An evolving cyberthreat landscape leaves companies regularly defending against nation-state actors. Mistakes could make technology vendors the poster child for the fallout of supply chain cyberattacks, as was seen with SolarWinds.
"It's hard not to stare in the immediate past at SolarWinds and say, you know, this is a crisis," said Chris Inglis, commissioner of the Cyberspace Solarium Commission (CSC), professor of Cyber Studies at the U.S. Naval Academy, and former deputy director of the National Security Agency, during a webcast by The German Marshall Fund of the U.S. in January.
But the SolarWinds hack was a thunderstorm in the middle of a larger threat: the slow burn of a cyber climate change. Economic and technological climate change "is what we've seen in terms of our competition and unfair competition with China," said Inglis.
Physical technology or infrastructure supplies outsourced from overseas are subject to scrutiny, with an understanding they could be laced with "mischief," said Inglis. But the supply chain — whether it's domestic or foreign — is more digital and customers have limited abilities to assess vendor code.
Geopolitics are playing a role in how the private sector purchases technology, influencing which onshore and offshore vendors companies decide to trust. Complicating their decisions is a historical reluctance to share threat information between the public and private sectors.
While the SolarWinds hack has accelerated public-private information sharing, the coordination was a reaction to the fallout. As more tech companies disclose compromises of their own, the SolarWinds attack proves how easily supply chain trust can break.
SolarWinds Orion customers likely fell into a false sense of security, as many security customers do with name-brand solutions, said David "Moose" Wolpoff, CTO and co-founder of Randori. They "mentally bucketed in this category of things that keep me safe … People never question, 'What happens when the thing that keeps me safe is the thing that the hackers breached?'"
There are potentially 18,000 SolarWinds Orion customers sitting with suspected Russian activity on their systems. It's unlikely all those customers have the means to combat such an adversary.
"Would we ever expect SolarWinds to defend their headquarters against the Russian military? Of course not," said Grady Summers, EVP of Solutions and Technology at SailPoint. "We tend to rush to victim-blaming in cybersecurity in a way that we would never victim blame in the physical world."
An optimal target
Vendors at the heart of supply chain breaches will likely deal with the fallout of opportunity costs, including lower productivity, reduced research and development (R&D) spending, risk-averse behavior and increased cyberdefense spending, according to McAfee.
In reaction to cyber incidents, 39% of victim companies increase their cybersecurity budget. Whether proactive or reactive, companies grew the cybersecurity market to $145 billion in 2020, compared to $113 billion in 2015, according to McAfee.
Companies strapped for security funding are more likely to outsource security than develop it in-house.
Outsourcing is fine and to be expected, but companies cannot view proprietary vendor code, and they should not take outsourced resources at face value, said Drew Daniels, CIO and CISO at Druva. Companies can rely on static and dynamic analysis, and on strong governance for spot testing and population sampling, but there's no one-size-fits-all governance strategy across industries.
Vendors have to perform threat modeling within their software development life cycle (SDLC) process. Each layer of a product will have its own security challenges, and it's up to the developers to uncover them before a bad actor does, and certainly before a customer finds them first.
Because companies commoditized much of their supply chain, "we're now reaping the wind in terms of the dependence we have on sources that might not strategically or tactically be trustworthy," said Inglis. The U.S.'s dependence on outsourcing struck a chord with the CSC.
"In the absence of strategy, nothing can be strategic," Inglis said.
Identifying supply chain threats can feel like a free-for-all. There are resources for guidance, including from the National Counterintelligence & Security Center and the Cybersecurity & Infrastructure Security Agency (CISA), but there is no consolidated guidance telling companies which threats take precedence.
While the CSC is establishing guidelines for developers in terms of a digital risk impact assessment of vendors, it also wants to provide companies with a "whitelist or blacklist" of where money is allowed to be spent, said Robert Morgus, senior director of the CSC, during the webcast.
After this analysis, and "those supply chains are set in motion, you can't assume that they defend themselves, you need to actually defend them," said Inglis. "I think that's the principal failure that we're observing in SolarWinds."
The Orion update design wasn't "inherently flawed," he said. But the supply chain SolarWinds uses for software delivery is similar to that of other tech giants, which is where the fundamental design flaw might actually exist. The compromise is testing the ability of organizations to defend against a supply chain flaw.