Just when we thought 2020 couldn’t get worse, security firm Mandiant FireEye broke the news that a vulnerability in the software of IT solutions provider SolarWinds had resulted in a massive security breach across the public and private sector, targeting dozens of companies and government agencies, including the U.S. Departments of Commerce, Treasury, Justice, Defense, and the Center for Disease Control.
The National Security Agency, the main body tasked with protecting government assets from hackers, did not detect the breach. FireEye did—after it found that it too had been hacked. Some security experts and U.S. government officials have described it as the worst security incident in the past few years.
This is not the first time that a security incident spreads across many organizations and sectors. There have been similar examples in recent years. Consider the Petya ransomware outbreak in 2017. The attackers managed to spread the infection after breaching the servers of Ukrainian software company MeDoc and inserting a malicious payload into its tax processing program, which was used by many of the victims.
The SolarWinds breach was a wake-up call for all those who have not begun to consider the reality that, security-wise, we live in a totally different world. You just need to look at the numbers to see how bad things can get. According to SolarWinds, as many as 18,000 of its customers have downloaded the trojan virus that the alleged Russian hackers uploaded in its servers, even though the purported target was the U.S. government and special companies like FireEye. In the Petya outbreak, the primary target of the attackers was Ukrainian government bodies, but the ransomware ended up locking hundreds of thousands of computers in the span of a few days.
With digitization and internet connectivity spreading to all sectors of life, business, and politics, the meaning of peace and security has changed a lot. Today’s battles are fought less often on sea and land borders. Instead, cyber-battles have come to every home and office, industrial control systems, public transportation, personal vehicles, and every piece of a nation’s physical and digital infrastructure.
The nature and identity of the fighters and battles have changed a lot too. Today, nation-states hide behind faceless and murky hacker groups that are hard to pinpoint and even harder to link to their respective governments. And their activities get caught up in the multitude of cybercrime that is happening at different levels every day.
In the distant past, security vulnerabilities cropping up in other companies’ software would be a cause to celebrate. One organization’s misery would be another’s gain. But in today’s world, where software systems, web services, APIs, and the internet of things (IoT) have created a complex web of interconnected ecosystems, every security incident can have ripple effects and spread across many nodes and geographical locations. Companies like SolarWinds or MeDoc, which are not much known to the public, can end up becoming windows to national crises because their services are used by many private and public entities.
The key point is, in our increasingly connected world, we all have a vested interest in promoting security and making sure every piece of software and hardware that connects our globe together is secure. Just think of the various applications you use every day at home and work. Think of the multitude of on-cloud and -premise applications that keep your enterprise online and working. Any one of them failing can lead to a chain reaction of security incidents, as we saw at the close of the year.
Success is no longer an individual achievement. Even if you develop the most secure software, even if you’re FireEye, a company that is known for ferreting out hackers from the deepest recesses of the web, you’ll fail if the hardware, software, and services you rely on are insecure.
So, what is the remedy? First, we must acknowledge that we’re all in this together. Then, we must act uniformly to secure personal, enterprise, and government networks. While this might sound easier said than done, there are concrete steps that can help us move toward this goal.
One necessary step would be to promote and augment collaboration on dealing with cybersecurity incidents and threat actors. The past few years have seen some positive developments on this front, sometimes known as threat intelligence sharing, where government agencies and private firms consolidate threat indicators and indicators of compromise (IoC) such as IP addresses, domains, binary signatures, and malware source codes. These concerted efforts have helped discover the identity and source of many attacks and reduce the response time. They should be complemented with transparency and responsible disclosure.
At the same time, we need to establish a culture of safeguards at every organization that is either developing or using software (that practically means everyone). The need for secure encryption practices, encrypted storage of data, strong authentication options, and proper security policies are often highlighted after an organization is breached when it’s too late. That needs to change. While we continue to compete for market share and customers, we should also compete for better security standards. Companies should not be valued only for their growth and revenue, but also for the security of their data and infrastructure.
Authentication and government contracts: the password requirements of NIST and DFARS