ISA’s Clinton cites need to go beyond NDAA in SolarWinds response; congressional researchers see ‘no easy fix’

February 16, 2021

Larry Clinton of the Internet Security Alliance says the massive SolarWinds hack highlights the need for a rethinking of cybersecurity policy that goes well beyond Cyberspace Solarium Commission recommendations folded into the national defense bill, while the Congressional Research Service has issued a paper saying “existing programs” were unlikely to have foiled the sophisticated infiltration of federal government systems.

Clinton praised elements in the fiscal 2021 National Defense Authorization Act such as creation of a National Cyber Director. The bill has passed Congress and awaits action by President Trump, who cited the Cyber Director provision among numerous noncyber elements in a veto threat. Both the House and Senate passed the bill with large bipartisan majorities that would be sufficient to override a veto. The House is taking procedural steps to be ready to vote Dec. 28 on an override if Trump vetoes the NDAA bill.

“However, we are kidding ourselves if we think the new NDAA provisions, if they are enacted, are anywhere near enough to provide ample defense against the sorts of sophisticated cyber-attacks that are becoming increasingly common against both industry and government,” Clinton wrote in a blog post on Monday.

“Positive though they are, the NDAA provisions are far too narrow. They are focused primarily on government and follow a traditionally limited vulnerability prevention model,” Clinton said.

The posting is the latest in a series that ISA launched in November, intended to kick off a dialogue on cybersecurity policy and culminating in a package of recommendations.

“How is it that, with years of warning, our federal government — with the largest, best funded, most sophisticated military in the history of the world — is not only unable to defend itself, it’s unable to understand it’s under attack?” Clinton wrote. “Maybe it’s time to rethink our approach.”

Clinton explained, “The center of the attack, SolarWinds, is a private organization that serves both the public and private sector. It is an example of a growing number of core elements of the Internet whose compromise creates systemic issues. To date virtually all cyber policy has been focused on protecting entities – government or private companies – not the system as a whole.” Further, he said, private cybersecurity firm FireEye discovered the attack.

He warned against “stale replays” of finger-pointing and “quick easy solutions” such as direct regulation and penalties.

Instead, Clinton called for “a much more fulsome partnership model that encourages government and industry to work together as equals. For example, the WH office envisioned to define a strategy to respond to a cyber-attack of national significance needs to be expanded and repurposed to design a full national digital strategy. This broader perspective would include cybersecurity as one aspect of that overall strategy but not be artificially limited to government systems as though they were independent from private systems (they aren’t).”

The strategy would also address issues including competition with China; “how to fund the needed national security obligations private sector companies are inheriting in the digital age but are clearly incompatible supporting with the economic business models designed for the analog economy”; and “practical answers” in areas like ransomware and intellectual property theft.

Another security expert, speaking on background, told Inside Cybersecurity that the Solarium Commission recommendations in the NDAA are “part of the solution,” but “we have to look at implementation, we have to look holistically at technology and society. … What are the real risks and what risk are you willing to accept?”

CRS report

The Congressional Research Service also put out a report Monday on SolarWinds, “SolarWinds Attack: No Easy Fix.”

“The disclosed attack is likely part of a larger campaign to which there is no easy fix. The Sunburst malware allowed the malicious actors a foothold in their victims’ networks. From there, they could persist in the network through the creation of additional credentials for other software platforms. So merely remedying the vulnerable versions of SolarWinds’ products would be insufficient in eradicating the unauthorized actors from a compromised network,” according to CRS.

The report points to guidance issued by CISA and activation of the National Cyber Incident Response Plan and the Unified Coordination Group by the National Security Council.

“Cybersecurity is not a static goal,” CRS says. “Instead, it is a risk management process, which involves continual work. The National Institute of Standards and Technology (NIST) Cybersecurity Framework categorizes this process cycle as: (1) identify; (2) protect; (3) detect; (4) respond; and (5) recover. Much of the recent cybersecurity policy work has been on the first three processes; the SolarWinds attack highlights the need for the last two.”

According to CRS, “Given the nature of the SolarWinds attack, it is unlikely existing programs would have prevented this incident.”

Inside Cybersecurity, December 22, 2020