October 26, 2023

Introduction by ISA President Larry Clinton

The SolarWinds Orion software attack, which occurred nearly three years ago, had a devastating impact that organizations are still facing today. Recent reports estimate that government agencies and private organizations will spend $100 billion over the next few years investigating the incident and remediating the damage done in 2020.

This attack was so explosive because of the sheer volume of Orion users: at least one hundred companies and at least nine federal agencies, including the Departments of Defense, State, and Energy, all had sensitive information stolen from them in the attack. Essentially, everyone used SolarWinds, so everyone was at risk if it were compromised.

The reason “everyone” was using the Orion software was that it was really good software, judged by the market and the government to be adequately secure for use. However, this widespread use of the Orion software, its degree of market penetration, is precisely what made it an attractive target for Russian threat actors. The Russians knew that if they gained access to SolarWinds servers and entered malicious code into a software update of the management program, it would enable them to move laterally across multiple victim networks, escalate administrative privileges, and impersonate users.

SolarWinds is indicative of a paradigmatic shift in the method of cyber-attack. Traditionally, cybersecurity has been thought of primarily on an entity-by-entity basis, e.g. the Target attack, the Equifax attack, the Office of Personnel Management attack. SolarWinds, and similar subsequent attacks, represent a dangerous change in thinking on the part of the attack community, which is now looking not just for a target entity but for a target system. While SolarWinds is possibly the most notorious example, it is not one-of-a-kind when it comes to destabilizing a large number of organizations in a single attack. The Cyentia Institute and RiskRecon report that such incidents are increasing at an average annual growth rate of 20 percent.

Just as SolarWinds is emblematic of an evolution of thinking in the attack community, it also needs to be the catalyst for a change in thinking by the defender community. Rather than focusing primarily on the number of technical vulnerabilities in software, we also need to begin to think in terms of the market penetration of certain products, as these specific products carry increased risk due to their market penetration. Consistent with basic risk management processes, these products demand special attention because of the elevated risk they bring to the wide range of entities that use them.

The truth of the matter is that we have built a network of highly interconnected and tightly coupled counterparties that rely on common technology products and services. If one part of the network faces a cybersecurity risk, the entire network does. This means that investing in systemic cyber risk management will only increase the United States’ protection. 

If we step back and think in terms of the risk created by high degrees of market penetration, we can understand cyber risk in a new and more productive way.

For example, this chart identifies the degree of market penetration of providers in several critical aspects of the cyber ecosystem, wherein as few as 3 companies, sometimes one company, hold extensive market penetration, meaning that compromise of these specific products generates extensive systemic cyber risk.

| Critical service | Market share* |
| --- | --- |
| Desk/Laptop Operating Systems | 100% |
| Mobile Operating Systems | 100% |
| Web Server Software | 92% |
| Web Server Operating Systems | 74% |
| Electronic Medical Records (EMR) | 70% |
| Transport Layer Security (TLS) | 67% |
| Point of Sale Transaction Software | 62% |
| Cloud Services | 56% |
| Domain Name System (DNS) | 47% |
| Firewall/Security Appliances | 40% |

*Note: Market share statistics are very rough estimates based on many sources, including company financial reports, SEC disclosures, and industry reports. They are not meant to be precise but rather to demonstrate roughly how much concentration exists in each critical service.

As we consider the elevated risk that the products alluded to in this chart carry, we also need to be mindful that the reason these products have achieved this degree of market penetration is that, like the Orion software created by SolarWinds, they are very good products.

While we do need to enhance the security of products that carry systemic risk, it is just as important that we not inhibit innovation in IT products. This innovation in the information technology industry is largely the basis of much of the economic and military superiority the USA has maintained through the early stages of the digital age. We cannot afford to inhibit the drive and investment in these innovations in the hyper-competitive and dangerous world we now live in.

Rather than knee-jerk to a broad system of regulation, we need to evolve a more sophisticated system for dealing with these systemically risky products. This begins by realizing that market penetration is in fact a risk that needs to be managed in a way that promotes innovation while better managing the risk. One such solution would be a system such as the following:

1. Determine which companies have products with market share of critical technologies such that they provide an attack surface enabling a systemic cyber incident. When products achieve a market penetration creating systemic risk, they could be required to report this to DHS and demonstrate how they are managing the systemic risk.

2. If companies cannot demonstrate they have appropriately managed the systemic risk, they would work with DHS to identify the methods and costs needed to take these (few) commercially successful products and enhance their security to an appropriate level (for example, in retrospect, we realized that a different configuration of SolarWinds Orion software could have substantially mitigated its risk).

3. Develop economic incentives to subsidize the investment needed to fill the security gap between the initial commercial level security and the required systemic security.

It is critical that we appreciate that twentieth-century solutions, like traditional regulation, will not be sufficient to address the dynamism of 21st-century cybersecurity issues. The attack community is evolving, and we need to keep pace if we are to maintain our own security.