Monday, May 24, 2021

This was a warning – but we didn’t understand it

Last week, Wired published a great story by Andy Greenberg on something that happened more than ten years ago: the RSA hack by the Chinese army. The RSA executives who were involved in discovering and responding to the attack – and in the huge effort to reach out by phone to every one of their customers and walk them through the mitigations they needed to put in place – are finally able to talk about it, because their 10-year NDAs have expired.

Tell me, does any of this sound familiar?

1. A supplier of important IT products to organizations worldwide is attacked, and their primary product is reported to have been compromised.

2. Because of the nature of that product, it occupies a very privileged position in the customers’ networks. The fact that the product might be compromised strikes fear into everyone who understands what the product does and how it is used.

3. Because the customers include many federal government agencies, including three-letter agencies, this becomes a national security event – meaning it could be a disaster not only for a large number of private companies, but for every American citizen (and many citizens of foreign countries as well, since this product was by far the market leader). In other words, this was really an attack on critical infrastructure – we just didn’t realize it.

4. Despite the breach’s potential to literally destroy the company, its leaders responded to it well and took the hard steps necessary to win customers’ confidence back.

5. On the other hand, because the attackers were inside the company’s network for a long period, they very likely left backdoors – meaning they’ll probably be able to get back in whenever they want.

You’re right! The above applies to RSA, but it could just as well apply to SolarWinds. I’ll let you read the article, but here are some of the key differences between the two breaches:

1. It seems only three companies – including defense contractor Lockheed Martin – might have been breached due to the RSA attack, and even if they were, they swear up and down that the hackers never compromised anything having to do with national security. In the case of SolarWinds, 18,000 customers received the compromised updates, but “only” 1-200 were actually penetrated by the Russians (including a number of federal agencies, of course). None of them have reported any serious losses, although it’s unlikely a federal agency will make an announcement like “We regret to say that the Russians discovered our most closely held secret, namely….” On the other hand, given that the Russians were inside those 1-200 organizations for many months, they have certainly laid the groundwork to remain undetected for years. Who knows what they’ll ultimately do?

2. The Russians were inside the SolarWinds network – and more specifically their development environment – for about 15 months; even then, they were only detected because someone at FireEye (a SolarWinds customer) happened to ask about a new device that showed up on someone’s account. The Chinese were inside RSA for I believe just a few weeks, and for most of that period, they were tracked in real time by the RSA security staff. Unfortunately, the staff was literally just seconds too late to prevent them from making off with the crown jewels.

3. The RSA breach was a classic information security breach: the Chinese attackers stole the seeds that supported the process of generating security passwords on RSA hardware and software tokens. It was obviously a very sophisticated attack, yet at heart it wasn’t too different from any other attack where important data is stolen.

4. The SolarWinds attack was completely different from any previous supply chain attack, in that the software development process itself was compromised, in such a manner that no current technology (other than perhaps in-toto, which was developed only in the last couple of years and got a lot of attention only after the attack) could have discovered it.

5. After the SolarWinds attack, people (including me) began to realize that the systems and processes used by software developers like SolarWinds are as much critical infrastructure as the systems that run the power grid – and they need to be regulated as such. However, I never expected that I would get my wish so quickly, since the recent EO does exactly that.

Ten years ago, I don’t remember anybody calling for cybersecurity regulation of companies like RSA. Perhaps this was because the idea of any cybersecurity regulation was new (for example, CIP version 1 only fully came into effect at the end of 2010). I believe the CIP standards were among the first cybersecurity regulations anywhere – other than perhaps the military, and breach notification laws in a few states. The general feeling was that, if a private company was breached and it affected their customers, that could be handled well in the court system – there was no need for government regulations.

We seem to have finally learned our lesson with SolarWinds: Just like the hack of an electric utility is more than just a financial issue to be settled between the utility and its customers, the hack of the provider of a vital technology to the federal government – and a huge number of private organizations – is much more than something to be settled with a bunch of lawsuits. As much as possible, it needs to be prevented through regulation. SolarWinds and RSA are both critical infrastructure organizations. They both need to be regulated – as well as a number of other providers of IT/OT products and services to the federal government.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. Nor are they shared by the National Telecommunications and Information Administration’s Software Component Transparency Initiative, for which I volunteer. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
