
Week 7 Studio: SolarWinds

For this week, we will be looking carefully at the SolarWinds attack. SolarWinds was a company that made software that monitors networks and helps companies manage their networks. Lots of other companies and government agencies, including Microsoft, Intel, and Cisco, as well as the US Department of the Treasury, the Department of Justice, and the Pentagon, used SolarWinds software to monitor and manage their networks.

This is what is known as a “supply chain attack”: the attackers compromised a piece of software “upstream” in the supply chain; that compromised software was then sold to the actual targets, which allowed those targets to be compromised. It is one of the first big supply chain attacks, and probably one of the biggest and scariest cyberattacks the US has seen.

The US Government Accountability Office has a short overview of the attack with a very useful infographic: https://www.gao.gov/blog/solarwinds-cyberattack-demands-significant-federal-and-private-sector-response-infographic

Lots of places have written up descriptions of what happened. For this week, I recommend reading a good long-ish article from NPR: https://www.npr.org/2021/04/16/985439655/a-worst-nightmare-cyberattack-the-untold-story-of-the-solarwinds-hack

Understanding the Case

You have been analyzing cybersecurity cases for 7 weeks now. You are getting much better at analyzing them. Let’s begin in our normal way: by making a list of actors and motivations. You’ve read through the case report from NPR. Open up the article again, and go through it to figure out who the relevant actors are. We’ve got the attackers (hackers), the victim, the multiple companies that tried to respond, additional defenders, etc. Fill out an actors and motivations worksheet for each of them to try to think through who was doing what, and why they did what they did.

You’ll notice a couple of things about this case:

  1. We know surprisingly little about the attackers. The US government has confidently asserted that it was the Russians that did this. But even the other cybersecurity experts aren’t confirming that. We also don’t know much about their motivations, and many of the companies/organizations that were attacked aren’t saying what happened in detail. This means that we are also going to have a hard time even guessing at motivations. Do the best you can to make a guess.
  2. There were a LOT of incident responders. Most of the NPR article – and most other news coverage of the incident – talks about the incident responders who detected parts of the attack and/or worked together to figure out what happened and notify everyone who needed to be notified. Look closely and try to identify their motivations: WHY did they make the choices that they did – to notify people, who to notify, when not to notify people, etc. The NPR article has quotes from most of them that can be used to try to understand incident responder motivations.
  3. While SolarWinds was clearly a target of the attack (victim/defender), there were many other targets and victims, and we don’t actually know much about them. The NPR article has very little information about what happened to those victims, what was compromised or stolen, and how they handled the attacks. The victims in this case are keeping pretty quiet about the whole thing. Identify the ones you can, but don’t spend a lot of time on it.

Three Policy Changes

The US government and US cybersecurity industry’s reaction to this incident is interesting. In some respects, this was a success: private industry successfully detected an extremely complex and sophisticated intrusion, and worked together across public-private partnerships to address the intrusion quickly. Some people saw this as a success of the US strategy of relying on private companies to work in the public interest to help protect our infrastructure.

But most people in the government and in industry viewed this as a giant disaster. The incident revealed a major type of vulnerability that the US was unprepared to deal with: supply chain attacks. Companies and government agencies rely on the major companies that they buy software from to provide software that is secure and safe to use. Those companies buy parts for their software from other companies, and so on – the “supply chain” of software is surprisingly long. And a compromise anywhere in that supply chain can be used to compromise everyone downstream.

It also revealed that the US government was completely unprepared to deal with an attack of this scope and sophistication. Almost all of the important work was done by private companies, not government agencies. Those companies kept a lot of information secret, which prevented people in the government from knowing and understanding the full extent of the attack.

As a result of SolarWinds, the US government became VERY interested in creating new policies to try to help the US better handle sophisticated cyberattacks like this. There are at least three major policies that are now in place directly because of the SolarWinds attack. They are listed below. All of them were enacted hastily after SolarWinds, without a lot of careful thought and debate. Two of them were done by executive order of the President, and two were done by government agencies (NTIA, SEC). None of them had extensive periods of public comment and consideration, and none have yet been formally approved by Congress or tested in the courts. We also haven’t had an attack like SolarWinds again yet, so we don’t know whether these policies are actually helping or not.

Your goal for today is to try to analyze one or more of these policies: try to understand what the policy is, what problem it is trying to solve, and why it might or might not work. I want you to discuss the policy with your group members. At the end of class, you will have an opportunity to describe the policy to the class, why it is supposed to work, and whether you think it will help or not.

To help you think through the policy, consider filling out a Policy Worksheet. This worksheet helps you think through the policy, identify some of the relevant aspects of the situation, and better understand what is going on here.

The three policy proposals:

Policy #1: SBOM: The Software Bill of Materials

Any computer software purchased by the US Government needs to come with a “Software Bill of Materials”: an explicit and accurate list of all 3rd-party software components contained in or bundled with that program. So, if you are SolarWinds and you sell your Orion software to the US Government, you have to provide a list of all software/libraries that are included inside Orion, including version numbers. That way, if one of those libraries has a bug, vulnerability, or compromise, then (at least in theory) we can check all of the software the US government has, and determine whether it might also be affected.
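To make the mechanism concrete, here is an added example (not part of the original studio page, and not SolarWinds’ or NTIA’s code) of the check the paragraph describes: a small script that reads a CycloneDX-style SBOM, walks every component, including components bundled inside other components, and reports which ones fall inside the version ranges listed in a vulnerability advisory feed. The product name, component names, versions and advisory identifiers are all constructed for illustration, and the `>=low,<high` range syntax is an assumption of this example rather than a real feed format.

```python
import json

# Constructed CycloneDX-style SBOM for a hypothetical product "ExampleMonitor".
# Field names (bomFormat, specVersion, metadata.component, components) follow
# CycloneDX; every name and version below is made up for this example.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "ExampleMonitor", "version": "2020.2.1"}},
  "components": [
    {"name": "netlib",    "version": "1.4.2", "type": "library"},
    {"name": "jsonparse", "version": "3.0.9", "type": "library",
     "components": [
       {"name": "utf8util", "version": "0.9.1", "type": "library"}
     ]},
    {"name": "tlsframe",  "version": "2.1.0", "type": "library"}
  ]
}
"""

# Constructed advisory feed (hypothetical IDs, not real CVEs). "affected" is a
# comma-separated list of version clauses that must all hold, e.g. ">=1.4.0,<1.4.5".
ADVISORIES = [
    {"id": "EXAMPLE-ADV-001", "component": "netlib",   "affected": ">=1.4.0,<1.4.5"},
    {"id": "EXAMPLE-ADV-002", "component": "utf8util", "affected": "<1.0.0"},
    {"id": "EXAMPLE-ADV-003", "component": "tlsframe", "affected": ">=3.0.0"},
]

OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    ">":  lambda a, b: a > b,
    "<":  lambda a, b: a < b,
}


def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def version_matches(version, spec):
    """True when `version` satisfies every clause of `spec` (e.g. '>=1.4.0,<1.4.5')."""
    v = parse_version(version)
    for clause in spec.split(","):
        clause = clause.strip()
        for op in OPS:  # two-character operators are listed first, so '>=' wins over '>'
            if clause.startswith(op):
                if not OPS[op](v, parse_version(clause[len(op):])):
                    return False
                break
        else:
            raise ValueError(f"unrecognised version clause: {clause!r}")
    return True


def walk_components(components, path=()):
    """Yield (component, path) for every component, recursing into nested ones."""
    for comp in components:
        here = path + (f"{comp['name']}@{comp['version']}",)
        yield comp, here
        yield from walk_components(comp.get("components", []), here)


def find_affected(sbom_json, advisories):
    """Return the list of SBOM components that fall inside an advisory's affected range."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp, path in walk_components(sbom.get("components", [])):
        for adv in advisories:
            if adv["component"] == comp["name"] and version_matches(comp["version"], adv["affected"]):
                hits.append({
                    "advisory": adv["id"],
                    "component": comp["name"],
                    "version": comp["version"],
                    "path": " -> ".join(path),  # shows where the component is bundled
                })
    return hits


if __name__ == "__main__":
    for hit in find_affected(SBOM_JSON, ADVISORIES):
        print(f"{hit['advisory']}: {hit['component']} {hit['version']} via {hit['path']}")
```

Run as-is, the script flags `netlib` 1.4.2 and the nested `utf8util` 0.9.1, and correctly leaves `tlsframe` 2.1.0 alone because it is below the advisory’s range. The nested hit is the point of the exercise: without the SBOM, a buyer would only see `jsonparse` and would have no way of knowing that a vulnerable `utf8util` rides along inside it.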

The National Telecommunications and Information Administration (NTIA) coordinated a multi-agency process to create this policy, which is currently in effect. They have an “at-a-glance” overview here, and a page with LOTS of details here.

Policy #2: CSRB: The Cyber Safety Review Board

Whenever there is a major airplane or car accident, the US government has a group called the “National Transportation Safety Board” (NTSB) that investigates the accident and issues a report that explains what happened, why it happened, and what the country should do differently to prevent similar accidents from happening. This board is an important part of why air travel is so safe, and much safer than 50 years ago.

The US Government recently created a new group called the “Cyber Safety Review Board” (CSRB), modeled after the NTSB. Whenever there is a major cyber incident in the US – either against the US government or against private companies in the US – the CSRB has the authority to investigate the incident and issue reports.

This board was created by an Executive Order of President Biden and is part of CISA, the Cybersecurity and Infrastructure Security Agency. CISA has a webpage about the CSRB with a lot of information. So far, the CSRB has reviewed 3 incidents, which are summarized in the FAQ. The FAQ also includes a lot of good information about what the CSRB can and cannot do (e.g. it relies on voluntary participation, and does not have subpoena authority).

Policy #3: SEC Disclosure Rules

The US Securities and Exchange Commission (SEC) recently created a new rule for private companies. That rule requires all companies to disclose “material” security breaches – those sufficiently important to affect the stock price – within a short time period (4 business days). We heard about this rule earlier in the semester, when a ransomware gang reported one of their victims to the SEC for not reporting their breach.

In theory, the SEC already had a general rule like this. It required companies to disclose major risks to their business, and also to disclose when one of those risks actually happened. Almost all companies included some form of boilerplate “we might get cyber attacked” in their list of disclosed risks. After this incident, the SEC sued SolarWinds and claimed that this boilerplate disclosure was not sufficient to help investors understand the risk to the company. Interestingly, they sued not just the company, but also the Chief Information Security Officer (CISO) personally.

This rule is intended to force companies to know more about whether they are being attacked, and to reveal any knowledge they have of specific attacks in a timely manner. The SEC argues that SolarWinds had some knowledge that something was weird months before the attack actually became public, and that such a rule would have forced SolarWinds to investigate sooner and to disclose the breach sooner.