huawei and Kaspersky doing the same operations), would we have the same trust? Who decides? Certainly another post.
5. As we move forward, this isn’t the first time (potentially) Russia conducted a cyber attack to massive effect for many unintended victims, costing millions of dollars in resources and man-hours just to get a sense of what’s going on and the relative effect. Were it done in physical spaces we would have had physical deterrence in play. What constitutes cyber deterrence? What are the repercussions of these actions? What red lines are there to cross and who draws them?
6. Lastly, as I am quite excited about the development of space and the expansion into the private sector, are we willing to risk lives in space for cyber, or is it time to develop a new framework to operate whilst not losing the technological advances?

There are many more questions and posts to follow, these are conversations not to be held lightly.

-scl

*We may talk to a chosen few who may be so large they have different vantage, so important they get special treatment, or so indifferent they won’t answer the questions with diligence or consideration. Not to mention the likelihood of special relationships in all potentially tainting communications.