Sens. Mark Warner (D-VA) and Marco Rubio (R-FL) are calling for a single leader to coordinate cleanup efforts after the SolarWinds hack. They write in a letter, “the federal government’s response so far has lacked the leadership and coordination warranted by a significant cyber event.”
There are two major pieces to the response to the hack: understanding what happened, and figuring out what to do next.
To understand what happened, every department and agency must be pulled in to determine who downloaded the contaminated software and deployed it throughout their systems, according to Brig. Gen. Gregory Touhill, former federal chief information security officer. Touhill said this step has already been done across the federal government.
Now the federal government is in the process of finding out how many people were involved and whether there are indicators that someone from the outside leveraged any of the weaknesses introduced by the corrupted code, Touhill explained.
The broader and more difficult task, however, is determining what to do next, said Touhill. “If, in fact, you have had this type of breach or you’ve had a supply chain dividend erode where you’ve had some contaminated code, typically a very capable nation-state actor is going to come in and they’re going to leave behind other pieces of code that leave a backdoor that they can come into later,” said Touhill.
High-risk enterprises will need to make some tough decisions about possibly burning down their infrastructure and replacing it. “That kind of risk management decision is part of the calculus not only in the federal government, but across the private sector as well,” Touhill said.
Touhill said this decision-making authority should ideally go to the chief information security officer. According to Touhill, as of late last night, Anne Neuberger has been announced as leading the incident response effort throughout the federal government.
“Ultimately, nobody wants to burn down any infrastructure,” said Touhill. “And I think what’s going to happen is this is going to accelerate the implementation of Zero Trust as a security strategy, because this is probably going to happen again.”
As for ensuring the infrastructure is safe again in the case that it is not burnt down, Touhill said relying on tools alone is not enough to get risk to zero. He emphasized that the response to this event must include people, process and technology. Zero Trust as a strategy takes all three into account.
“As you take a look at trying to minimize risk, using the Zero Trust security strategy takes the blast radius down from the entire enterprise down to the individual,” Touhill said. “And the federal government has been late to need in implementing it.”
Touhill said he does not believe we will ever see the end of these types of breaches, so executing strategies to minimize risk is critical. “We’re going to see supply chain breaches in the future just as we’ve seen them in the past. This one is the most serious one that I’ve seen thus far,” said Touhill.