Described as “stunning” by major news outlets, the SolarWinds hack on U.S. government agencies is unprecedented and alarming. It is now estimated that at least 250 businesses and federal agencies were impacted by a malicious update in the SolarWinds software.
Now being thought of as an intelligence attack by Russia’s Foreign Intelligence Service, the breach reveals shocking vulnerabilities. While the distributed malware was admittedly intricate, dismayed reporters relay that the update server was accessible with the password “solarwinds123.”
With elements that prompt both incredulity and concern, the reality couldn’t be clearer: improvements must be made or supply chains will be an open playing field for cybercriminals.
The malware appears to have exploited a blind spot in federal agency cybersecurity. While an execution of this magnitude prompted immediate response, long-term strategies are needed for reliable protection.
Government Software and Cybersecurity
National security depends on cybersecurity software. Secure software is expensive and complex. The SolarWinds hack targeted weak links in supply chains. In the aftermath of this hacking campaign, private sector companies and government agencies are all having to reassess the effectiveness of their current security measures.
While this breach brings heightened awareness, it occurs as important public-sector supply chain security conversations are already happening.
- The Information Technology Industry (ITI) Council has advocated creating a uniform supply chain security policy. ITI published National Security Principles earlier this year that included holistic national security measures and cooperation between public and private organizations.
- The Department of Defense (DoD) has a Cybersecurity Maturity Model Certification (CMMC) program that is already addressing security issues through the supply chain. In that initiative, both Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) will have to meet certain standards. Depending on which standards a company meets, it will receive a ranked level that qualifies it to obtain defense contracts.
- The Software Bill of Materials takes secure practices down to its discrete parts, stipulating approved processes for software assembly.
- The IoT Cybersecurity Improvement Act was signed into law on December 4, 2020. This bill allows the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) to increase cybersecurity for IoT devices. It specifically relates to federal government standards and guidelines around appropriate use and management of IoT devices that are owned or controlled by an agency. The intent is to implement a protocol that better manages the cybersecurity risks on those devices.
As always, the challenge is to create, inform and enforce criteria that are not unduly restrictive or unattainable. However, in a climate of seemingly imminent and sophisticated cyberattacks, that concern feels less relevant.
Improving Supply Chain Cybersecurity
Even as global practices and protocols are being created and moved forward, implementation is always the key. Each organization and agency has to seriously assess their current vendor security policies and supply chain practices.
While stricter standards are difficult, time-consuming and can be costly, it’s more apparent than ever that these standards are the only thing standing between solidity and collapse.
Attila Security has some of the simplest and most effective cybersecurity solutions on the market. The GoSilent Cube is a hardware VPN that secures any IP-enabled device and can be used to quickly recover from SolarWinds security issues if needed. Learn more in this article.