In the wake of the SolarWinds hack, a former presidential adviser was emphatic about the government’s need to require more from providers of software and cloud services.
Researchers agree about the level of sophistication the perpetrators of the hacking campaign have employed in order to pull off the level of access they now have to sensitive systems and communications. But news reports have also suggested the attackers were able to take advantage of weak cybersecurity practices at SolarWinds, the software company which distributed the malware-laced update to its broad customer base. The update server’s password was “solarwinds123,” a security researcher told Reuters.
That led to a question during the event Auburn University’s McCrary Institute hosted Tuesday of whether the government should require tougher standards for the software industry.
“Tougher standards on the software companies? Absolutely,” Melissa Hathaway, a cybersecurity adviser to Presidents George W. Bush and Barack Obama, said. “To have ‘solarwinds123’ on the development software and on the enterprise was, is, irresponsible if not negligent. While they’re working with customers, I don’t actually see them owning the responsibility of how much risk they brought to so many different enterprises. We have to hold all of the software companies to a higher standard.”
At the end of 2018, Congress passed legislation to implement the Federal Acquisition Security Council. The body would be able to recommend exclusion and removal orders to protect the federal government’s supply chain from compromise. It will rely on technical expertise from a task force to be established at the Cybersecurity and Infrastructure Security Agency.
CISA already has an information and communications technology supply chain risk management task force. Two-thirds of its leading members are from industry, which has pushed for the current task force to act in the advising capacity to the FASC.
On Dec. 17, CISA released a summary of the task force’s work over the last two years and teased working group reports that would be published “in coming weeks” with criteria for evaluating supply chain threats based on different scenarios and recommendations for using qualified bidder and manufacturer lists. The work is based on voluntary standards already developed by the National Institute of Standards and Technology and those of a few other government agencies, and creates flexibility, outlining different categories of threats, according to the summary.
“We have the standards published, we hold defense contractors and others to those standards,” Hathaway said. “So absolutely, [third party companies] shouldn’t actually be allowed to be in the core of some of these government agencies without having gone through some due diligence on the software.”
Hathaway also highlighted implications for cloud service providers, noting Microsoft’s position in the breaches.
“Microsoft is part of this problem,” she said, “because it was Microsoft Office 365 and Microsoft cloud that’s enabled, really kind of the launch point and when you look at how many enterprises around the world use Microsoft, you see this huge risk transfer that’s happening. The adversary is there and the adversary is going to be persistent and your Active Directory is most likely poisoned, you’re going to have people in your company that don’t really exist in your company and so there’s going to be a persistent presence for a very long time until you can rebuild.”
Hathaway said Europe has already moved to hold cloud service providers to a higher standard as part of its network information security directive and advocated treating cloud platforms as critical infrastructure “because when they go down, we all go down,” she said.