Cyber-attacks by state-sponsored hackers can be considered an act of war with far more consequences than a plot to steal company data. Now we have to ask: Whose responsibility is it to protect our technology? As the dust settles on the December 2020 SolarWinds Orion hack, there is more attention worldwide to cybersecurity and the global consequences of sophisticated digital attacks. As the world attempts to figure out how to navigate digital security and what to do if a strike is initiated by a state actor, the attack raised many issues for IT professionals and businesses.
Attacks launched as a government strike blur the lines of business security and become espionage rather than ordinary malicious activity. The implications of a state-sponsored attack, which is an act of intelligence gathering and espionage (a long-standing and well-established tradition among global governments), are far more significant than a simple attempt to retrieve company data. Such attacks can be considered an act of war. We now face the question: Whose responsibility is it to protect our technology?
The Threat to IT Supply Chains
Many businesses were left with their heads in the sand after the SolarWinds attack. The nature of the threat itself is the true genius of this incident. Russian-sponsored hackers compromised the vendor's build process, rather than attacking the customers' systems directly. After the back-doored update was deployed, the attackers gained access to at least 18,000 customers. Many of these were government employees.
The attack on the IT supply chain was a stroke of genius and has caused businesses, and everyone else, to reevaluate how they manage their suppliers. Companies are often the ones that suffer from data breaches and are subject to shame and, in some cases, even loss of business. The finger has always been pointed in one direction: towards the companies that have disclosed their data loss. But is it really so simple for most breaches?
There is an expectation of trust in any supply chain. The expectation is that food suppliers have been properly vetted by grocers; consumers are not expected to vet those suppliers themselves. IT is more difficult to regulate.
Businesses should expect the same security from the equipment and software they receive. Despite having some security standards such as ISO and NIST, the U.S. does not have the same oversight over the IT supply chain as it has over other industries.
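The build-process compromise described above is worth seeing from the defender's side: a vendor's own published hashes cannot catch it, because the manifest is produced by the same compromised pipeline, whereas an independent rebuild from source can. The following Python script is an added example written for this article, not code from SolarWinds or from the podcast; the artifact names, the manifest format and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample data: a clean build of a release and the same build
# with an extra payload, standing in for output from a tampered build server.
CLEAN_BUILD = b"update-agent release 1.0\n" + b"\x00" * 64
TAMPERED_BUILD = CLEAN_BUILD + b"<injected payload>"
ARTIFACT_NAME = "update-agent.bin"  # constructed placeholder name


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(name: str, artifact: bytes) -> str:
    """Constructed vendor manifest format: one expected digest per artifact."""
    return json.dumps({"artifacts": {name: sha256_hex(artifact)}})


def verify_against_manifest(name: str, artifact: bytes, manifest_json: str) -> bool:
    """Integrity check a customer can run on a downloaded update.
    Only as trustworthy as the pipeline that produced the manifest."""
    expected = json.loads(manifest_json)["artifacts"].get(name)
    if expected is None:
        return False
    return hmac.compare_digest(expected, sha256_hex(artifact))


def builds_match(build_a: bytes, build_b: bytes) -> bool:
    """Reproducible-build check: two independent builds of the same source
    must be byte-identical, so a backdoor inserted on one build host shows
    up as a digest mismatch against a rebuild done elsewhere."""
    return hmac.compare_digest(sha256_hex(build_a), sha256_hex(build_b))


def check_release(name: str, shipped: bytes, independent_rebuild: bytes,
                  manifest_json: str) -> dict:
    """Combine both checks; a release is accepted only if both pass."""
    manifest_ok = verify_against_manifest(name, shipped, manifest_json)
    reproducible_ok = builds_match(shipped, independent_rebuild)
    return {
        "manifest_ok": manifest_ok,
        "reproducible_ok": reproducible_ok,
        "accept": manifest_ok and reproducible_ok,
    }


if __name__ == "__main__":
    # Healthy pipeline: manifest and rebuild both agree with the shipped file.
    healthy = check_release(ARTIFACT_NAME, CLEAN_BUILD, CLEAN_BUILD,
                            make_manifest(ARTIFACT_NAME, CLEAN_BUILD))
    # Compromised pipeline: the manifest was generated from the tampered
    # build, so the hash check passes, but the independent rebuild does not.
    compromised = check_release(ARTIFACT_NAME, TAMPERED_BUILD, CLEAN_BUILD,
                                make_manifest(ARTIFACT_NAME, TAMPERED_BUILD))
    print("healthy:", healthy)
    print("compromised:", compromised)
```

The point of the second scenario is that the hash check alone gives a false sense of safety when the vendor's build infrastructure is the thing that was subverted; only a comparison against a build the vendor did not control exposes the difference.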
Who is responsible for securing our technology?
Public outcry often launches a blame game against companies for failing to protect consumer data when there is a breach. Many are questioning this general practice after the SolarWinds attack. Companies should be able to trust that their IT suppliers are protecting what they provide. Even with secure supplies, how can businesses expect to defend against sophisticated, state-sponsored attacks?
These questions were discussed in a CompTIA podcast entitled “Supply Chain Attacks & State Actors: Cybersecurity’s Evolving Challenge.”
“If the CIA and the NSA and FireEye, which companies we would normally call in if there were a need, can’t defend themselves, then how can they be living in fear of losing all because we suffer an attack such as this?” stated Kevin McDonald, COO and CISO at Alvaka Networks. It is not fair to assume that SMBs and enterprises can defend themselves against the looming threat from breaches designed to compromise government.
Many other questions remain. Is it possible to set a standard that defines what businesses are responsible for once they have followed best practices and done their due diligence? Experts agree that industry practices such as insufficient safe harbor and anonymity in reporting breaches are detrimental to our ability to respond quickly to incidents and minimize damage.
“It is vital that we know what’s happening. This is more important than knowing who it’s happening to, in the early stages,” said MJ Shoer (CompTIA senior vice president, executive director of CompTIA ISAO).
Adding Security and Resiliency
How does public shaming of breached businesses really help us in our fight against attacks? If we want to reduce the impact of these attacks, then we must change our culture of blame and allow open discussion about attacks while encouraging greater vigilance from IT suppliers. According to the podcast guests, there are several ways we can create a safer IT supply chain.
Businesses should be given greater protections: