Last week, Wired published a great story by Andy Greenberg on something that happened more than ten years ago: the RSA hack by the Chinese army. The RSA executives who were involved in discovering and responding to the attack – and in the huge effort to reach out by phone to every one of their customers and walk them through the mitigations they needed to put in place – are finally able to talk about it, because their 10-year NDAs have expired.
Tell me, does any of this sound familiar?

1. A supplier of important IT products to organizations worldwide is attacked, and their primary product is reported to have been compromised.
2. Because of the nature of that product, it occupies a very privileged position in the customers’ networks. The fact that the product might be compromised strikes fear into everyone who understands what the product does and how it is used.
3. Because the customers include many federal government agencies, including three-letter agencies, this becomes a national security event – meaning it could be a disaster not only for a large number of private companies, but for every American citizen (and many citizens of foreign countries as well, since this product was by far the market leader). In other words, this was really an attack on critical infrastructure – we just didn’t realize it.
4. Despite the breach’s potential to literally destroy the company, its leaders responded to it well and took the hard steps necessary to win customers’ confidence back.
5. On the other hand, because the attackers were inside the company’s network for a long period, they very likely left backdoors – meaning they’ll probably be able to get back in whenever they want.
You’re right! The above applies to RSA, but it could just as well apply to SolarWinds. I’ll let you read the article, but here are some of the key differences between the two breaches:

1. It seems only three companies – including defense contractor Lockheed Martin – might have been breached due to the RSA attack, and even if they were, they swear up and down that the hackers never compromised anything having to do with national security. In the case of SolarWinds, 18,000 customers received the compromised updates, but “only” 1-200 were actually penetrated by the Russians (including a number of federal agencies, of course). None of them have reported any serious losses, although it’s unlikely a federal agency will make an announcement like “We regret to say that the Russians discovered our most closely held secret, namely….” On the other hand, given that the Russians were inside those 1-200 organizations for many months, they have certainly laid the groundwork to remain undetected for years. Who knows what they’ll ultimately do?
2. The Russians were inside the SolarWinds network – and more specifically their development environment – for about 15 months; even then, they were only detected because someone at FireEye (a SolarWinds customer) happened to ask about a new device that showed up on someone’s account. The Chinese were inside RSA for I believe just a few weeks, and for most of that period, they were tracked in real time by the RSA security staff. Unfortunately, the staff was literally just seconds too late to prevent them from making off with the crown jewels.
3. The RSA breach was a classic information security breach: the Chinese attackers stole the seeds that supported the process of generating one-time passwords on RSA hardware and software tokens. It was obviously a very sophisticated attack, yet at heart it wasn’t too different from any other attack where important data is stolen.
4. The SolarWinds attack was completely different from any previous supply chain attack, in that the software development process itself was compromised, in such a manner that no current technology (other than perhaps in-toto, which was developed only in the last couple of years, and only got a lot of attention after the attack) could have discovered it.
5. After the SolarWinds attack, people (including me) began to realize that the systems and processes used by software developers like SolarWinds are as much critical infrastructure as the systems that run the power grid – and they need to be regulated as such. However, I never expected that I would get my wish so quickly, since the recent EO does exactly that.
Ten years ago, I don’t remember
anybody calling for cybersecurity regulation of companies like RSA. Perhaps this
was because the idea of any cybersecurity regulation was new (for
example, CIP version 1 only fully came into effect at the end of 2010). I
believe the CIP standards were among the first cybersecurity regulations
anywhere – other than perhaps the military, and breach notification laws in a
few states. The general feeling was that, if a private company was breached and
it affected their customers, that could be handled well in the court system –
there was no need for government regulations.
We seem to have finally learned our
lesson with SolarWinds: Just like the hack of an electric utility is more than
just a financial issue to be settled between the utility and its customers, the
hack of the provider of a vital technology to the federal government – and a
huge number of private organizations – is much more than something to be
settled with a bunch of lawsuits. As much as possible, it needs to be prevented
through regulation. SolarWinds and RSA are both critical infrastructure
organizations. They both need to be regulated – as well as a number of other providers
of IT/OT products and services to the federal government.
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. Nor
are they shared by the National Technology and Information Administration’s
Software Component Transparency Initiative, for which I volunteer. If you would like to comment on what you
have read here, I would love to hear from you. Please email me at tom@tomalrich.com.