By Mark Kuhr, Co-Founder and Chief Technology Officer of Synack
The impact of the SolarWinds compromise is staggering: approximately 18,000 customers—including private sector companies, government agencies, and education institutions—used the malware-laden version of the Orion network-monitoring platform, with major companies—such as Microsoft, Cisco and Intel—acknowledging that their networks were compromised. Perhaps most significantly, the attackers breached the security at as many as 10 U.S. government agencies with subsequent targeted operations.
While it may take years to tally the full extent of the massively damaging SolarWinds Orion hack, one thing is clear: The current cyber defense approach is not working.
Even though the U.S. government and American industry have spent billions of dollars on supposedly state-of-the-art defenses, we continuously suffer as the most well-trained and cunning cyber operations specialists — from Russia, China, North Korea, Iran, or elsewhere — carry out attacks that violate U.S. sovereignty, steal intellectual property, pilfer commercial and technological secrets, and weaken American democracy.
The Biden administration can make a critical difference in cybersecurity if it adopts an adversarial mindset when appropriate. While details of the SolarWinds hack will continue to emerge over time, it should not take years to construct stronger defenses to guard against sophisticated nation-state attacks or to begin changing policies and practices that have failed to safeguard critical systems against our most advanced adversaries. In fact, much of that know-how already exists. We just have to focus it in the right places.
It’s time to lay the groundwork now to adopt more innovative and aggressive solutions designed to quickly root out weaknesses and detect intrusions before they spread.
Rebuild tools that no longer work
The first line of defense for U.S. government agencies are two technologies: EINSTEIN 3 Accelerated (E3A) and the Continuous Diagnostics and Mitigation (CDM) program. Neither one detected attacker activity due to the SolarWinds compromise.
E3A grew out of the EINSTEIN program in 2003 and aims to detect threats by aggregating network data across civilian agencies. Kicked off in 2012, the CDM program focuses on a more holistic approach to cybersecurity, handling asset management, network security analysis, and data protection.
Yet, neither program is equipped to defend against the threats we have seen in 2021. The Department of Homeland Security launched its CDM initiative in 2012, for example, to provide a dynamic and multi-faceted approach to fortifying the cybersecurity of government networks and systems, but the cybersecurity threat landscape has shifted over the past decade. Rather than data breaches and intellectual property theft, current threats include ransomware, phishing attacks, and cyber-physical attacks that could affect everything from our elections to our economy, making the continuous monitoring as a service (CMaaS) approach outdated and ineffective.
A one-size-fits-all program for federal agencies facing stealthy overseas hackers no longer provides the needed protection against increasingly common and potentially devastating cyberattacks. There need to be enforcement mechanisms built into the program and requirements for how agencies should address problems discovered through CDM. Sensors can help identify threats, but today’s risks demand a more proactive approach.
Shoring up supply-chain security
The U.S. government and industry have slowly but surely, created a third-party and partner ecosystem to supply necessary hardware, software and services. However, smaller organizations with slimmer margins have less capability to secure their networks than the enterprise and government clients. As networks and data become increasingly interconnected, the reliance on third parties leaves innumerable firms vulnerable to potential attacks.
The SolarWinds Orion attack is only the latest example of a successful supply chain attack. In 2017, an intrusion at a small, family-owned Ukrainian supplier of tax software resulted in a malicious update that kicked off the damaging digital epidemic of the NotPetya crypto-locking worm. And in May, software services firm GitHub found more than 26 software projects had been compromised by a malware tool, the Octopus Scanner, that drops malware upon installation.
As third parties and companies work more closely together, supply chains are growing in complexity. The more integrated business relationships add risk that should be tested to find weak points and security threats. While detecting the compromise of SolarWinds would be a tall order for any downstream client—even government agencies—the behavior of trusted tools needs to be monitored and analyzed to detect continual supply-chain compromises.
Thinking more like the adversary
The cybersecurity threat is ever-evolving, and the adversary is continually learning from our security measures and augmenting their approaches, thus we must adapt to the changing threat. While scanning for signs of the attacker inside your network is necessary, taking a purely defensive approach is not enough. Organizations need to think more like the attacker, adopting penetration and automated attack testing to find weak points before they can be exploited.
Crowdsourced security testing harnesses the power of legions of hackers to provide intelligence about how secure or vulnerable an organization appears to an adversary. By partnering with ethical hackers, organizations gain information on potential vulnerabilities, whether patches have been correctly applied, and their overall resistance to outside attack. Employing crowdsourced penetration testing and vulnerability assessments can be a critical part of any good cybersecurity strategy.
The U.S. government has already engaged with crowdsourcing security firms to launch penetration testing programs, such as Hack the Pentagon. Increasing efforts to allow independent researchers and ethical hackers help put the United States on the right path to eliminate vulnerabilities and enhance security. This crowdsourced penetration testing model is about as close as an organization can get to testing systems against a real-world adversary.
The Trump administration’s cybersecurity strategy continued the U.S. government’s focus on tapping the commercial sector for aid in securing the nation’s networks, systems, and data, with a “Defend Forward” policy. Expanding public-private partnerships can add real-time, actionable intelligence, allowing federal agencies to better understand their vulnerability to cyber threats and plan an appropriate response.
The cybersecurity landscape has become increasingly complex, making the proper security mechanisms and infrastructure necessary to combat today’s unrelenting and often devious adversaries. The Biden administration should focus on creating a strong cybersecurity foundation by altering the current approach to defense from the outdated CDM program and instead embrace a more adversarial mindset that can detect security weaknesses before they are exploited by cyberattacks.
By utilizing more innovative and aggressive solutions, such as ethical hacking via more public-private partnerships and focusing more on supply-chain security, we can start constructing stronger defenses today.