Informed of the death of President Franklin Roosevelt, USSR boss Joseph Stalin reportedly asked, “Was he poisoned?” We know that when Russian officials want to take someone out, they often turn to poison. Now they’ve shown a more subtle side.
Rather than blowing up systems or stopping them with something as coarse as a denial of service attack, the Sunburst Trojan horse that infected the infamous SolarWinds Orion product was designed to not interfere with the systems of its ultimate victims in any way. As the Cybersecurity and Infrastructure Security Agency puts it, “This threat actor has the resources, patience, and expertise to gain access to and privileges over highly sensitive information if left unchecked. CISA urges organizations to prioritize measures to identify and address this threat.”
The trick is finding out if you have it. Luckily the white hat community, for lack of a better term, is issuing gobs of advice. This started with the company that was both a victim and the discoverer of Sunburst, FireEye. Notice the heliocentric theme? FireEye provided the first and most concise description of what Sunburst can do: “After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services.”
Sunburst operates with a great deal of subtlety to avoid detection.
It can disable, but so far no federal agency has reported a stoppage. If I were the alleged Russian government or government-sponsored hackers, why would I disable a system that’s sluicing valuable information my way?
As with the Great Office of Personnel Management Attack of 2015, we haven’t heard the splash. That is, we haven’t seen evidence of what motivates these latest major attackers. Speculation includes future attacks from spoofed email to strategic nation-state actions based on information taken. Whatever it might be, the attack has rattled the government.
Regardless, the attack prompts you to think that the billions agencies have spent on cybersecurity so far have bought nothing. I don’t think that’s quite right. It does mean there’s a lot more work to do. Systems keep growing more complex. Cybersecurity gets better and better, but never quite keeps up.
So what happens next?
Short term, agencies’ tech shops conduct a fire drill and get to the bottom of the damage. You won’t have any problem finding detailed technical advice from CISA, FireEye, SolarWinds itself and dozens of other companies. Those companies are doing just dandy, with stock prices up 50% or more since the mid-December disclosure of Sunburst. Not for SolarWinds, though.
Longer-term advice comes from NIST fellow Ron Ross, who in this Federal Drive interview renewed his call for a systems security engineering approach. It’s all outlined in NIST Special Publication 800-160, a book that’s been out awhile.
What I hope does not happen is an orgy of lawsuits and False Claims Act cases in which government and industry forget they’re supposed to be partners in all of this cyber business. Maybe SolarWinds was negligent in letting itself get infected. As federal sales consultant and regular guest Larry Allen noted, the government potentially could collect treble damages if the breech was deemed a contract compliance failure in court.
That’s the default American way. Sue ’em. But I hope the cybersecurity situation doesn’t devolve into that. A more useful exercise: Backwards-engineer what happened at SolarWinds and see at which level SolarWinds would be on the Cybersecurity Maturity Model Certification program now rolling out. If it’s high on the scale and this happens, the Pentagon will at least have guidance on adjusting the CMMC program for that bias.