The federal government is stumbling in the dark as it seeks to figure out how deeply its networks were penetrated by a foreign state -- most probably Russia, based on reports and released data thus far, beginning with tainted SolarWinds Orion software. In some ways, the triage which followed the initial discovery is emblematic of the cybersecurity deficiencies it exposed: having failed to properly assess and develop detections and defensive operations that were responsive to the nature and risk of such a widespread attack, the government can’t muster the right mix of people, processes and technology resources to effectively and swiftly re-establish trust in compromised networks, hunt and isolate still present adversaries, and rebuild impacted IT operations.
The government’s repeated attempts at fortification, compliance-driven security programs, and public-private information sharing continue to prove ineffective against the onslaught of new threats. Such measures will forever lag behind both economically and strategically motivated sentient actors who launch such attacks. SolarWinds’ Orion software has already been shown to have been just one of the entry vectors discovered in the ongoing response actions and other security and IT vendors are also coming forward saying that they too were targeted. More vendors will ultimately be compromised - and more paperwork attesting to the seriousness of their security programs will not prevent it.
Data Sharing Isn’t Enough
Security leaders keep telling us -- and themselves -- breaches can be stopped or prevented before they begin. This is a disingenuous mylar security that is offered up in place of hard thinking. It has always been malarkey. Public-private sharing of information, threat intelligence, and more third party risk management data are insufficient and assume a level of visibility and operational maturity. Real progress requires that organizations have sufficient observability of actions on their network to establish some ongoing sense of ground truth.
One such program, EINSTEIN, was supposed to integrate data and detect SolarWinds/Sunburst-style intrusions across Federal agencies as part of DHS. The Army developed a cyber-focused big data platform called Gabriel Nimbus. Other services and agencies drove similar initiatives forward, largely attempting to cobble together various open source technologies and homegrown solutions with armies of traditional government contractors, national laboratories, and consultants in an attempt to replicate more cost-effective, performant and holistically integrated commercial efforts built largely without tax-payer largesse.
Make no mistake: engineering a unified data analytics infrastructure to operate at real scale is hard - especially for cybersecurity where the variety, velocity, volume, and varying veracity of data requires careful attention. But like any arms race, especially one that depends on antiquated government procurement policies, the homegrown capabilities developed continue to lag behind commercial solutions and the architectures behind EINSTEIN, Gabriel Nimbus and other initiatives trailed far behind current best practices by the time any capabilities actually came online and as bespoke solutions, fail to gain benefit from a broader installed base of users.
Beware The Siren Call Of Compliance
The siren call for more compliance and certification efforts, for more written policies about security and its importance, has grown loud following the SolarWinds breach. Armies of consultants are massing for a feeding frenzy to do paperwork, not risk-driven security.
Real security professionals have been more measured - they know that preventing cyberattacks is not a real strategy -- and that such goals can’t be the cornerstone of government efforts. Mitigating actual operational risk by detecting and responding to intrusions more quickly is the best use of tax dollars and engineering mind space. Most organizations, government included, still struggle to understand asset inventories - let us agree to at least count and track the status of machines and digital doppelgängers we employ.
So if the government can neither prevent every attack nor rebuild its infrastructure from scratch, are we doomed to a ceaseless cycle of ever more damaging cyber intrusions? Absolutely not. Developing and maintaining vigilance about authenticating users on the network (whether on-premise or in the cloud), actively using threat hunting capabilities and conducting ongoing operations internally, and ensuring that you have sufficient observability and data fidelity on networks to enable post-event forensics and incident response, will, over time, lead to more consistent and mature defensive operations. Employ the controls before you write the policy; prioritize controls for high-impact scenarios; let selected risk scenarios guide control selections, don’t divert resources away from real defensive operations into more paper-pushing frameworks and compliance standards. Committing to the real work of finding ground truth and grappling with the real-world mess of defending actual networks is the best way forward.
We do need technology to address these challenges at scale, but the first step is to ensure adequate investment in training, education and development of sufficient human capital to win.