Government agencies and the private sector will spend $100 billion or more to recover from the SolarWinds hack, which went undetected for at least nine months and may have compromised 18,000 government and private sector organizations using SolarWinds Orion software. Even if breached organizations successfully mitigate the damage from SolarWinds, they know adversaries aren’t going to stop trying to get in. If they plug one vector of attack, the adversary will find another to exploit.
Preventing the next breach requires doubling down on routine measures, from enforcing robust passwords and multifactor authentication to emphasizing end-user cyber training. Agencies must also take new actions, such as requiring a software bill of materials so they can inspect the components of software before implementation, and using vulnerability detection tools when developing software.
Even the most well-constructed, best protected systems can be fooled by novel tactics, techniques and procedures (TTPs). Agency sensors were set to detect known TTPs, but were unprepared to detect the novel TTPs targeting SolarWinds users. When this happens, agencies must rely on technologies that can contain bad actors and prevent them from delving deeper into agency networks.
“Once an attacker breaches a network and begins moving laterally, or east-west, it’s very difficult to determine where the attacker has navigated to and what they have touched,” said John Minasyan, director of product management, Commercial Products at Belkin International. “This is where secure KVMs can play a crucial role in containing bad actors.”
A secure Keyboard, Video, and Mouse (KVM) device sits between computer systems and a single set of peripherals, letting a user operate multiple computers from one keyboard, monitor and mouse. It can be used, for example, to control more than one desktop computer or a group of servers in a data center.
Assuming networks are segmented and isolated, secure KVMs maintain the air-gap isolation where separate networks meet shared peripherals at end-user desks. They help to ensure that a breach is contained within a single network and physically block attackers from accessing high-value assets.
KVMs also help prevent insider threats, such as a remote employee connecting a compromised home monitor or other peripheral to an agency-issued laptop.
“The problem is created when a government employee leaves, grabs a government-issued laptop and goes home,” Minasyan said. “If that laptop connects to a home monitor and something nefarious is sitting in the memory, the malware theoretically has a path to flow into the laptop. Nothing is stopping it.”
The SolarWinds attack has intensified congressional and executive branch attention on cybersecurity. At a Feb. 10 hearing of the House Homeland Security Committee, Chairman Bennie Thompson, D-Miss., called on the Federal government to “raise the baseline” on cyber defense and “treat cybersecurity as a national priority, and not a boutique add-on.” A day later, Anne Neuberger, deputy national security advisor for cyber and emerging technology on President Biden’s National Security Council (NSC), said the Biden administration is working on a new national cybersecurity strategy. Recommendations on software supply chain security are under consideration, Neuberger noted.
During a speech at the State Department, President Biden said his administration is “launching an urgent initiative to improve our capability, readiness, and resilience in cyberspace.” That initiative could be bolstered by cybersecurity funds proposed in the president’s coronavirus relief plan, which is moving through the budget reconciliation process in Congress. Although the president’s request for a $9 billion boost to the Technology Modernization Fund was axed by Congress, $1.2 billion of Federal IT funding still hangs in the balance. That funding includes:
- $200 million for the IT Oversight and Reform (ITOR) Fund targeted at the Federal CISO and the U.S. Digital Service to allow for rapid hiring of hundreds of IT experts;
- $300 million for the Technology and Transformation Services unit within the General Services Administration (GSA) to advance secure IT projects forward without requiring agency reimbursement; and
- $690 million for the Cybersecurity and Infrastructure Security Agency (CISA) to secure civilian Federal networks and support pilot programs for new shared security and cloud computing services.
At CISA, the National Risk Management Center (NRMC) is supporting remediation efforts stemming from the SolarWinds breach, “perhaps the most significant software supply chain attack” in history, according to Bob Kolasky, who heads the NRMC.
“There is no bigger risk” facing critical infrastructure sectors than attacks on their supply chains, Kolasky noted. Industry and government can collaborate on strategies to improve supply chain security through the NRMC’s Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force, which was rechartered in early February for six more months. The rechartering will allow for the operationalization of recommendations to build additional resilience into ICT supply chains, CISA said.