Reflections on the SolarWinds Breach

Since Dec. 13 the SolarWinds breach has dominated the news cycle. The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to mitigate the consequences of the security breach. SolarWinds, the company responsible for the software in question, reported that as many as 18,000 customers may have been affected. Other reports indicate that a variety of government agencies, including the Departments of Treasury, State, Commerce, Energy (specifically, the National Nuclear Security Administration, which is responsible for the U.S. nuclear weapons stockpile) and Homeland Security have been affected as well. The Washington Post reports that the Russians are behind the hack and that they have had a foothold in the affected networks since March 2020.

The timeline of this incident is still unfolding, and more information is available every day about its particulars, but it is not too early to offer a number of high-level observations and predictions:

  • The scale and significance of this incident will grow as more details of the breach are revealed. There is little chance that all of the damage that has occurred has been revealed to the attack’s victims. Further, it is entirely possible that undetected portions of the attack are still in operation, continuing to gather information that will be transmitted back to the adversary or planting “logic bombs” that will be “detonated” at a future date. (A “logic bomb” is code inserted into a program that does harm to the computer system on which it is being executed when certain conditions are met, such as the date being January 4, 2021 or processing a transaction valued at a specific amount like $612,292.21.) While there is no evidence at the present moment that this is the case, nothing has appeared in the public record that would rule it out.
  • Those responsible have had many months to burrow into their targets’ information technology infrastructures. Completely eliminating the attackers’ access to the network will be really hard if not impossible. A useful analogy might be therapy for cancer—unless you can kill essentially every cancerous cell in someone’s body in an initial round of therapy, cancer may well return while the patient is in remission. And killing every single cancerous cell in someone’s body is mighty hard to do. Rebuilding entire IT systems from scratch may be the only thing that affected networks can do to ensure the attackers no longer have a foothold.
  • Victims attempting to rebuild their systems from scratch will face agonizing choices between security and some significant loss of work that was done between March 2020 and now (not to mention the loss of productivity entailed in rebuilding systems rather than doing useful new work). For example, one might consider restoring databases from backup media—assuming backups are still available from March, which is certainly not guaranteed. But records in many of those databases will probably have been changed, sometimes significantly, since March. Using backups from March will mean losing all of the work done on those databases in the past nine months. Using more recent backups could reduce the amount of work lost, but the more recent the backup, the greater the likelihood that the backup itself contains potentially contaminated data.
  • It is impossible for any vendor of computer products or services to develop what it needs all by itself. Even the most sophisticated vendor of IT products and services obtains components such as a power supply or a program library from other parties to integrate into its offerings for customers. The SolarWinds breach has been described as a “supply chain attack,” which is true. But supply chain vulnerabilities have been a concern for cybersecurity specialists for a number of decades, and few with decision-making authority have listened—it should not have taken the SolarWinds incident for such individuals to focus seriously on supply chain security issues.
  • The majority of cybersecurity breaches reported to date have resulted in compromising the confidentiality of data—hackers get their hands on data which they have no right to access. But there are other threats to data. Compromises to data integrity are of deep concern—instances when hackers alter or erase data. Compromises of integrity can be even more dangerous than compromises of confidentiality. When electronic medical records are involved, most people would feel far worse about a cyber intrusion that removed an indication of an allergy to a certain medication from a medical record than one that merely revealed that allergy, even if those records are supposed to be kept confidential.
  • Data is not the only component at risk in cybersecurity breaches—cyberphysical devices and computer-based control systems can also be affected. Even smartphones and personal computers can control physical devices, such as printers or Amazon’s Alexa. One report indicates that the compromised SolarWinds Orion software is sometimes used to manage networks that support devices for environmental controls and power in buildings. But nearly any physical real-world functionality can be tied to a network and controlled by computer, and it is quite unlikely that anyone knows the full range and extent of cyberphysical capabilities that the attackers could now control. This lack of knowledge may hold even within individual organizations, where building engineers and individual offices often decide, without reporting to higher management, to put control of physical systems on networks.
  • In recovering from a cybersecurity breach, psychology also plays an important role. If your system has been compromised to an unknown extent, and your IT employees tell you that it now works properly, could you trust their judgement following a large breach? For example, if you have a calculator in your office that gives an error in about ten percent of its calculations—would you trust it to complete your tax return? It mostly works—but you would probably not base your 1040 on it. Similarly—would you trust the data in your company’s databases following a breach? What would reassure you that essential data has not been compromised and is still valid as read from the database? On the other hand, you may have no choice about it—you may have to proceed, despite your doubts.
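The integrity point above (an allergy silently removed from a medical record) and the question of what would reassure you that database contents are still valid can be made concrete with a keyed integrity manifest. The following is an added example, not code from the original article or from any vendor involved in the incident: records are tagged with an HMAC under a key held outside the system being checked, at a moment the data is trusted (for instance when a known-good backup is taken), and the manifest is later used to list exactly which records were modified, deleted or injected. The record layout, the key, and the sample patient rows are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Hypothetical key kept OFF the system whose records are checked (offline vault,
# hardware token). If it lived in the same database, an intruder with write access
# could simply re-tag whatever they altered. Constructed value for this example.
INTEGRITY_KEY = b"example-integrity-key-stored-off-system"


def canonical(record: dict) -> bytes:
    """Serialize a record deterministically so identical content always tags identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def tag(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """Keyed tag (HMAC-SHA256) over the canonical form of one record."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def seal(records: list[dict], key: bytes = INTEGRITY_KEY) -> dict[str, str]:
    """Build a manifest {record_id: tag} at a time the data is trusted.
    The manifest itself must also be stored where the intruder cannot rewrite it."""
    return {r["id"]: tag(r, key) for r in records}


def verify(records: list[dict], manifest: dict[str, str],
           key: bytes = INTEGRITY_KEY) -> dict[str, list[str]]:
    """Compare the current records against the sealed manifest.
    Returns ids of records that were modified, that disappeared, or that were added."""
    current = {r["id"]: r for r in records}
    findings = {"modified": [], "missing": [], "unexpected": []}
    for rid, expected in manifest.items():
        if rid not in current:
            findings["missing"].append(rid)
        elif not hmac.compare_digest(tag(current[rid], key), expected):
            findings["modified"].append(rid)
    for rid in current:
        if rid not in manifest:
            findings["unexpected"].append(rid)
    return findings


# Constructed sample data: the trusted baseline, e.g. the state captured with a
# pre-incident backup.
BASELINE_RECORDS = [
    {"id": "p1", "name": "A. Example", "dob": "1970-01-01", "allergies": ["penicillin"]},
    {"id": "p2", "name": "B. Example", "dob": "1985-06-15", "allergies": []},
    {"id": "p3", "name": "C. Example", "dob": "1992-11-30", "allergies": ["latex"]},
]

# Constructed sample data: the same table as read back after an intrusion.
# p1's allergy was removed, p3 was deleted and an unknown p4 was inserted.
TAMPERED_RECORDS = [
    {"id": "p1", "name": "A. Example", "dob": "1970-01-01", "allergies": []},
    {"id": "p2", "name": "B. Example", "dob": "1985-06-15", "allergies": []},
    {"id": "p4", "name": "D. Example", "dob": "2000-02-02", "allergies": []},
]


def audit_sample() -> dict[str, list[str]]:
    """Seal the baseline, then verify the tampered table against it."""
    manifest = seal(BASELINE_RECORDS)
    return verify(TAMPERED_RECORDS, manifest)


if __name__ == "__main__":
    for category, ids in audit_sample().items():
        print(f"{category}: {ids}")
```

The manifest does not say whether a change was legitimate; it narrows the review to the records that differ from the trusted point, which is what turns the all-or-nothing choice between an old backup and a possibly contaminated recent one into a bounded reconciliation job. Both the key and the manifest have to be unreachable from the compromised environment, otherwise an intruder with write access can re-seal their own edits and the check proves nothing.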
  • What is the most important security lesson to come from a breach of this size? Cybersecurity requires resilience as well as strong defenses. Unfortunately, the United States’ public and private sectors have simply not yet internalized this fact. The idea that it is possible to erect cybersecurity defenses that will keep the bad guys out of systems and networks forever is absurd on the face of it, and no serious cybersecurity professional believes that is possible. Those using information technology must assume their systems and networks have already been compromised, and take the proper precautions as if they are operating on compromised systems and networks. This will be inconvenient, reduce productivity and seem unnecessary, but it is the only way to limit the effects of a security compromise.