
The Most Painful Lesson From The SolarWinds Hack

As companies get more sophisticated, hackers are finding new weak spots. Often, that means attacking a company through its suppliers.

The breach of U.S. government agencies from the Department of Defense to the Treasury Department will likely go down as one of the most impactful cyberattacks in history, affecting not just federal agencies, but likely tens of thousands of American businesses—and their customers—as well.

The reason? Not only because of the potentially unprecedented size and scope of the attack, but because the hackers took full advantage of one of the most-discussed, but perhaps least-checked, strategies available to those looking to break into networked computer systems: third-party software.

Boards and CEOs at large multinational companies have spent over a decade introducing increasingly robust cyber defense systems—often after discovering the hard way the downsides of not doing so. The issue of cybersecurity routinely tops our polls of U.S. directors when it comes to what keeps them up at night, driven by high-profile breaches at companies from Marriott to Target to Equifax.

But as the companies themselves have gotten more sophisticated, that’s pushed hackers to find new weak spots. Often, that means attacking a company through its suppliers.

In this case, the attack, by what officials say are agents of Russia’s foreign intelligence service, went after a particularly valuable target: SolarWinds, an Austin, Texas-based network management company that counts more than 300,000 customers, including the bulk of the Fortune 500 and many government agencies.

Worse, according to The Wall Street Journal, the hackers were able to create a malicious software update that was then passed on through the company, which is deeply embedded in the “plumbing” of many networked computer systems. “Hacks of this type take exceptional tradecraft and time,” Chris Krebs, the former head of cybersecurity for the Department of Homeland Security said on Twitter, the Journal reported. “If this is a supply chain attack using trusted relationships, really hard to stop.”

What should CEOs and boards do? Immediately, security experts say, they need to know whether they are using SolarWinds products on their systems. If so, they should assume they have been breached and get their CISOs to take appropriate action to secure company data.

Longer term, they should push their security teams to focus on potential threats that could come via supply chains. The National Institute of Standards and Technology, the part of the U.S. Department of Commerce that acts as a standard-setter for cyber risk, offers guidelines. Among them:

  • Develop your defenses based on the principle that your systems will be breached. “When one starts from the premise that a breach is inevitable, it changes the decision matrix on next steps. The question becomes not just how to prevent a breach, but how to mitigate an attacker’s ability to exploit the information they have accessed and how to recover from the breach.”
  • Cybersecurity is never just a technology problem; it’s a people, processes and knowledge problem. “Breaches tend to be less about a technology failure and more about human error. IT security systems won’t secure critical information and intellectual property unless employees throughout the supply chain use secure cybersecurity practices.”
  • Security is Security. “There should be no gap between physical and cybersecurity. Sometimes the bad guys exploit lapses in physical security in order to launch a cyber attack. By the same token, an attacker looking for ways into a physical location might exploit cyber vulnerabilities to get access.”

For directors and corporate leaders looking to get smarter on the issue, NIST offers a great rundown of key questions to ask your IT folks as well as third parties, as well as a checklist of best practices.

The most essential thing is to remember that even in a situation like this, companies are not powerless. As we’ve counseled in the pages of Corporate Board Member and Chief Executive for years, that’s absolutely critical to remember—you must not let this lead to paralysis. Cyber risk—like lots of other risks—can be mitigated. Some essentials we’ve picked up along the years:

  • Know what the “crown jewels” of your data sets are, and make sure they are safeguarded appropriately—and separately.
  • Focus on being able to bounce back from an attack, not just harden yourself to one, which may ultimately prove impossible.
  • Hedge risk through insurance products.
  • Foster a culture of security, perhaps elevating the CISO to report directly to the CEO.

At our annual Cyber Risk Board Summit in February, Shawn Edwards, chief security officer for RSA and head of Dell’s Business Unit Security Organization, said that when it comes to board-level business continuity planning and cyber risk, he looks to see first and foremost: Is there a plan? And is it focused on the right things?

“It sounds silly, but you’d be surprised sometimes,” he said. “It’ll be picking out a specific area of the business and not looking at it holistically. And I think it’s important that the continuity plan covers all of your operations.” Now more than ever.
