Here are some of the top reasons why the SolarWinds-enabled data breach against the federal government should be concerning. In short, this breach is very, very bad. I don't think there's a single infosec person who is optimistic about this in any way. Here we go:
1. We know that one of the first entities affected by the SolarWinds vulnerability was FireEye. FireEye is a company that's considered at the very top of infosec. The tools that FireEye uses to probe its clients' defenses have likely been compromised. This is very bad.
2. To date, the federal government departments that were hacked include the DHS, Commerce, Treasury, Agriculture. There are many more that we may not know of, maybe ever. Out of 300,000 SolarWinds users, 18,000 ran the vulnerable version. This is very bad.
3. Hackers were able to gain access to sensitive information by compromising Orion, the platform that provides software updates to SolarWinds' products. Unwitting users were prompted to update their software, an update which contained malicious code...
4. which enabled the intruders to exfiltrate massive volumes of data. In cybersecurity, updating and patching software is among the most important steps an organization can take to protect itself from intrusions. This malicious update could undermine trust in software updates.
5. This is an example of how one's cybersecurity posture is as strong as its weakest link. No matter how strong your defenses are, if you have a vulnerability *anywhere*, then you're exposed.
8. What about the law? Surely, the DOJ could always pursue the individuals responsible with indictments. It would be virtually impossible to apprehend these individuals given no extradition treaty with Russia.
9. International law may not have anything better to offer. The U.S. maintains that cyber operations only violate sovereignty if there's physical harm, and that espionage is not per se illegal. The U.S. itself engages in similar activities in cyberspace.
10. We really need to conceptualize data harm in both domestic and international law. Clearly, the value of physical items pales in comparison to sensitive data. Physical destruction rarely seems to be the goal of cyber operations. The law's obsession with physicality is outdated.
11. Many were concerned about the OPM Breach. The SolarWinds breach is OPM times 10,000. The reason why this keeps happening is because of what @amatwyshyn called "reciprocal security vulnerability."
12. Reciprocal security vulnerability is the reality whereby vulnerabilities in private sector products (like SolarWinds) cause harm to the public sector. If we want to take information security seriously, we need to protect both the private and the public sectors.
13. Concrete policy solutions to the reciprocal security vulnerability can be found in Matwyshyn's "Cyber Harder," link below: https://www.bu.edu/jostl/files/2018/10/Matwyshyn-Macroed-9.11.18.pdf
14. Microsoft recently responded to the SolarWinds vulnerability by revoking the digital certificate of the malicious SolarWinds update. This would only apply to systems that run Windows. Microsoft has been mitigating such vulnerabilities over the years.
15. On the one hand, this is good. Having a powerful, dynamic tech corporation that also happens to control one of the most popular operating systems around the world is great, especially in time-sensitive crises such as the one we're facing with SolarWinds.
16. On the other hand, giving Microsoft too much power and little to no accountability could be problematic. @K_Eichensehr laid out some of these concerns in "Public-Private Cybersecurity" which I highly recommend. https://texaslawreview.org/wp-content/uploads/2017/03/Eichensehr.pdf
17. All in all, the consequences of the SolarWinds vulnerability will be felt for years. We're in for a bumpy ride, and it's not going to be pretty.
You can follow @idokilovaty.