The damage is not yet contained, either, with SolarWinds clients still working to fix the vulnerabilities, Ramakrishna said. Some impacted customers lack the technical know-how or workforce to easily handle these fixes on their own, so the company has been assisting with upgrades.
“A lot of our software runs on premises as well, so it’s not instantaneous that everybody updates at the same point in time,” he said.
It is now six months since the December 2020 discovery of the attack, which affected roughly 100 companies and nine government agencies and pushed "supply chain security" to the top of many public and private decision-makers' lists of concerns. Experts continue to try to grasp all that went wrong.
Ramakrishna became SolarWinds’ new CEO in January, under transition plans that predated the breach, and took time during RSA to discuss lessons the software company learned about responding to major cyber events, while others like Anne Neuberger, the National Security Council’s deputy national security adviser for cyber and emerging tech, talked about public policy approaches that could reduce the likelihood of another software supply chain infiltration.
“While we must acknowledge breaches will happen and prepare for them, we simply cannot live with waiting for the next shoe to drop to be the status quo under which we operate,” Neuberger said during the RSA Tuesday keynote.
LIKE SELLING CARS WITHOUT SEAT BELTS
Several cybersecurity experts said during RSA events that software companies’ business models too often encourage cutting corners on security — behavior that played a role in setting SolarWinds up for failure. Government policies may now be necessary to change the competitive business environment in which software companies operate.
Developers often rush software to market despite knowing that it contains errors, Neuberger said. Firms may assume the issues are too small to matter or can be fixed later, but hackers can seize on small weaknesses and turn them into national security issues.
“The current model of ‘build, sell, maybe patch’ means the products the federal government buys often include defects and vulnerabilities,” she said.
This kind of approach wouldn’t fly with other products, Neuberger pointed out.
“We’d never buy a car that was rushed to market, knowing it could have potentially fatal defects that the manufacturer may or may not choose to issue a recall [for] and fix,” she explained. “You wouldn’t buy that car and decide later whether you want to install seat belts.”
THE PROBLEM WITH OUTSOURCING
Speaking during Monday's keynote, Ross Anderson, professor of security engineering at Edinburgh University and Cambridge University, similarly suggested that profit-seeking may have led to looser security practices. SolarWinds appeared to have failed to maintain or evolve its security standards as the company grew, which should serve as a lesson to other large IT operations, he said.
“Recently, it had become a monopoly and much of the technical expertise had been farmed out to engineers in Eastern Europe, and so they weren’t caring as much about security as they used to,” he said.
As organizations grow and incorporate more suppliers and players into their operations, they need to be able to assess and confirm the security of all those elements, Anderson said. SolarWinds may not have been prepared to oversee those it outsourced to, however.
Another risk of turning to engineers in certain countries is that Russia-sponsored attackers also appear likely to target companies in Eastern Europe in order to inject malware into software components that are then used further up the supply chain, Terry Thompson, an adjunct instructor in cybersecurity at Johns Hopkins University, wrote in a recent article.
Thompson noted that difficulty finding U.S.-based cyber talent can also be a driver of outsourcing.
INCENTIVIZING SECURITY
Neuberger said new government policies must reshape business incentives so that it becomes more profitable to create safe products than unsafe ones. As part of this approach, buyers need visibility into the security of software offerings so they can choose among solutions based on that consideration.
Some efforts are already underway at the federal and state levels. President Biden's recent executive order on improving the nation's cybersecurity directs that software vendors serving the federal government be held to stronger security standards. The order also calls for consumer Internet of Things (IoT) products to bear labels reflecting their level of security.
Similarly, even before the SolarWinds attack, New Hampshire policymakers had put forward a bill that would establish an Information Technology Supply Chain Risk Authority responsible for overseeing state agency-procured software, hardware and telecommunication services.
Much advice in the cybersecurity space has emphasized the need to adopt basic preventive measures, among them requiring that software supplied to the federal government be built in secure development environments. Neuberger commented that such practices may seem obvious, but evidence shows they are still "not universal."
SOLARWINDS RECOVERY LESSONS
Even diligent companies can fall victim to some attacks, especially ones with the force of a nation-state’s resources and expertise behind them. Examining SolarWinds’ experience can help firms rethink how to respond.
Ramakrishna said strong communication and transparency with affected clients and others about incidents is an essential part of mitigating damage and retaining trust in the aftermath of a breach. He recommended providing regular updates as the company learned more, rather than staying silent until it had a full picture of events.
Having the company ready to offer “a stronger media response” when the breach was discovered would have helped the situation, Ramakrishna said.
“Reflecting back, I wish we had more resources, more proactive outreach,” he said.
Ramakrishna also spoke against the common trend that sees CISOs fired in the wake of serious cyber breaches by company heads who may be eager to demonstrate decisive action. CISO removals can often be more symbolic than helpful, he said.
“When a nation-state attacks you, it is impossible for one person to be able to thwart that entire attack, or take full responsibility for it,” he said. “[CEOs] are really paid to get the most and the best out of the people that you have. Yes, accountability matters. But just as CEOs get a lot of undue credit when things go well … some CISOs get undue discredit.”
Editor's Note: This story has been changed to reflect updated information on how many entities were impacted by the attack.