Chris Krebs, Alex Stamos join SolarWinds for hack cleanup

Dive Brief:

SolarWinds tapped Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency (CISA), and Alex Stamos, former Facebook and Yahoo security chief, as independent consultants to work together on hack response, the company said in a statement. Financial Times first reported the news Thursday.
The SolarWinds hack "has been a multiyear effort by one of the very best, the most sophisticated intelligence operations in the world," Krebs told the Times. Krebs anticipates more compromised companies to be named.
Krebs and Stamos launched a cybersecurity consultancy firm, Krebs Stamos Group. The website for the group launched Thursday. Stamos is currently a professor at Stanford University, and joined Zoom's CISO Council last year, reporting directly to the company's CEO Eric Yuan.

Dive Insight:

The two security leaders are outspoken and have a reputation for reliability within the information security community. The newly-formed group says the began the business venture to offer more light on the underbelly of cybersecurity.

The duo caught SolarWinds' attention. "Armed with what we have learned of this attack, we are also reflecting on our own security practices and seeking opportunities to enhance our posture and policies. We have brought in the expertise of Chris Krebs and Alex Stamos to assist in this review and provide best-in-class guidance on our journey to evolve into an industry leading secure software development company," a SolarWinds spokesperson said in an email.

Krebs worked for Microsoft before joining CISA. He was terminated by President Donald Trump in the weeks following the election after defending the election's security and integrity. His departure left a hole in the federal government's pseudo cybersecurity coordinating agency.

While Krebs said the SolarWinds hack cannot and did not impact voting, citing a paper trail, he also acknowledged the compromise took place while he was still CISA's director, speaking during a television interview in December. "You've got to start from a position of accepting what happened before you can really fix it," he said.

The supply chain threat of SolarWinds compromise revealed in December is growing by the day, with SolarWinds' vendor JetBrains reportedly under investigation. The company is the latest technology vendor in the supply chain possibly used as a conduit for a larger breach.

The Cyberspace Solarium Commission (CSC) suggested the federal government assess the country's information and communications technology (ICT) supply chain given its ever-growing interdependence. "The strategy should be formed in coordination with trusted partners and allies," the CSC report said.

In the first week of the SolarWinds fallout, Stamos tweeted that if supply chain attacks become more commonplace, "deterrence is less effective."

"I don't think we can realistically stop these attacks," but organizations could "raise the difficulty of each step" adversaries take, Stamos said.

Supply chain attacks grant bad actors the opportunity to subtly hide in a supply chain for widespread access. "Assuming that this access was created only for espionage purposes, I think it is difficult to argue that that is out of the lines that have been created that have been drawn in the past," Stamos said during a podcast Wednesday.

At this point, afflicted organizations don't know how deep the destruction goes beyond initial payloads. While Stamos is hesitant to call the hack an "act of war," the intrusion is one "you do not want your adversaries to have" in light of real conflict.

The idea fits squarely into a Defense Department's Cyber Strategy concept of defending forward, which was further promoted by the CSC. Defending forward is "reimagined as a key element of layered cyber deterrence" and "comprises the proactive and integrated employment of all of the instruments of power," according to the CSC report. The defense method falls short of "armed conflict."