A range of key government networks, including the Treasury, Commerce and Homeland Security Departments, have all reportedly fallen victim to a major cyberespionage campaign by the Russian government within the past 48 hours. The list of victims is likely to grow and include more private companies too.
The fact that the agency tasked with protecting the U.S. from cyber and physical threats was breached highlights how all government agencies are at risk from state-sponsored threats. To provide insight into how the U.S. government should recover and learn from this incident, please consider reviewing the below commentary from cybersecurity leaders.
The primary motivations for cyber attacks are monetary gain, theft, and destruction. While many news cycles have covered the more consumer-facing monetary impacts of ransomware, campaigns for theft and destruction of data are still being heavily waged. Recent attacks on the cyber security firm FireEye, and now multiple government agencies including the Treasury and Commerce Departments, have been publicly attributed to Russia, but many nation-states use advanced persistent threats (APTs) as a means of espionage and potential destruction. With the Electoral College casting ballots today, an incoming administration will have to recognize the growing threat of cyber attacks from prominent world powers and terrorist nations alike.
Well-funded, talented, motivated nation-states exist as a crowd of potential adversaries with diverse skill sets, a variety of motivations and goals, and incentive to get results. The “Mossad/Not-Mossad” threat model introduced by James Mickens suggests that while a sufficiently motivated and resourced adversary will ultimately always achieve their goals, an army of allies stands ready to help raise the bar, increase the cost of an attack, and route the adversary into places where they can be more easily detected.
The SolarWinds incident also highlights the complexity of supply chains and the “no look” dependency on upstream security programs to maintain the integrity of the supplied software, as well as the systems and environments of all users of that software. What happened with SolarWinds could, and has, happened with open source software, as well as with other providers. The use of M.E.Doc in the NotPetya attacks in Ukraine is a recent example, as were the 2011 attacks on the RSA SecurID authentication software. In this case, the breach of SolarWinds Orion’s code poses a major threat to the Federal Civilian Executive Branch agencies that were using its software, as well as the 425 Fortune companies in their client list, and many, many other organizations worldwide.
The potential upside of this breach, as noted by Dmitri Alperovitch, is that the incredible scope of its impact creates a dilemma for attackers when it comes to choosing what to exploit. This will shift the burden to incident response and threat hunting teams over the coming weeks to establish whether the incident affects them and, if so, whether the access provided by the breach was used by APT29.
Vulnerabilities exist in every platform and every company, and the number of exploitable vulnerabilities and their potential impact compound as developers innovate at unprecedented rates, in part due to the new demands of remote work and widespread access triggered by the COVID-19 pandemic. While there are still many questions remaining about this breach, government agencies must acknowledge the scale and distributed nature of the threats they face in the cyber domain, and realize that they need to accept the assistance of that army of allies who are offering to help defend against the legion of adversaries.
Governments and private organizations around the globe have recognized the threats they face and are leaning into the benefit of well-run Vulnerability Disclosure Programs (VDPs) to roll out the red carpet to the digital locksmiths of the Internet, who work to counter and outsmart the adversary and – more importantly – to help create confidence in their constituents’ security ecosystem.
The kind of security research and discovery of security issues that could frustrate the efforts of nation-states is happening whether there is an invitation or not, and the truth of this is making the implementation of a VDP an increasingly easy decision to make.