The hack of network management software provider SolarWinds is one of the worst nightmares for cybersecurity professionals: the work of an advanced persistent threat, a sophisticated adversary that seeks an extended foothold in critical digital infrastructure to steal information or cause damage. Tech leaders told the U.S. Congress that the attack was a cyberespionage campaign waged by Russian intelligence on a scale and level of sophistication never seen before. The incident, which U.S. government officials also attributed to Russia, compromised the networks of nine federal agencies and over 100 private-sector companies, and this number may grow.
Cyberattacks have risen dramatically as companies and governments have digitized an ever-widening breadth of services, processes, and customer touch points. Plus, the increasingly distributed nature of cloud-based computing expands the attack surface, especially for well-resourced criminal or nation-state organizations. By one estimate, a common banking app that allows customers to make a deposit by taking a photo of a check can involve upwards of 17 different technology and processing components across as many third parties.
“Companies are ever more reliant on supply chains, or ecosystems made up of many, many pieces,” says Greg Rattray, co-founder of cybersecurity advisory firm Next Peak and a senior advisor to Oliver Wyman. “The problem is the attackers understand the ecosystem as well as and often better than the people integrating operational and technology services.”
Rattray and his co-founder, Jim Cummings, also a senior advisor to Oliver Wyman, discussed the scale of today’s threats and what companies can do to secure their supply chains with Paul Mee, lead partner of Oliver Wyman’s Cyber Risk Platform and co-head of the Oliver Wyman Forum’s Cyber Risk initiative.
How vulnerable are companies’ digital supply chains today?
Greg Rattray: Supply chain and advanced persistent threat attacks have evolved rapidly over the past decade, with attackers being more studious, more creative, and more determined to get into the right places. Entry points can include network management software, domain name system software, encryption key management, workflow management systems, or large-scale data exchanges. It requires intelligence to get into the supply chain. While rogue states, hackers, and criminals are increasing their collaboration, I think targeted attacks are more likely to emanate from a sophisticated nation-state going after a lucrative financial target or intellectual property, or seeking to inflict notable disruption.
SolarWinds wasn’t an attack on a specific enterprise; it was an attack compromising the system. You have to understand your dependencies on such a system, then establish confidence that your supply chain is safer than the next guy’s.
Jim Cummings: Today many sophisticated tools are available on the dark web for purchase, and criminal actors employ advanced tactics, techniques, and procedures that are very similar to those used by state actors. These cyber criminals are more lethal than ever and relatively unconstrained in their actions, having migrated from nuisance attacks to ones that are destructive in nature. That’s pretty worrisome.
Can a company know whether they are more likely to be attacked by a nation-state or cyber criminals?
Rattray: Your defensive strategy needs to be dictated by how attractive you are to attackers. If you’re doing something like leading-edge research, you will attract sophisticated attackers even if you’ve got very good defenses. We know that with enough time, attention, and persistence, attackers will prevail.
The retail industry, on the other hand, is arguably one without significant intellectual property or infrastructure critical to national security or the immediate wellbeing of people. Retailers need to worry that they hold people’s personal and financial information, such as credit cards, and therefore will attract criminals. With the significant growth in digital retail and online shopping, retailers need to make sure they have cyber hygiene of the highest standards and make it particularly hard for criminals to get in.
How many suppliers are there that hackers could exploit to penetrate dozens of companies or government agencies?
Rattray: I believe SolarWinds is the tip of an iceberg and there are hundreds if not thousands of similar companies. If it’s the Russians in SolarWinds, they understand what’s under the surface and they’ve probably got a lot of accesses. Why would you just go after SolarWinds? If that attack gets compromised, a perpetrator would be wise to have three other types of network management supply-chain companies with your code added into their features.
Then there may be a deeper layer in the iceberg. The big software houses tend to use subcontractors as less expensive labor for programming. Those who code for SolarWinds are not all SolarWinds employees. So, if a bad actor wants to hack a network in, say, Austin, Texas, they don’t have to do it directly. They can embed and call upon people acting as subcontractors to do the coding and give it to the operator of the network they are targeting.
You paint a picture of almost limitless potential for attacks. How does a Chief Information Security Officer or a CEO start to get to grips with this?
Rattray: First, analyze what digital and technology risks you have. Bear in mind that stuff can break even if it isn’t attacked. A supplier could go out of business, some code could go awry, reputation can get torpedoed. That happens all the time. So, you have to be resilient. Without a map of your dependencies and knowing what you might need to fix, you will not be prepared to fix things when you most need to.
Once you know your ecosystem and who’s in your supply chain doing what, do some reasonable vetting, some cost-effective risk analysis of who would be motivated to come after you, and how they could do that. You can bring in a wide variety of cybersecurity experts to make sure you’re using the right defensive techniques against the attack tools most likely to be used against you. In addition, there’s probably an important discussion around how much the government enables companies to have a so-called bad boy supplier list. I think we’re going to move more toward that.
Cummings: This can’t be just the CISO’s or a CIO’s responsibility. The company has to embrace defense across the enterprise and understand cyber threat as the critical risk it really is. Good security goes beyond double-checking controls. In some cases, controls are people monitoring things based on historical experience. If you don’t exercise and train people to see the potential threats, those threats could go right by them. Additionally, recognizing that this kind of attack is incredibly difficult to prevent, companies need to plan for the steps they must take in the event that they are part of an infected supply chain. This calls for developing incident response playbooks and running training exercises.
Should companies work with their suppliers to bring them into the fold when designing defenses?
Cummings: The Department of Defense is implementing the Cybersecurity Maturity Model Certification process for defense contractors. They have five different tiers of qualification that they require third-party vendors to get based on what they’re contracting for. Everybody’s looking to see how it works out. A lot of things are happening in DOD that are positioned to influence regulators and the private sector when it comes to considering a common robust standard for cyber defense measures.
You want to have criteria where the suppliers provide a form of certification that they’re following through on their security parameters and cyber defenses. When vulnerabilities appear in the software, IT services, or network you’re using, there will likely be a third-party vendor involved. Attempting to get to know a third party only when a breach occurs magnifies the associated challenges significantly. Familiarity matters and knowing how to contain a situation, rapidly patch systems, and be prepared to recover and resume is predicated on having strong up-to-date knowledge of a vendor solution and support representatives from that vendor.
Does resilience mean companies should have fewer and more trusted sources of supply? Is that feasible?
Rattray: How much are you going to invest in resilience? One way is to say we’re going to be more disciplined regarding the breadth of suppliers and the degree of stringency we apply to them. However, this risks stifling innovation. This can be a tough tradeoff.
If you’re highly innovative and very fast, you’re probably going to be less resilient. You’re speeding towards a potentially fragile result, and you’re going to pay the cost. But this doesn’t need to be inevitable. These risk-management choices need to be embedded in the digital strategy of the company. You have to say, we’re going to be digital and we’re going to keep up, and we’re committed to understanding and managing the associated risks, which will involve extra due diligence and tempering pace where and when it matters.