Colonial Pipeline ransomware attack and SolarWinds hack were almost inevitable: why national cyber defense is a "wicked" problem
Military units such as the 780th Military Intelligence Brigade, shown here, are just one component of US national cyber defense. Flickr

Takeaways:
- There is no easy solution for strengthening US national cyber defense.
- The software supply chain and private sector infrastructure companies are vulnerable to hackers.
- Many US companies outsource software development because of a lack of talent, and some of that work goes to Eastern European companies that are vulnerable to Russian agents.
- Authority for US national cyber defense is divided between the Department of Defense and the Department of Homeland Security, leaving gaps in authority.

The May 7, 2021 ransomware attack on Colonial Pipeline illustrates a major challenge the United States faces in strengthening its cyber defenses. A private company that manages a key component of US energy infrastructure and supplies nearly half of the East Coast's liquid fuel was vulnerable to a very common type of cyberattack. The FBI reportedly attributed the attack to a Russian cybercrime gang. It is difficult for the government to mandate better security at private companies, and the government cannot provide that security for the private sector. Similarly, one of the most devastating cyberattacks in history, the SolarWinds hack disclosed in December 2020, exposed vulnerabilities in the global software supply chain that affect government and private sector computer systems. It was a serious breach of national security that revealed gaps in US cyber defense. Those gaps include inadequate security by a major software producer, fragmented authority for government support of the private sector, a blurred line between organized crime and international espionage, and a national shortage of software and cybersecurity skills. These gaps cannot be easily closed, but the scope and impact of the SolarWinds attack show how important closing them is for US national security.
Cyber defenses for critical infrastructure are much harder to put in place than a barbed wire fence around a fuel depot. Jim Watson/AFP via Getty Images

The SolarWinds breach may have been carried out by a group linked to Russia's FSB security service, and it compromised the software development supply chain that SolarWinds used to deliver updates to 18,000 users of its Orion network management products. SolarWinds sells software that organizations use to manage their computer networks. The hack, which allegedly began in early 2020, was discovered only in December, when the cybersecurity firm FireEye revealed that it had been hit by the malware. Even more worrying, this may have been part of a broader attack on US government and commercial targets. The Biden administration is preparing an executive order that is expected to address these software supply chain vulnerabilities. Importantly, however, those changes would not have prevented the SolarWinds attack. And to prevent ransomware attacks like the one on Colonial Pipeline, US intelligence and law enforcement agencies would have to infiltrate every organized cybercriminal group in Eastern Europe.

Supply chain, sloppy security, lack of talent

Vulnerabilities in the software supply chain, the collection of software components and software development services that companies use to build software products, are a well-known issue in the security field. In response to a 2017 executive order, a Pentagon-led interagency task force reported "amazing levels of foreign dependence," workforce challenges, and companies moving key capabilities such as printed circuit board manufacturing overseas in pursuit of competitive pricing. All of these factors played a part in the SolarWinds attack. According to cybersecurity experts, SolarWinds' growth strategy, which includes a plan to spin off its managed services provider business in 2021, is responsible for much of the damage.
I think that outsourcing software development to Eastern Europe, including Belarus, puts us at risk. Russian agents are known to use companies in former Soviet satellite states to inject malware into software supply chains. Russia used this technique in the 2017 NotPetya attack, a software supply chain attack that cost global companies more than US$10 billion. According to cybersecurity researchers, SolarWinds also failed to practice basic cybersecurity hygiene. Vinoth Kumar reported that the password for the software company's development server was "solarwinds123", a flagrant violation of basic cybersecurity standards. SolarWinds' sloppy password management is ironic given that the company's Passportal product won a 2019 Password Management Solution of the Year award. In a blog post, the company admits that "attackers were able to evade threat detection technologies used by both SolarWinds, other private companies, and the federal government." The bigger question is why the American company SolarWinds had to rely on foreign providers for software development. The Pentagon's supply chain report characterizes the shortage of software engineers as a crisis, because the education pipeline does not produce enough software engineers to meet the needs of the commercial and defense sectors. There is also a shortage of cybersecurity talent in the United States. Software development and network engineering are among the most in-demand skills across the country, and the shortage of software engineers who focus specifically on software security is severe.

Fragmented authority

SolarWinds has a lot to answer for, but I argue that it should not have had to defend itself against a state-organized cyberattack. The 2018 National Cyber Strategy describes how supply chain security is supposed to work.
The government evaluates the security of federal contractors like SolarWinds by reviewing their risk management strategies, ensuring they are informed of threats and vulnerabilities, and responding to incidents on their systems. But this official strategy splits these responsibilities between the Pentagon for defense and intelligence systems and the Department of Homeland Security for the private sector, continuing a fragmented approach to information security that began in the Reagan era. Carrying out the strategy falls to DOD's US Cyber Command and DHS's Cybersecurity and Infrastructure Security Agency. DOD's strategy is to "defend forward," that is, to block malicious cyber activity at its source. This proved effective for the 2018 midterm elections. The Cybersecurity and Infrastructure Security Agency, established in 2018, is responsible for providing information on threats to critical infrastructure sectors. Neither agency appears to have warned of or tried to mitigate the attack on SolarWinds. The government's response came only after the attack. The Cybersecurity and Infrastructure Security Agency issued alerts and guidance, and a Cyber Unified Coordination Group was formed to facilitate coordination among federal agencies. While these tactical actions were useful, they were only a partial solution to a larger strategic problem. The fragmentation of authority for national cyber defense revealed by the SolarWinds hack is a strategic weakness that complicates cybersecurity for both government and the private sector and invites further attacks on the software supply chain.

Wicked problems

National cyber defense is an example of a "wicked problem," a policy problem with no clear solution or measure of success. The Cyberspace Solarium Commission identified many inadequacies in US national cyber defense. "There is still not a clear unity of effort or theory of victory driving the federal government's approach to protecting and securing cyberspace," the Commission said in its 2020 report.
Many of the factors that make it hard to build a centralized national cyber defense are outside the government's direct control. For example, economic pressure leads tech companies to get products to market faster by taking shortcuts that compromise security. A law along the lines of the Gramm-Leach-Bliley Act, passed in 1999, which imposes security requirements on financial institutions, could help address the rush for speed in software development. But software developers are likely to resist additional regulation and oversight. The Biden administration appears to be taking the challenge seriously. The President has appointed a National Cyber Director to coordinate the relevant government efforts. It remains unclear whether and how the government will address the problem of fragmented authority, and how it will protect the companies that provide critical digital infrastructure. It is unrealistic to expect US companies to be able to counter foreign cyberattacks. In the meantime, software developers can apply the secure software development approach advocated by the National Institute of Standards and Technology. Government and industry can prioritize the development of artificial intelligence that can identify malware in existing systems. All of this takes time, though, and hackers move fast. Finally, companies need to assess their vulnerabilities proactively, especially by engaging in more "red team" activities, in which employees, contractors, or both act as hackers and attack the company. Recognizing that hackers working for foreign adversaries are dedicated, thorough, and unconstrained by any rules is essential to anticipating their next moves and to strengthening and improving US national cyber defense. Otherwise, Colonial Pipeline is unlikely to be the last victim of a major attack on US infrastructure, and SolarWinds is unlikely to be the last victim of a major attack on the US software supply chain.
This is an updated version of an article first published on February 9, 2021. This article is republished from The Conversation, a nonprofit news site dedicated to sharing ideas from academic experts. It was written by Terry Thompson of Johns Hopkins University. Terry Thompson does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article.