At a glance.
- Keeping Cozy Bear at bay.
- New European rules for Big Tech.
- US Labor Department zooms in on retirement account security.
- Industry experts respond to the SolarWinds supply chain compromise.
Keeping Cozy Bear at bay.
Stanford Internet Observatory Director Alex Stamos argues in the Washington Post that the US needs a threefold inoculation against APT attacks like SolarWinds’:
1. A cyber analog to the National Transportation Safety Board to probe vulnerabilities, monitor breaches, and propose solutions, and a companion law requiring disclosure of all breaches. Currently, organizations can conceal breaches that don’t expose personal information.
2. Bolstered defensive capabilities via a beefed-up CISA. One government official told Politico that CISA seems “overwhelmed” at the moment. Another former official told AP News the attack is “a reminder that offense is easier than defense.” CISA has roughly two thousand employees, while the NSA has over 40,000.
3. Cyber defense experts, instead of cyber lawyers, in high places. Stamos analogized that we wouldn’t appoint a malpractice lawyer as surgeon general.
SC Media suggests SolarWinds clients form a “war room” in the interim to strategize against Cozy Bear, and stresses that the breach arose from a deeper defect than sloppy cyber hygiene. One Senator called the event “a massive national security failure.”
New European rules for Big Tech.
The Wall Street Journal reports that the EU and UK are contemplating the “most ambitious internet laws since GDPR.” Bills under consideration would tackle content moderation and monopolistic practices, backed by the threat of forced break-ups and billion-dollar penalties. The GDPR took four years to pass, and we can expect a similar timeline here.
Tech giants have cautioned in the past against regulation that could throttle innovation or freedom of speech. Facebook applauded this development, however, while Google and Amazon made noises about disparate treatment.
The rules would not touch the EU’s Section 230-like protections, but would impose additional responsibilities on large companies. An EU commissioner commented, “We will never say…that this company or that company is too big. But we will say that the bigger they are, the more obligations they have to fulfill.” One bill would require the largest platforms to follow local laws in policing content and to proactively address risky material.
US Labor Department zooms in on retirement account security.
Department of Labor retirement plan auditors are inquiring about companies’ cybersecurity policies and incident responses following a spate of lawsuits and an SEC warning about escalating attacks on financial advisors, according to the National Association of Plan Advisors. This new line of inquiry will test plan administrators’ protections of clients’ accounts and information.
Industry experts respond to the SolarWinds supply chain compromise.
A software supply chain compromise like the one currently unfolding from SolarWinds' Orion platform poses the particularly difficult challenge of third-, indeed nth-party risk. We've heard from several industry experts who offer perspective on how organizations might move forward.
While ordinary sound cyber hygiene isn't proof against nth-party risk, it nonetheless remains an indispensable starting point. “The SolarWinds attack raises important questions that will need to be answered as part of the currently underway investigation,” Todd Moore, Senior VP, Encryption, at Thales wrote in an email. He added, “But the most important aspect will be to determine if foreign malware code was injected into their software environment undetected and how long it was there. As processes and security are evaluated, it’s important to remember that basic cyber hygiene, including multifactor authentication and proper code signing with strong certificate management, goes a long way to protecting valuable data and makes it more difficult to establish a foothold in critical systems.”
Jamil Jaffer, senior vice president for Strategy, Partnerships & Corporate Development at IronNet, explained why the SolarWinds compromise has been especially troubling:
"SolarWinds Orion is a monitoring platform used by IT professionals to manage and optimize their network computing environments. Because the platform connects a number of different monitoring capabilities, depending on how it is implemented, it may reach broadly across a given customer's network. According to SolarWinds, of its 300,000 clients, approximately 18,000 (or around 6% of its customers) deployed a version of the Orion platform that may have been compromised. Given previous attacks of this kind, it is likely that the scope of this threat is broader than the handful of agencies confirmed to be involved thus far. Moreover, it's worth noting that Secretary of State Pompeo suggested that a number of private sector entities were also likely targeted. Given the scope and nature of the vulnerability, and the ability to gain and escalate privileges in a significant way, it is important that affected entities apply the current patch available as well as any other appropriate patches as released.
"The jury is still out on whether or not this vulnerability has been exploited before and if it's part of a broader campaign. Although this event is certainly a big deal, the idea that foreign adversaries are leveraging attacks to collect intelligence is not a new concept. Moreover, there is no information yet to suggest that the access obtained through this vulnerability was used to manipulate, modify, or destroy information. Were such information to come to light, we might be presented with a very different scenario than what is currently before us.
"This event does highlight the challenge of managing the supply chain of individual organizations. Specifically, it demonstrates that even if a given organization has good defensive capabilities, it may be vulnerable to attacks targeting its vendors. Supply chain attacks, of course, are not new. Indeed, the classic story of the Trojan Horse itself is, in some sense, a supply chain attack. What is different about the modern era, of course, is how much of the modern supply chain relies on foreign sources. While this issue is not necessarily in play with this particular incident, our nation's reliance on foreign supply chains, particularly in China, is likely to continue to raise concerns. Moreover, this incident highlights the increasingly important national security role of a diverse set of agencies like the Departments of Treasury and Commerce and the increased threat of nation-state attacks targeting such agencies."