The online world has become a cornerstone of global society, a fact that 2020 has certainly been a testament to as technology has assisted in the response to a global pandemic, through innovation in research, tracking the spread of COVID-19, and empowering us to socially distance at school and work.
As in all sectors, our increased reliance on technology is matched by an increase in cybersecurity risks, including those posed by individuals and nation-states capitalizing on society’s reliance on information and communications technologies (ICT). We have seen a rise in cybercrime as threat actors profit from a global human tragedy by targeting the healthcare sector. But we are observing cybercriminal activity in all sectors across the globe, which demands a more focused international discussion about cyberspace norms and deterrence strategies to disincentivize bad actors and to hold them accountable.
The recent cyberattack on software company SolarWinds is especially devastating and concerning. The malicious actors in this case compromised SolarWinds’ build and distribution infrastructure via a method that puts the broader online environment at risk. As FireEye discovered and SolarWinds reports, the attackers incorporated their malware into an update of the company’s Orion product, which may have been installed by as many as 18,000 customers, including government agencies. The attack is therefore neither narrow nor targeted, and it could still result in damaging repercussions well beyond data collection and espionage. By turning a trusted update channel into a delivery mechanism, the attack exposes how much of our interconnected world depends on the integrity of that channel, and demonstrates how a “supply chain attack” can quickly undermine trust in our online environment.
System upgrades and updates, security-focused or otherwise, are already frequently viewed with suspicion by customers and consumers around the world, who are wary of allowing access to their computer systems. Nevertheless, these processes are essential tools for improving the performance and security of ICT products and services. To exploit them for malicious purposes is reckless and unacceptable.
The dangerous implications of nation-state supply chain attacks were acknowledged by the United Nations Group of Governmental Experts on Developments in the Field of ICTs in the Context of International Security in 2015, which agreed in one of 11 norms that “States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions.”
Similar support for supply chain security has emerged outside the United Nations. The Paris Call for Trust and Security in Cyberspace, which the Cybersecurity Tech Accord supported as one of its first signatories, also acknowledged the importance of supply chain security: “To that end, we affirm our willingness to work together, in the existing fora and through the relevant organizations, institutions, mechanisms and processes to assist one another and implement cooperative measures, notably in order to: … Develop ways to prevent the proliferation of malicious ICT tools and practices intended to cause harm; and Strengthen the security of digital processes, products and services, throughout their lifecycle and supply chain.”
Malicious actors, with motives ranging from criminal to geopolitical, have inflicted economic harm, put human lives at risk, and undermined the trust that is essential to an open, free, and secure internet. Attacks on the availability, confidentiality, and integrity of data, products, services, and networks have demonstrated the need for constant vigilance, collective action, and a renewed commitment to cybersecurity.
The Cybersecurity Tech Accord recognizes that protecting our shared online environment is in everyone’s interest and is crucial now, more than ever. We came together nearly three years ago, based on four core principles that bind us to defend and improve the security of the online world for the benefit of all societies. We have also pledged our support to the Paris Call. We committed ourselves to act responsibly, to protect and empower our users and customers, and to work to improve the security, stability, and resilience of cyberspace, and this includes promoting accountability.
Therefore, we believe it is necessary to identify this action for what it is – an inexcusable breach of trust. We hope that this incident will galvanize governments to tighten and strengthen rules governing behavior in cyberspace and to ensure accountability for bad actors. It should also encourage organizations worldwide to double down on increasing their supply chain security, and improving their cybersecurity readiness.
We commend our signatories FireEye and Microsoft, along with others, who are working tirelessly to respond to cyberattacks and other malicious activity and to ensure the safety and security of our networks. We appreciate the early disclosure and information sharing that has taken place in the wake of this recent incident. It is a testament to the importance of the public-private partnership in cybersecurity. Importantly, it also demonstrates a positive step in increasing the transparency of nation-state activity, which is needed to continue the global dialogue on protecting the internet. We hope that elevating attention to this problem raises awareness among organizations and individuals of the actionable steps they can take to protect themselves.