January 4, 2021

This post is one in the “Rethink Cybersecurity” series. Additional posts in this series are available here.

The man who founded the organization I work for, the Internet Security Alliance, was Dave McCurdy. Mr. McCurdy was the former Chair of the House Intelligence Committee. Dave was fond of reminding people, “Congress does two things well: Nothing and overreact.”

So far, with respect to cybersecurity, Congress has largely been in the doing-nothing phase – that is by far the lesser of the two evils. Heaven forbid they decide to “take quick action” because – and while few will say this out loud, I assure you this is the consensus view of the cybersecurity community – we have serious doubts that Congress has really taken the time to understand what we are really talking about.

For heaven’s sake, even the technical experts don’t yet know what we are really talking about.

We are already hearing Members of Congress issuing reassuring statements that suggest they have already taken steps to address the type of cyber threat illustrated by SolarWinds. Caution is suggested here. As we pointed out in previous posts, things like the provisions in the new NDAA, while helpful, are far too narrow to address the type of systemic attack SolarWinds is indicative of. Congress holding truly substantive hearings is obviously critically important, but it’s even more important that they do not overreact and make a very bad situation worse.

Before we get to any legislating or regulating, it’s pretty important that we understand that this was not “just another big hack.” SolarWinds was a fundamentally different kind of attack. SolarWinds can best be classified as a “systemic attack.” That is quite unlike many previous well-publicized cyber-attacks, which were “entity” attacks. Addressing the enormous problems it highlights – and they must be addressed – will take thoughtful and sophisticated work. Historically, at least regarding cybersecurity, Congress has not tended to do that sort of work.

Josephine Wolff of Future Tense, in a helpful blog post last week, did a good job explaining the difference.

She explained that SolarWinds is very different from “Equifax or Sony Pictures or Office of Personnel Management,” for instance—it’s important to understand both how the SolarWinds malware was delivered and also how it was then used as a platform for other attacks. Equifax, Sony Pictures, and OPM are all examples of computer systems that were specifically targeted by intruders, even though they used some generic, more widely used pieces of malware.

This meant that there were some very clear sources that could be used to trace the scope of the incident after the fact—what had the person using those particular stolen credentials installed or looked at? What data had been accessed via the fraudulent domains? It also meant that the investigators could be relatively confident the incident was confined to a particular department or target system and that wiping and restoring those systems would be sufficient to remove the intruders’ presence.

The compromised SolarWinds update that delivered the malware was distributed to as many as 18,000 customers. The SolarWinds Orion products are specifically designed … so they have to have access to everything, which is what made them such a perfect conduit for this compromise. So, there are no comparable limiting boundaries on its scope or impacts, as has been made clear by the gradual revelation of more and more high-value targets. Even more worrisome is the fact that the attackers apparently made use of their initial access to targeted organizations, such as FireEye and Microsoft, to steal tools and code that would then enable them to compromise even more targets. After Microsoft realized it was breached via the SolarWinds compromise, it then discovered its own products were then used “to further the attacks on others.”

From a public policy perspective this means that the usual bromides about “accountability” and the need for government regulation need to be held at bay. After all, our government – and I mean the varsity here, DHS CISA and NSA – didn’t even know they were being attacked for months, and not until the private sector told them. It is hard to see how a bigger government role is what is needed here.

What is needed is to completely re-think our strategy on cybersecurity. The fixation on cyber as essentially a technical issue to be managed by the technicians is over-simplistic. We need to understand cybersecurity in a much larger sense, appreciating the economic causes (we will discuss the economics of SolarWinds specifically tomorrow) and the geo-political ramifications. We will have to spend more money (a lot more money) and we need to develop a REAL partnership between industry and government.

When little – really little – kids begin to play in groups, they actually don’t play together. They initially play alongside each other in “parallel play.” That, for the most part, is what our current partnership model really is. The public and private sectors are playing alongside each other – not really with each other. So, we need to mature our model. Ideally the public-private partnership should mimic a good marriage, but I’d settle for us at least learning to play together instead of like little kids – just in parallel.

Government looking into all this thoughtfully – while the tech experts try to unravel what the heck is actually going on – is great. Shooting too quickly will likely mean we shoot ourselves in the foot.
