Chatham House
Printable version |
The SolarWinds Hack: A Valuable Lesson for Cybersecurity
EXPERT COMMENT
While the SolarWinds hack will not be the last of its kind, focusing on what it was not can help ensure effective preventative measures are implemented.
In mid-December 2020, the biggest cyber intrusion known to date was discovered in the United States, the world’s leading cyber power. The global reach of the incident, and the nature and number of affected US government agencies – most notably the US Energy Department which controls the National Nuclear Security Administration – is unprecedented. A joint statement by the FBI, the National Security Agency (NSA) and others, concluded that Russia is ‘likely’ to be behind the hack. Although it is tempting to focus on options for a potential response, such as ‘cost imposition’ or the use of offensive cyber capabilities - and even on the purported failure of the US strategy to ‘defend forward’ – there is also value in paying attention to what this wasn’t, to ensure that future preventative action is appropriately focused.
Maintaining perspective
The conduit for the cyber intrusion was a software update provided by a private company called SolarWinds. SolarWinds and Microsoft have called it a very ‘sophisticated’ operation. The intrusion was able to insert ‘back doors’ into the networks of dozens of companies, government agencies, and think-tanks across the US and beyond, thus gaining persistent access – and it was nearly a year before it was detected. Such elaborate methods require cybersecurity measures which must be constantly revised, tried and tested. This level of preparedness and monitoring is a challenge and engenders discussion about the need for national strategies to proactively counter and deter such cyber operations, rather than focus on the use of offensive cyber capabilities or 'cost imposition'.
It is therefore important to maintain perspective and focus on the original cause of the incident; a supply chain weakness which, in 2020, arguably should never have happened. Some have therefore called this an ‘unacceptable... big failure’ of cybersecurity. So rather than reverting to the kind of sabre-rattling rhetoric which may only serve to further destabilize cyberspace, the SolarWinds intrusion could prove to be a simple, albeit critical, lesson for everyone involved.
A related point hinges on the fact that the breach was discovered by a private cybersecurity firm called FireEye, which reported it to the US government. Fire Eye was not legally required to report it but did so voluntarily, and we will never know what could have happened had it chosen not to do so. This is a valuable lesson which should inform the debate on the role of the state in private sector cybersecurity and the importance of sharing cybersecurity threat intelligence between the public and private sectors, as highlighted by Microsoft President Brad Smith, as well as the role of non-state actors in technical attribution.
Click here to continue reading the full version of this Expert Comment on the Chatham House website.
Original article link: https://www.chathamhouse.org/2021/02/solarwinds-hack-valuable-lesson-cybersecurity
RESEARCH | EXPERTS | EVENTS | MEMBERSHIP | ACADEMY | ABOUT |