Cybersecurity Lessons from the 2020 Russia-U.S. “SolarWinds” Attack
To top off an already dismal year, there was one final parting shot from the dumpster fire that was 2020: cyber-espionage. In December of 2020, the federal government acknowledged a massive data breach. U.S. Secretary of State Mike Pompeo identified Russian state actors as the likely culprit behind this massive cyber attack on America’s digital infrastructure.
The attack began in March, when the attackers exploited vulnerabilities at Microsoft, VMware, and SolarWinds to breach three federal agencies. Affected agencies include the Departments of Defense, Homeland Security, and Treasury, along with hundreds of private companies, bringing the total to 250 targeted entities.
It’s not as if government employees were giving out their social security numbers to win a free trip to Aruba. These were cybersecurity-savvy agencies. Yet still, the hackers were able to access the email inboxes of high-ranking officials at the U.S. Treasury and Commerce Departments.
A concerning pattern
Cyber attacks from state actors are a growing trend. Remember the 2014 Seth Rogen comedy The Interview? Probably not, because North Korean state-affiliated actors hacked Sony Pictures, leaked personal information about Sony executives, and demanded that Sony withdraw the film. The film, a comedy about stoners trying to assassinate North Korean leader Kim Jong Un, was never widely released.
In a considerably less whimsical example, in 2014 Russian state actors staged a series of cyber attacks against American and European water and electrical systems. They gained access to power plant control systems and, even though they never actually shut down or sabotaged the plants, they may still retain access. In June of 2019 the U.S. retaliated against Russia with a similar attack on Russian water and power stations.
These are only two examples of the latest in state-sponsored cyber warfare. Some estimate there have been nearly 700 major cyber security breaches since 2006, each with at least $1 million in damages. So what can we learn from this latest train wreck of a breach?
Lessons
The newest front in international negotiations, espionage, and, yes, warfare is online, right behind the screen you’re reading this on now. So this is everybody’s problem. Here are some tips:
1) This could happen to you.
This isn’t just a problem for governments. Private companies, like Belkin, Equifax, and Nvidia, were targeted for hacking, along with government agencies. It’s not like the Treasury Secretary kept his password “Password1234.” These are sophisticated hackers and this breach could have affected you too. So no more mental compartmentalization. This is a problem for all of us.
2) Government and industry must share cybersecurity intelligence.
Cybersecurity is one of the most siloed and piecemeal national security concerns in the United States. As 9/11 taught us, the only way to avoid future attacks is to continually pool and unify our intelligence about the threat.
3) Cyber warfare is an equalizer.
In traditional warfare, one country’s soldiers fight another country’s soldiers. In cyber warfare, there are no civilians. Any company with valuable information can be targeted by anybody else. Private companies must become accustomed to assessing their vulnerability to state-sponsored hackers. All is fair in love and cyber warfare.
4) Know your cybersecurity vendors.
With the rise of “smart” devices, vendors of all kinds can act as a Trojan horse. In 2014, Target was breached by means of an HVAC vendor: the epitome of “not cool.” In 2017, attackers stole millions of credit card numbers and related data from Mandalay Bay, a casino, via a smart fish tank aquarium vendor. So vet many different vendors; there are other fish in the sea. Also, try not to be paranoid, but your smart fridge might be spying on you.
SolarWinds is now famous for being a vector for cyber attacks, but before that it was a popular network monitoring company based in Austin. It was then probably compromised some time in October 2019. In March 2020, the hackers hid malicious code in a standard SolarWinds software update. About 18,000 companies downloaded the tainted update. In sum, Russia’s cyber attack was so successful and wide-ranging because it targeted the supply chain.
So know your vendors. A company that doesn’t make cybersecurity a priority should not have high level access to your networks.
5) Red flags today mean white flags tomorrow.
There were so many warning signs that SolarWinds should not have been trusted with this sort of access. Executives at the company ignored security warnings three years prior to the attack. According to one employee, the company was using outdated web browsers and operating systems. As if things couldn’t get any worse, in 2019 the password for one of their servers leaked online. What was that password? … solarwinds123. Yep, really. Finally, the company didn’t even remove the tainted software update from its website for several days after the Russian attack was announced publicly.
6) We’re all in uncharted waters.
Most people don’t expect to deal with any sort of warfare (cyber or otherwise) when they start businesses. Hacks on the scale of the 2020 attack are truly unprecedented and actors at every level are scrambling to determine the appropriate response. Governments and private companies are still calibrating how to respond.
But here’s some positive news. While these hacks are insanely dangerous, they also haven’t [yet] caused any physical damage. So… hooray?
7) Be open-minded.
Remember that the pessimist says that things can’t get any worse. But the optimist says… yes they can.
The discovery in 2020 of this recent attack is the latest and loudest alarm bell we’ve had yet. Sophisticated, state-sponsored cyber attacks are coming. But, since we’ve all received a crash course in immunology this past year, we know that in response to a breach, the body produces antibodies. Similar to an immune system, our cybersecurity efforts will have to rise to the level of the antagonist trying to infect our systems.
So if you’re a cybersecurity professional yourself, or if you’re interested in improving your firm’s cybersecurity strength, keep these lessons in mind.