In one of his first acts as President, Joe Biden has ordered an urgent review into the hostile cyber operation targeting the US tech company SolarWinds and its customers. The SolarWinds hack impacted multiple organisations globally, including US Government departments, tech companies, other corporates, think tanks and NGOs. It was a sophisticated and ambitious operation, almost certainly undertaken by the Russian state. It has raised renewed questions about supply chain security, how companies can protect themselves and how Western governments can prevent other operations of this kind.
By Conrad Prince CB, Pool Re’s Senior Cyber Terrorism Advisor – February 2021
Conrad Prince CB, was formerly Director General for Operations and Deputy Director of GCHQ, and subsequently Cyber Security Ambassador for the UK Government.
How it happened
SolarWinds is the company behind Orion, software widely used by companies to monitor the performance of their IT networks. The Russians may have first hacked into SolarWinds as early as September 2019. They accessed part of the environment used by SolarWinds to develop its software and inserted some malicious code into Orion. When clients downloaded one of the regular Orion updates, this malicious code was downloaded too. It was a classic supply chain attack, hacking into a trusted third party supplier and using its own infrastructure and processes covertly to deliver malware to the supplier’s extensive client base.
According to reports, 18,000 SolarWinds customers downloaded the Orion updates with the covert malware. If the Russians were not interested in a particular victim organisation, no further actions were taken. However, if they were interested, they inserted additional malware, enabling them to start gathering information. Among other things, the hackers appear to have accessed email accounts, viewed Microsoft’s product source code, traversed the on-premises and cloud infrastructure of targets, and stolen tools from cyber security company FireEye that could be used to conduct other hacks. We will probably never know the full extent of the hack and how much data was stolen.
The attack once again reinforces the extent of the supply chain risk. This is not just about defending against direct hacking attempts. It is about malware hidden deeply in trusted software updates from apparently reliable suppliers. Protecting against this sort of attack is hard. But more than ever it needs to be a priority. A 2020 UK Government survey revealed that only a third of companies in the finance and insurance sectors had reviewed the cyber risks of their immediate suppliers, and less than a fifth had looked at their wider supply chain.
So what can companies do?
The obvious problem is that we are reliant on the cyber security practices of our supply chain companies, and there is only a limited amount that can be done independently to assess that. Some technical measures can be employed, for example to look at cyber vulnerabilities in a supplier’s internet-exposed assets. These are important, but will only take us so far.
The key is making cyber an ongoing core part of the commercial relationship with the supplier. All too often, it is not raised at all, or only as part of onboarding a new supplier. Instead, there needs to be regular, detailed evidence-based engagement with suppliers on the state of their cyber security protections. Those responsible for managing supplier relationships need to be confident enough and willing to engage in tough conversations about cyber. And these engagements need to be a core component of contractual negotiations, so there is some real leverage.
Even then, there is no simple solution. In some cases even the most assertive supplier review would not have exposed the sort of issues that enabled the SolarWinds attack to succeed. But this is a start – and it is important to remember that the supply chain is a vector for many kinds of cyber attack, mostly a lot less sophisticated than the SolarWinds operation.
There are also benefits from integrating our approach to cyber security. We can often think of protecting our networks from cyber attack, and the security assurance of our supply chain, as two separate activities. But the SolarWinds attack shows that when a supplier has a trusted presence on our environment these two dimensions are actually closely coupled.
The other key takeaway is about resilience
The SolarWinds operation demonstrates yet again the sophistication and ambition of a serious hostile cyber player like Russia. For months, all the capabilities of some of the most advanced Western tech companies, not to mention the US Government, failed to detect the operation. This just reinforces that we have to think in terms of when not if with cyber attacks, and have the right investment in resilience to ensure a rapid recovery when it happens.
Finally, Western governments will be looking once again at what more can be done about attacks like this. Billions of dollars have already been invested in national cyber programmes. It seems possible that part of the response may be more regulation of the private sector to encourage the development of more secure technology products, and better cyber security standards. The implications of the SolarWinds attacks are wide ranging and will be felt by all of us for some time to come.