Following the SolarWinds hack, the Cybersecurity and Infrastructure Security Agency believes it has developed a better understanding of critical software across government.
CISA’s National Risk Management Center has spent the four months since the hack was discovered determining the risks such software poses to national critical functions and developing tools to mitigate the threat, said Assistant Director Bob Kolasky.
The SolarWinds hack compromised at least nine agencies when Russian operatives used its updating system to push malware to Orion software users, and now all agencies should take stock of their IT infrastructure, Kolasky said.
“We call this supply chain security; we call it supply chain risk management — about understanding the hardware and software that you rely on to do business and do critical processes,” he said. “But that actually means differentiating between the hardware and software you rely upon to do critical processes and doing your own survey of what your critical processes are.”
Even SolarWinds customers unaffected by the hack had to reevaluate their IT environments now that supply chain attacks of this magnitude are no longer simply theoretical.
A large, nation-state adversary was nothing SolarWinds was “really, truly prepared for,” said Tim Brown, the company’s chief information security officer and vice president of security.
“This adversary was not simple,” Brown said. “They were quiet, they were stealthy, they lived off the land, they only were there when they needed to be there, they weren’t noisy.”
SolarWinds can do better as a software provider when it comes to development transparency and is looking to help industry after pushing releases the last four months, he added.
CISA is a partner in those efforts.
Government information sharing needs to improve, and the National Risk Management Center wants to ensure agencies aren’t entering into software contracts where, should a breach happen to one, it winds up affecting another’s systems, Kolasky said.
“What is the overall national response capability?” he said. “And how are we going to have depth of remediation, so that we can anticipate things bigger than what just happened?”
That will require working with companies like SolarWinds. Adversaries currently share information better than the public and private sectors do, Brown said.
SolarWinds attackers hit the company at the endpoint, and it didn’t have double checks in place. Now SolarWinds not only builds software but installs, decompiles and checks it back against source code, Brown said.
“I truly gave a little too much flexibility to my developers and my development network,” he added.
Many software companies do when it comes to allowing developers different operating systems and administrative and application rights. But SolarWinds has since imposed tighter policies, procedures and controls on its development team. They’ve “kind of slowed things down,” but the development team has been “very accepting” when they wouldn’t have been even six months prior, Brown said.
Check-ins to source code no longer just require a peer review but also an architect review. And SolarWinds stood up a triple-build environment, where it builds in a disconnected clean room — with both a developer and lab environment — compares results and prevents anyone from having access to all three, Brown said.