SolarWinds: Lessons from the largest ever cyber attack
The December discovery that compromised software from SolarWinds had given hackers access to the systems of government agencies and businesses worldwide exposes where cybersecurity is going wrong. Bill Mew asks what can be learned from the largest ever cyber attack.
In December security researchers revealed that hackers working for a nation-state had managed to infiltrate SolarWinds’s Orion software. Orion is described as a “single pane of glass” that can monitor everything in a system, and it is used by key government agencies and many of the world’s largest companies to manage their IT networks.
By inserting malicious code into the software updates provided by SolarWinds to its customers in March and June 2020, the hackers had been able to create backdoors to let them spy at will on targets that included the US military and the Pentagon as well as thousands of other organisations.
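The mechanism described above is a build-pipeline compromise: the malicious code was inserted before the vendor packaged and shipped the update, so the update looked like any other legitimate release to customers. The following Python script is an added example, not code from the article or from SolarWinds, showing the kind of gate a defender can put in front of update deployment. It checks a downloaded artifact against a pinned digest manifest and, separately, against the digest of an independent rebuild of the same source tag. The second check is the one that matters here: a manifest published by the vendor will vouch for whatever the vendor's pipeline produced, so only a digest computed outside that pipeline can reveal that the shipped bytes differ from the bytes the source actually builds to. All vendor names, versions and byte strings are constructed for the example.

```python
"""Deployment gate for vendor updates (added illustrative code).

An update is admitted only if its SHA-256 digest matches
  1. the digest pinned for that name/version in a manifest, and
  2. (when available) the digest of an artifact rebuilt independently
     from the corresponding source tag (a reproducible-build cross-check).
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class UpdateArtifact:
    name: str        # package name as published by the vendor
    version: str     # release version string
    content: bytes   # raw bytes of the downloaded update file


def sha256_hex(data: bytes) -> str:
    """Hex-encoded SHA-256 digest of an artifact."""
    return hashlib.sha256(data).hexdigest()


def gate_update(
    shipped: UpdateArtifact,
    manifest: Dict[Tuple[str, str], str],
    rebuilt_digest: Optional[str] = None,
) -> Tuple[bool, List[str]]:
    """Decide whether `shipped` may be deployed.

    Returns (allowed, reasons). `reasons` lists every failed check so an
    operator sees all discrepancies, not just the first one.
    """
    reasons: List[str] = []
    digest = sha256_hex(shipped.content)

    # Check 1: the artifact must match the digest pinned for this release.
    pinned = manifest.get((shipped.name, shipped.version))
    if pinned is None:
        reasons.append("version not in pinned manifest")
    elif pinned != digest:
        reasons.append("digest differs from pinned manifest")

    # Check 2: the artifact must match what the source tag builds to
    # when compiled outside the vendor's pipeline.
    if rebuilt_digest is not None and rebuilt_digest != digest:
        reasons.append("digest differs from independent rebuild")

    return (not reasons, reasons)


# --- Constructed sample data (hypothetical vendor "ExampleNMS") -------------
GOOD_BUILD = b"ExampleNMS monitoring agent 2020.2 - clean build\n"
# Same release, but with extra code injected during the vendor's build step.
TROJANED_BUILD = GOOD_BUILD + b"; payload inserted in the build pipeline\n"

# Manifest produced from a trustworthy build of the release.
MANIFEST = {("nms-agent", "2020.2"): sha256_hex(GOOD_BUILD)}
# Manifest a compromised vendor would publish: it vouches for the bad bytes.
MANIFEST_FROM_COMPROMISED_VENDOR = {
    ("nms-agent", "2020.2"): sha256_hex(TROJANED_BUILD)
}


def demo() -> List[Tuple[str, bool, List[str]]]:
    """Run the three scenarios a practitioner should care about."""
    clean = UpdateArtifact("nms-agent", "2020.2", GOOD_BUILD)
    bad = UpdateArtifact("nms-agent", "2020.2", TROJANED_BUILD)
    rebuilt = sha256_hex(GOOD_BUILD)  # digest from our own rebuild
    return [
        ("clean update, both checks", *gate_update(clean, MANIFEST, rebuilt)),
        ("tampered update, manifest only", *gate_update(bad, MANIFEST)),
        # The vendor's manifest passes; only the rebuild exposes the problem.
        ("tampered update, vendor-signed manifest + rebuild",
         *gate_update(bad, MANIFEST_FROM_COMPROMISED_VENDOR, rebuilt)),
    ]


if __name__ == "__main__":
    for label, allowed, reasons in demo():
        print(f"{label}: {'ALLOW' if allowed else 'BLOCK'} {reasons}")
```

The third scenario is the SolarWinds-shaped one: every vendor-side artifact (manifest, signature, download) is internally consistent, and the deployment is blocked only because a digest computed from an independent build disagrees. Where reproducible builds are not available, the same slot can be filled by a digest obtained from a second, independent distribution channel, but a single vendor-controlled source of truth should never be the only check.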
Western societies have never been so reliant on technology or so interconnected. Consequently, we have never been so vulnerable to cyber threats. These come in two main forms: 1) espionage and 2) cybercrime. It is unrealistic to think that we can prevent either, but there are ways that each can be mitigated.
Espionage and mass surveillance
As long as there are national security threats, there will always be security agencies and some form of spying or mass surveillance. Espionage is internationally allowed in peacetime. The problem is that both espionage and cyberattacks require the same computer and network intrusions, and the difference is only a few keystrokes.
The best-funded agencies of all are based in the US: the NSA, FBI, CIA, and others. Their approach to date has been based on a combination of international mass surveillance to identify the threats, selective bans on vendors from certain countries to reduce vulnerabilities, and proactive attacks to neutralise the main threats before they can cause harm. This follows the Clausewitz principle that attack is the best form of defence.
A very public rebuke on privacy
This approach has run into trouble recently. Firstly, America’s allies in the EU and elsewhere have rebuked the US for employing extraterritorial laws to enable its agencies to conduct mass surveillance that has contravened promises it made to respect its allies’ privacy.
The Privacy Shield agreement for transatlantic data sharing has been overturned because US measures such as the CLOUD Act, FISA 702, and EO 12333 allowed US agencies to access personal data held by US cloud, telecoms, and social media firms. The mass surveillance was found to lack proportionality as it was unlimited and there was also no effective independent oversight or redress.
The world’s biggest ever hack
Secondly, the Clausewitz approach has been found to be ineffective. The proactive and combative approach adopted by the highly-funded US agencies failed to detect or prevent a widespread cyber hack that compromised a host of federal government systems and thousands of public and private networks. Probably the largest attack in history, it is believed to have been “an intelligence-gathering effort” that was “Russian in origin,” according to a joint statement from the Cyber Unified Coordination Group, which includes the FBI, the National Security Agency, the Office of the Director of National Intelligence and the Cybersecurity and Infrastructure Security Agency.
The scope of the SolarWinds attack is potentially huge. SolarWinds has 275,000 customers worldwide, but the company believes that “fewer than 18,000” of its customers had downloaded the compromised updates. Hackers could have had access to these clients’ systems for as long as nine months.
Embarrassingly, potentially affected clients included all five branches of the US military, the Pentagon, the State Department, the NSA, the Department of Justice and the Office of the President of the United States.
Fingers are being pointed at the SVR, Russia’s foreign intelligence service, which previously implanted the NotPetya virus into Ukrainian accountancy software in 2017, but Russian officials have labelled the accusations “groundless”.
Vendor blacklisting is flawed
Blacklisting vendors has also been found to be counterproductive. Those on the blacklist, such as Russia’s Kaspersky Labs and China’s Huawei, have all been heavily scrutinised without any backdoors being discovered. Instead, it was SolarWinds, a vendor on the whitelist, that was compromised in order to create backdoors.
The whole blacklisting approach has not only undermined innocent vendors, but it has provided a false sense of security. Hackers aren’t going to target those vendors on the blacklist. Instead, as we have seen, they will seek to compromise those on the whitelist – ones that everyone, including the NSA, had trusted.
Cybercrime and Ransomware
Meanwhile, cybercriminals, who sometimes act out of malice or mischief, or to cause business disruption or economic and financial distrust, but who mainly act for profit and not at all for espionage, have been on the rampage. Not only have ransomware incidents escalated in number, sophistication and severity, but the criminals have cynically targeted health and pharmaceutical institutions that have been busy battling the pandemic.
While we have cautioned against paying ransoms, many UK firms have seen no other choice. In the last year, they have been forced to pay out more than £200m ($266m) in ransom demands from cybercriminals, for fear of further fines, lost data, and damaged reputations.
As Eugene Kaspersky, one of the world’s greatest champions of cybersecurity and, ironically, the CEO of the blacklisted cybersecurity firm that bears his name, has explained, the cost of the ransom is just the tip of the iceberg: “If an organisation is attacked with ransomware, it is not just a matter of paying the ransom and ending the matter. There are many other costs that are inextricably linked to hacking. The real cost of a ransomware attack will most likely include loss of revenue during downtime, fees paid to cybersecurity experts, various fines, as well as reputational damage and even a consequent loss of business or capitalisation.”
He argues that even with budgets under pressure during the pandemic, “cybersecurity must not be allowed to move down the priority list. Organisations can work smart and deploy the simplest protocols to keep their business protected against attack.”
What do we need to do differently?
A new approach is required. The best way to counter the cyber threat is with cooperation rather than confrontation. In our next article, we will go on to explain in more depth the need to do things differently – to move away from the Clausewitz approach and from vendor bans, towards international collaboration. This needs to set out guiding principles for key protections in the digital age:
Protections from cybercrime
Protections for privacy
Protection of intellectual property
Protection of taxable revenue
It is these digital protections that will define our future, that will be the subject of international geopolitical tension and that can only be resolved via collaboration and cooperation.
Founder and CEO of CrisisTeam.co.uk (SiliconANGLE global Startup of the Week – May 2019), an elite team of experts in incident response, cyber law, reputation management and social influence that help clients minimize the impact of cyber incidents. Previous cloud strategist at UKCloud (the...