As the dust has settled on the December 2020 SolarWinds Orion “hack,” there’s much more scrutiny worldwide of cybersecurity and the global implications of sophisticated digital attacks. The attack brought several issues to the forefront for businesses and IT professionals as the world attempts to determine how to navigate digital security and the aftermath of a breach when the strike originates with a state actor.
When launched as a government strike, attacks blur the lines of business data security, effectively becoming espionage rather than mere malicious activity. In the case of a state-sponsored attack as an act of espionage and intelligence gathering (a long-practiced and firmly rooted tradition in global governments), the implications are more far-reaching than an attempt to retrieve company information. Attacks can be seen as an act of war. So now, we face the question: Whose responsibility is it to secure our technology?
The Threat to IT Supply Chains
The SolarWinds attack left many businesses with their proverbial heads in hands. The true genius of the incident lies with the target of the threat. Rather than directly attacking systems, Russian-sponsored hackers inserted a back door during the build process. Once the back-door update was deployed, the attackers gained access to at least 18,000 customers, many of whom were government employees.
The attack on the IT supply chain was a stroke of brilliance and has certainly caused businesses—and everyone, really—to examine how we manage our supplies. Companies have so often borne the brunt of a breach and have been subjected to public shame and, in many cases, loss of business when one occurs. Traditionally, the fingers have been pointed squarely in one direction—toward the companies who announce their data loss. But are most breaches really that simple?
With any other supply chain, there is an expectation of trust. Consumers expect that the food they receive from suppliers has been properly vetted by grocers and there is no expectation that consumers will take the responsibility of ensuring quality suppliers. But with IT, the supply chain is not so carefully regulated.
However, businesses should be afforded the same expectation that the equipment they are supplied comes inherently secure. Unfortunately, while the U.S. has some national security regulations, such as NIST and ISO, we simply do not have the same oversight of the IT supply chain that we do in other industries.
Who is Responsible for Securing Our Technology?
Often when a breach occurs, public outcry places blame on a company’s inability to protect consumer data. The SolarWinds attack has many questioning this general practice. Shouldn’t companies be able to trust that IT suppliers are securing what they are providing? And even with secure supplies, how can businesses be expected to defend against a sophisticated, state-sponsored attack?
The questions were debated in a recent CompTIA podcast, “Supply Chain Attacks and State Actors: The Evolving Challenge of Cybersecurity.” As one might expect, the answers aren’t so simple.
“If the CIA, and the NSA, and FireEye, the company we would generally call in if we were to ask for help, can’t defend themselves, then how can we be living in fear of losing everything because we suffer an attack like this?” said Kevin McDonald, COO and CISO of Alvaka Networks. It’s not fair to assume SMBs or even enterprises can protect themselves from the looming threat of breaches designed to compromise governments.
Still other questions loom ahead. Should we even set a standard that businesses would be responsible if they have done their due diligence and followed best practices? Many experts advise that a lack of anonymous identification of breaches and lack of safe harbor are industry practices that hurt our ability to quickly respond to incidents and minimize damage.
“It’s so vital that we know that whatever’s happening is happening. That’s way more important than who it’s happening to, in the early stage,” said MJ Shoer, CompTIA senior vice president and executive director of the CompTIA ISAO.
Adding More Security and Resiliency
So how does the public shaming of breached businesses truly help us in our fight to combat attacks? If we actually want to mitigate the impact of these attacks, we need to alter our approach to blame culture and enable open discussions around attacks, while supporting greater vigilance by IT suppliers. Additionally, here are some ways we can build a more secure IT supply chain, according to the podcast guests.
Support greater protections for businesses: Companies should have the ability to rely on insurance coverage in the event of a state-sponsored attack and be able to gain protection under safe harbor laws in situations where proper precautions were taken.
Engage in open discussions and enhance transparency during a breach: To truly progress past a practice of shaming, we need to have open conversations about how breaches occur, where we can improve, and enable better information sharing among the IT community.
Operate as though you don’t have trust in the IT supply chain: If you want to ensure you don’t fall victim to a supply-chain attack, you need to act as though your supplies cannot be trusted. Ask questions, investigate options, and push for better security.
Require appropriate licensing: Currently, MSPs and solution providers aren’t required to show licensing. In other industries, licensing is common practice and provides a way for businesses to quickly validate a base level of proficiency. Requiring licensing would force the hand of suppliers and MSPs to comply with better security practices.
Ultimately, we have a long road ahead to prevent future attacks. The current administration continues to investigate the causes of the SolarWinds attack and is working to develop more secure processes moving forward.
For more information, listen to the CompTIA podcast, “Supply Chain Attacks and State Actors: The Evolving Challenge of Cybersecurity.”