Just when we thought 2020 couldn’t get worse, security firm FireEye broke the news that the compromise of a software solution by IT solutions provider SolarWinds had resulted in security breaches across the public and private sector, at dozens of companies and government agencies, including the U.S. Departments of Commerce, Treasury, Justice, Defense, and the Center for Disease Control.
The National Security Agency, the main body tasked with protecting government assets from hackers, did not detect the breach. FireEye did—after discovering that it, too, had been hacked. Some security experts and U.S. government officials have described it as the worst security incident in the past few years.
This is not the first time that an attack spread across many organizations and sectors. Consider the NotPetya ransomware outbreak in 2017: the attackers managed to spread the infection after breaching the servers of Ukrainian software company MeDoc and inserting a malicious payload into its tax processing program, which was used by many of the victims.
The SolarWinds breach was a wake-up call for all those who have not begun to consider the reality that, security-wise, we live in a totally different world. You just need to look at the numbers to see how bad things can get.
According to SolarWinds, as many as 18,000 of its customers have downloaded the trojanized version of the Orion platform that the hackers uploaded to its servers, even though the ultimate targets were the U.S. government and specific companies like FireEye. In the NotPetya outbreak, the primary targets of the attackers were Ukrainian government bodies, but the ransomware also ended up locking hundreds of thousands of computers at other organizations in the span of a few days.
With digitization and internet connectivity spreading to all sectors of life, business, and politics, the meaning of peace and security has changed monumentally. Cyber-battles have come to every home and office, industrial control systems, public transportation, personal vehicles, and every piece of a nation’s physical and digital infrastructure.
The nature and identity of the fighters and battles have changed a lot, too. Today, nation-states hide behind faceless hacker groups that are hard to pinpoint and even harder to link to governments, and their activities blend into those by cybercriminals that are primarily after money.
Unfortunately, in today’s world, where software systems, web services, APIs, and the IoT have created a complex web of interconnected ecosystems, every security incident can have ripple effects and spread across many nodes and geographical locations. Companies like SolarWinds or MeDoc, which are relatively unknown to the general public, can end up becoming windows to national crises because their services are used by many private and public entities.
The key point is that, in our increasingly connected world, we all have a vested interest in promoting security and making sure every piece of software and hardware is secure. Just think of the various applications you use every day at home and work. Think of the multitude of cloud and on-premises applications that keep your enterprise online and working. Any one of them failing can lead to a chain reaction of security incidents.
Success is no longer an individual achievement. Even if you develop the most secure software, even if you’re FireEye, you’ll fail if the hardware, software, and services you rely on are insecure.
So, what is the remedy? First, we must acknowledge that we’re all in this together. Then, we must act uniformly to secure personal, enterprise, and government networks. While this might sound easier said than done, there are concrete steps that can help us move toward this goal.
One necessary step would be to promote and augment collaboration in dealing with cybersecurity incidents and threat actors. The past few years have seen some positive developments on this front in the form of threat intelligence sharing, where government agencies and private firms consolidate threat indicators and indicators of compromise (IoCs) such as IP addresses, domains, binary signatures, and malware source code. These concerted efforts have helped discover the identity and source of many attacks and reduce response time. Threat intelligence sharing should be complemented with transparency and responsible disclosure.
At the same time, we need to establish a culture of safeguards at every organization that is either developing or using software (which practically means everyone). The need for secure encryption practices, encrypted storage of data, strong authentication options, and proper security policies is often highlighted only after an organization is breached, when it’s too late. That needs to change.
While we continue to compete for market share and customers, we should also compete for better security standards. Companies should not be valued only for their growth and revenue, but also for the security of their data and infrastructure.