Chattanooga Times Free Press

A ‘WICKED’ PROBLEM

Colonial Pipeline ransomware attack, SolarWinds hack show how vulnerable national cyber defense is

- Terry Thompson is an adjunct instructor in cybersecurity at Johns Hopkins University. This article is republished from The Conversation, an independent and nonprofit source of news, analysis and commentary from academic experts.

The ransomware attack on Colonial Pipeline on May 7, 2021, exemplifies the huge challenges the U.S. faces in shoring up its cyber defenses. The private company, which controls a significant component of the U.S. energy infrastructure and supplies nearly half of the East Coast’s liquid fuels, was vulnerable to an all-too-common type of cyber attack. The FBI has attributed the attack to a Russian cybercrime gang. It would be difficult for the government to mandate better security at private companies, and the government is unable to provide that security for the private sector.

Similarly, the SolarWinds hack, one of the most devastating cyber attacks in history, which came to light in December 2020, exposed vulnerabilities in global software supply chains that affect government and private sector computer systems. It was a major breach of national security that revealed gaps in U.S. cyber defenses.

These gaps include inadequate security by a major software producer, fragmented authority for government support to the private sector, blurred lines between organized crime and international espionage, and a national shortfall in software and cybersecurity skills. None of these gaps is easily bridged, but the scope and impact of the SolarWinds attack show how critical controlling these gaps is to U.S. national security.

The SolarWinds breach, likely carried out by a group affiliated with Russia’s FSB security service, compromised the software development supply chain used by SolarWinds to update 18,000 users of its Orion network management product. SolarWinds sells software that organizations use to manage their computer networks. The hack, which allegedly began in early 2020, was discovered only in December when cybersecurity company FireEye revealed that it had been hit by the malware. More worrisome, this may have been part of a broader attack on government and commercial targets in the U.S.

The Biden administration prepared an executive order to address these software supply chain vulnerabilities. However, these changes, as important as they are, would probably not have prevented the SolarWinds attack. And preventing ransomware attacks like the Colonial Pipeline attack would require U.S. intelligence and law enforcement to infiltrate every organized cyber criminal group in Eastern Europe.

PERFECT STORM OF CHALLENGES

The vulnerability of the software supply chain — the collections of software components and software development services companies use to build software products — is a well-known problem in the security field. In response to a 2017 executive order, a report by a Department of Defense-led interagency task force identified “a surprising level of foreign dependence,” workforce challenges and critical capabilities such as printed circuit board manufacturing that companies are moving offshore in pursuit of competitive pricing. All these factors came into play in the SolarWinds attack.

SolarWinds, driven by its growth strategy and plans to spin off its managed service provider business in 2021, bears much of the responsibility for the damage, according to cybersecurity experts. I believe that the company put itself at risk by outsourcing its software development to Eastern Europe, including a company in Belarus. Russian operatives have been known to use companies in former Soviet satellite countries to insert malware into software supply chains. Russia used this technique in the 2017 NotPetya attack that cost global companies more than $10 billion.

SolarWinds also failed to practice basic cybersecurity hygiene, according to a cybersecurity researcher.

Vinoth Kumar reported that the password for the software company’s development server was allegedly “solarwinds123,” an egregious violation of fundamental standards of cybersecurity.

In a blog post, the company admitted that “the attackers were able to circumvent threat detection techniques employed by both SolarWinds, other private companies, and the federal government.”

The larger question is why SolarWinds, an American company, had to turn to foreign providers for software development. A Department of Defense report about supply chains characterizes the lack of software engineers as a crisis, partly because the education pipeline is not providing enough software engineers to meet demand in the commercial and defense sectors.

There’s also a shortage of cybersecurity talent in the U.S. Engineers, software developers and network engineers are among the most needed skills across the U.S., and the lack of software engineers who focus on the security of software in particular is acute.

FRAGMENTED AUTHORITY

Though I’d argue SolarWinds has much to answer for, it should not have had to defend itself against a state-orchestrated cyber attack on its own. The 2018 National Cyber Strategy describes how supply chain security should work. The government determines the security of federal contractors like SolarWinds by reviewing their risk management strategies, ensuring that they are informed of threats and vulnerabilities and responding to incidents on their systems.

However, this official strategy split these responsibilities between the Pentagon for defense and intelligence systems and the Department of Homeland Security for civil agencies, continuing a fragmented approach to information security that began in the Reagan era. Execution of the strategy relies on the DOD’s U.S. Cyber Command and DHS’s Cyber and Infrastructure Security Agency. DOD’s strategy is to “defend forward”: that is, to disrupt malicious cyber activity at its source, which proved effective in the run-up to the 2018 midterm elections. The Cyber and Infrastructure Security Agency, established in 2018, is responsible for providing information about threats to critical infrastructure sectors.

Neither agency appears to have sounded a warning or attempted to mitigate the attack on SolarWinds. The government’s response came only after the attack. The Cyber and Infrastructure Security Agency issued alerts and guidance, and a Cyber Unified Coordination Group was formed to facilitate coordination among federal agencies.

These tactical actions were only a partial solution to the larger, strategic problem. The fragmentation of the authorities for national cyber defense evident in the SolarWinds hack is a strategic weakness that complicates cybersecurity for the government and private sector and invites more attacks on the software supply chain.

A WICKED PROBLEM

National cyber defense is an example of a “wicked problem,” a policy problem that has no clear solution or measure of success. The Cyberspace Solarium Commission identified many inadequacies of U.S. national cyber defenses. In its 2020 report, the commission noted that “There is still not a clear unity of effort or theory of victory driving the federal government’s approach to protecting and securing cyberspace.”

Many of the factors that make developing a centralized national cyber defense challenging lie outside of the government’s direct control. For example, economic forces push technology companies to get their products to market quickly, which can lead them to take shortcuts that undermine security.

The Biden administration appears to be taking the challenge seriously. The president has appointed a national cybersecurity director to coordinate related government efforts. It remains to be seen whether and how the administration will address the problem of fragmented authorities and clarify how the government will protect companies that supply critical digital infrastructure. It’s unreasonable to expect any U.S. company to be able to fend for itself against a foreign nation’s cyberattack.

STEPS FORWARD

In the meantime, software developers can apply the secure software development approach advocated by the National Institute of Standards and Technology. Government and industry can prioritize the development of artificial intelligence that can identify malware in existing systems. All this takes time, however, and hackers move quickly.

Finally, companies need to aggressively assess their vulnerabilities, particularly by engaging in more “red teaming” activities: that is, having employees, contractors or both play the role of hackers and attack the company.

Recognizing that hackers in the service of foreign adversaries are dedicated, thorough and not constrained by any rules is important for anticipating their next moves and reinforcing and improving U.S. national cyber defenses. Otherwise, Colonial Pipeline is unlikely to be the last victim of a major attack on U.S. infrastructure, and SolarWinds is unlikely to be the last victim of a major attack on the U.S. software supply chain.

Photo (AP Photo/Seth Wenig): Colonial Pipeline storage tanks are seen in Woodbridge, N.J., May 10.
