It has been 20 years since Dan Erwin’s famous quote that “The best way to get management excited about a disaster plan is to burn down the building across the street.” Federal Inspectors General must feel at least a little of that frustration after the elaborate compromise of SolarWinds’ Orion software.
While the fallout of this attack is far from over (in fact, the intrusion itself is likely still under way), it comes after years of Inspectors General warning of security shortcomings in federal networks. Last year, the Department of Defense IG identified roughly $32 million in purchases of commercial IT products with known security risks. Last month, the State Department’s OIG found “pervasive” problems with workstation audits in offices around the world: they were under-documented, incomplete or not done at all.
Most distressingly, the Office of Personnel Management went for years without a workable plan to address the IT shortcomings exposed by the 2015 theft of its personnel records. In October, that agency’s Inspector General released an annual report praising current leadership for finally building a detailed plan that could close those gaps.
A New (And Scary) Approach
The SolarWinds hack, however, likely would not have been stopped by fixing any of these shortcomings. It did not exploit known software flaws, leaky workstations, too many overlapping systems of record or any other catalogued vulnerability. Instead, the attackers, attributed to Russia, went after one of the most trusted pieces of software on the planet (SolarWinds reports that Orion is used by most of the Fortune 500) and spent what was likely millions of dollars compromising the process that builds and distributes its updates.
By planting a backdoor in an Orion update that was built and signed by SolarWinds and distributed from SolarWinds’ own servers, the attackers obtained a foothold in as many as 18,000 organizations that installed it. Because the update carried SolarWinds’ legitimate code signature, the usual integrity checks raised no alarm; the software was doing exactly what its vendor had shipped. So far, the attackers are thought to have actually used the backdoor in only a small fraction of those organizations. Unfortunately, that fraction includes federal agencies holding enormous amounts of sensitive information. Even worse, data stolen from large technology companies may give the attackers insight into how to design similar attacks in the future; Microsoft and Cisco have both acknowledged that parts of their networks were compromised as part of the campaign.
By executing the attack, the hackers have done more than steal sensitive data. They have sown mistrust in widely used, highly trusted software, making the effort to secure networks seem nearly futile. If federal agencies cannot even avoid buying hardware and software with known vulnerabilities, how can they hope to validate the security of every product on the network?
The Beginning of a New Paradigm?
The nation has endured data exfiltration before without adequately addressing the root causes of its security failures. The scope of this attack, however, may lead to major changes. Congress is already working out its response, and the incoming administration will no doubt have input as well.
There is no way to overhaul agency networks en masse; they are far too complex, and the expense would be staggering. Going forward, though, laws or regulations not yet written may require more scrutiny of technology purchases.
Commercial products may no longer be trusted simply because a multi-billion-dollar company makes them. Instead, vendors may have to demonstrate that their security processes, including how they build, sign and distribute software, are adequate to ensure the security of their products.
Whatever the new approach is, Inspectors General offices will certainly be part of it. They are already some of the most vocal advocates for agencies modernizing their networks and merging dozens of outdated systems into something agency IT officials can actually manage. Soon, they may also be auditing whether software that has broad, privileged access to agency networks, as network management tools like Orion do, has been properly vetted before it is deployed.
If this materializes, IG offices may need to retain staff with technical skills, talent that is hard to acquire. Alternatively, the cost of hiring outside firms to analyze the security of agency networks may rise as the breadth of that analysis grows.
Expanded auditing of network security is also likely to heighten conflict with some agency executives. IT modernization is an incredibly difficult challenge at large agencies, and negative findings about technology or security can mean bad press and uncomfortable hearings on the Hill.
As for Congress, Senators and Representatives have always been happy to receive updates on agency technology from IG offices, and they have certainly been willing to berate agency leadership for inaction. After this hack, they may also be more willing to fund the fixes, and to push for the removal of agency executives who cannot get the job done.
To learn how CMTS can help your investigative agency close cases more efficiently, call us at 855-667-8877 or email us at Team_CMTS@securecasemanagement.com.