The Cybersecurity and Infrastructure Security Agency has directed every government agency to disconnect from the SolarWinds Orion product in response to the cyber breach. The National Security Council now calls for a whole-of-government effort to “identify, mitigate, remediate and respond” to the incident.
One could compare the breach to a thief breaking into a house, but Bob Bigman, former Chief Information Security Officer at the Central Intelligence Agency, said it’s worse than that.
“You have no indication of who did this, it doesn’t look like the lock’s been picked, it doesn’t look like there’s fingerprints, and that camera you have connected to your internet is showing you pictures of springtime in Moscow,” said Bigman.
He said this was a sophisticated attack by a nation-state that had a project plan and all the tools and skills necessary to take advantage of weak areas of IT.
Although CISA has put out some guidance on how to look for indicators of compromise, there is not much the government can do at this point, Bigman said.
He explained that we are limited by our technology and somewhat by a lack of imagination. “The people who built Einstein 1.0, 2.0 didn’t understand that there could be attacks where people spoof the addresses and use internal domains in the United States as opposed to just external domains,” he said. “They also looked for signatures of previous attacks. Well, this was a brand new attack…and there were no signatures.”
To prevent these kinds of cyber attacks from happening in the future, we need to fundamentally change how IT works, Bigman said. “These companies develop this software all around the world, they give out their signing certificates to their code to all of their developers in India, Russia, China … cybersecurity takes a back seat.”
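The point Bigman makes about signing certificates can be shown concretely: a valid signature only proves that whoever produced the artifact held the signing key, so when that key is shared with every developer, a signature alone says nothing about whether the build was the reviewed one. The following is an added illustration, not code from the article, SolarWinds, or any vendor. It uses an HMAC as a simplified stand-in for a code-signing key (real release pipelines use asymmetric signatures, but the key-custody lesson is the same), and all artifact contents and the "expected digest" from an independent build are constructed for the example.

```python
"""Added example: why a broadly shared signing key is a weak release gate.

Constructed scenario, not from the article. An HMAC stands in for the
private key of a code-signing certificate (assumption: the custody
argument is identical for asymmetric signatures).
"""
import hashlib
import hmac
import secrets

# Constructed: the one release-signing key a vendor has handed to all developers.
RELEASE_SIGNING_KEY = secrets.token_bytes(32)


def sign_artifact(key: bytes, artifact: bytes) -> bytes:
    """Produce a signature over the artifact with the given key."""
    return hmac.new(key, artifact, hashlib.sha256).digest()


def signature_valid(key: bytes, artifact: bytes, sig: bytes) -> bool:
    """Signature check: proves only that the signer held `key`."""
    return hmac.compare_digest(sign_artifact(key, artifact), sig)


def release_check(key: bytes, artifact: bytes, sig: bytes, expected_digest: str) -> dict:
    """Two independent gates a release pipeline should apply.

    signature_ok            -> who signed it (anyone holding the shared key passes)
    build_matches_expected  -> what was built, compared against a digest produced
                               by an independent build (e.g. a locked-down CI run
                               or reproducible-build verifier) that developers
                               cannot sign into existence.
    """
    return {
        "signature_ok": signature_valid(key, artifact, sig),
        "build_matches_expected": hashlib.sha256(artifact).hexdigest() == expected_digest,
    }


def demo() -> tuple:
    """Return the check results for a reviewed build and for an altered build."""
    # Constructed artifact representing the reviewed, expected release.
    reviewed = b"netmon-agent 1.0: reviewed build contents"
    expected_digest = hashlib.sha256(reviewed).hexdigest()  # from the independent build
    sig_reviewed = sign_artifact(RELEASE_SIGNING_KEY, reviewed)

    # Constructed: the same artifact with an unreviewed change, signed by
    # any one of the many developers who were given the release key.
    altered = reviewed + b" + unreviewed change"
    sig_altered = sign_artifact(RELEASE_SIGNING_KEY, altered)

    return (
        release_check(RELEASE_SIGNING_KEY, reviewed, sig_reviewed, expected_digest),
        release_check(RELEASE_SIGNING_KEY, altered, sig_altered, expected_digest),
    )


if __name__ == "__main__":
    good, bad = demo()
    print("reviewed build:", good)   # both gates pass
    print("altered build: ", bad)    # signature passes, digest gate fails
```

The altered build passes the signature gate exactly as the reviewed one does; only the comparison against a digest from an independent build distinguishes them. That is the practical consequence of handing the signing key to every developer: the signature stops being evidence of anything beyond key possession, and the pipeline needs a second, independently produced check.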
Could government silos and lack of information sharing between cybersecurity experts and others be contributing to the issue? Partially, Bigman said, but the bigger part is that there is only so much that can be done in the cybersecurity realm given the state of IT today. “This is what we built, and you’re not going to be able to change it overnight,” he stated, adding that it will require thought and legislation.
Bigman recommends that agency CISOs substantially strengthen authentication for remote work and the isolation of remote-work connections from the network. Most importantly, we should reexamine how we perform identity management and determine what someone gets access to if they are coming in from a remote site.
“One of the reasons why they chose tools like SolarWinds is government agencies and everyone has their agents on every part of the network, and perhaps you need to rethink that strategy until we have a better approach,” said Bigman.