U.S., Companies 'Absolutely Not' Prepared for Nation-State Cyberattacks
Businesses and the Fed aren't even ready for unsophisticated attacks.
![Nation-State Cyberattack Nation-State Cyberattack](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/bltcd6beae30c4b1a13/652450c6ab64d43fadcd3640/Nation-State-Cyberattack.jpg?width=700&auto=webp&quality=80&disable=upscale)
Shutterstock
Booz Allen’s Jerry Bessette said attackers like the ones that hacked SolarWinds do what’s called “low and slow.”
“In this case, it’s such a sophisticated attack,” he said. “The malware, the backdoor, was embedded into the code of the update that clients went to download. And once that update was downloaded, the malware was designed to just sit quiet for two weeks and then after two weeks, it would call home. And once it called home, they would download additional access, additional malware, that was designed to embed itself into the memory and not make tracks on the network.”
Once on the network, they would compromise someone’s credentials, Bessette said.
“And the Orion software is designed to monitor network traffic, so the malware would disguise itself as normal network, and constantly move back and forth,” he said. “And then once on the network, they would harvest credentials and try to act like someone within that individual organization as they moved around. So a very, very sophisticated adversary. They didn’t rush. They took their time, waited and used very sophisticated tools that were designed to circumvent and look for standard security procedures.”
Unless someone was employing a multifaceted, defense-in-depth approach, they wouldn’t have uncovered this, Bessette said.
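The “call home” behaviour Bessette describes (sit quiet, then check in on a schedule and blend into routine traffic) is one of the few traces a low-and-slow implant leaves in a defender’s own telemetry. The script below is an added example, not code from the article, the panel or any vendor named on this page: it scans constructed proxy-style log lines (hypothetical hosts and domains, not real indicators) and flags source/destination pairs whose connection intervals are nearly constant, which is how scheduled beaconing looks next to bursty human browsing. The `parse_log` and `detect_beacons` names, the log format and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log for the example (hypothetical hosts and domains, not
# real indicators). Format per line: ISO timestamp,source host,destination host.
# ws-17 -> c2.example.test checks in roughly hourly with a few seconds of jitter;
# ws-17 -> www.news.test is bursty browsing; ws-42 has too few events to judge.
SAMPLE_LOG = """\
2021-03-01T08:00:00,ws-17,c2.example.test
2021-03-01T08:12:00,ws-17,www.news.test
2021-03-01T08:13:30,ws-17,www.news.test
2021-03-01T09:00:00,ws-17,c2.example.test
2021-03-01T09:59:50,ws-17,c2.example.test
2021-03-01T10:40:00,ws-17,www.news.test
2021-03-01T10:40:20,ws-17,www.news.test
2021-03-01T11:00:02,ws-17,c2.example.test
2021-03-01T12:00:00,ws-17,c2.example.test
2021-03-01T12:30:00,ws-42,updates.vendor.test
2021-03-01T13:00:05,ws-17,c2.example.test
2021-03-01T14:00:06,ws-17,c2.example.test
2021-03-01T15:05:00,ws-17,www.news.test
2021-03-01T16:30:00,ws-42,updates.vendor.test
"""


def parse_log(text):
    """Parse 'timestamp,src,dst' lines into (datetime, src, dst) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst = line.split(",")
        events.append((datetime.fromisoformat(ts), src, dst))
    return events


def detect_beacons(events, min_count=5, max_cv=0.1):
    """Flag (src, dst) pairs whose gaps between connections are nearly constant.

    cv is the coefficient of variation (population stdev / mean) of the gaps
    between consecutive connections. Enough connections with a low cv is the
    signature of a scheduled call-home; human-driven traffic is bursty and
    scores far higher. Returns {(src, dst): {"count", "mean_interval", "cv"}}.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)

    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_count:  # too few observations to call it periodic
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:  # duplicate timestamps only; nothing to measure
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged[pair] = {"count": len(times), "mean_interval": avg, "cv": cv}
    return flagged


if __name__ == "__main__":
    for (src, dst), info in detect_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {info['count']} connections about every "
              f"{info['mean_interval']:.0f}s (cv={info['cv']:.3f})")
```

Two caveats follow directly from the quotes above. A backdoor that waits two weeks before its first check-in only shows up if log retention and baselining cover that window, so the analysis has to run over weeks of data, not a day. And because the implant hid inside a monitoring product’s own legitimate traffic, a periodicity score on its own is a lead to investigate (compare the destination against what that product is expected to talk to), not a verdict.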
Digital Directors Network’s Robert Zukis said SolarWinds’ boardroom accountability for cyber risk oversight was “very atypical.” That’s because the board’s governance committee was tasked to oversee cybersecurity risk.
“We gleaned all of this from public disclosure information, and as you dig into that, you start to see some interesting anomalies and disparities in how they were approaching this issue,” he said. “For one, that’s not a stated responsibility within the charter.”
Overall, the board was “fairly shallow” when it comes to cybersecurity skills and capabilities, Zukis said.
“If you look at their risk factor disclosures, how they’re understanding risk, they weren’t bad actually,” he said. “They talked about nation-state issues and third parties. They were fairly comprehensive in terms of how we assess these against our framework. But you have to question whether they were, frankly, dialing it in around these issues.”
Based on the actions taken after the breach, “I think it’s an admission on their part that maybe they weren’t doing enough at the governance level to truly do the work of oversight,” Zukis said.
“This is a critical control point,” he said. “You need people in the boardroom that understand these issues. The board has to be organized effectively and you have to understand risk in the right way.”
In terms of communication after the breach was disclosed, Flore Albo’s Kate Fazzini said SolarWinds’ former CEO blaming an intern for the hack was a low point.
“Those of us in the industry know that sort of thing does not fly with the press, it doesn’t fly with the board, shareholders and citizens in general,” she said. “The congressional testimony was fine; it sort of came out with these recommendations that these hearings always come out with, which are we need better cyber hygiene, more public-private partnerships and more information sharing. But I think there are still not a lot of recommendations from Congress that are concrete on how to do that.”
Amazon Web Services (AWS) was called to testify, as a lot of this activity happened on AWS platforms, Fazzini said.
“Regulators are really looking at whether something like a cloud platform represents also one of these systemically important utilities and should be regulated like the Directorate of Defense Trade Controls (DDTC) or similarly,” she said. “So I think out of this, AWS is definitely going to have a target on its back because they’re the biggest. But so many players in the technology space need to be aware that this is the way regulators are thinking.”
The panel also addressed the Biden administration’s recent cybersecurity executive order. Chris Cummiskey, CEO of Cummiskey Strategic Solutions, said it tries to build on an apolitical framework of taking the best practices out there, “things we can all agree on that need to occur,” and putting them in one document to create a framework or at least “start a discussion around what needs to occur.”
One thing it addresses is changing the contracting structure at the federal government.
“One of the things you’ll often find and we certainly found at DHS is that when something like a supply chain attack happens like this, oftentimes the language in there for either reporting requirements or specific things that you want your vendors to do is not written into the contract,” Cummiskey said. “And so as a result, companies are like well, it’s not in there so I’m not doing it.”
In addition, there are a lot of legacy systems running, particularly in the larger federal agencies, and the inability to run zero-trust architecture or advanced vulnerability management detection systems is fairly prolific, he said.
Bessette said information sharing between the public and private sector is extremely important for a number of reasons.
“No. 1, first and foremost, as a former FBI investigator, information sharing is important because typically from one attack we don’t get enough of the bread crumbs to put the pieces together to identify the individuals,” he said. “This year, especially at the beginning of the year, there’ve been several major takedowns of groups … and there’ve been significant indictments of advanced persistent threat (APT) groups over the course of the past several years. And that comes from piecing together the pieces from usually multiple hacks.”
Second, information sharing is important during a breach because the feds want to get that information out to similar businesses and individuals in that industry so they can protect themselves quickly, Bessette said.
The more it can be either mandated or encouraged without repercussions, the “better and more secure we’ll be,” he said.
SolarWinds’ stock dropped to a 52-week low right after news broke of the hack, Fazzini said.
“I’ve done a lot of research into how much of an effect these attacks have on a company’s stock price and valuation, and the truth is it typically does not have much effect,” she said. “Equifax, which has so many shareholder lawsuits, really has recovered and recovered fairly quickly in terms of their stock price. But SolarWinds has kind of stayed at 20%-30% below where they were in December 2020 before this was disclosed.”
SolarWinds might have a “little more legs” because the attack itself was done against something the company considered its most valuable asset, Fazzini said.
“Obviously the market is recognizing that,” she said. “This is their software. This has infected their software update. It is right there within their value proposition.”
Boards and companies need to put the most protection behind the “thing that represents their company,” Fazzini said.
Educating board members on cybersecurity is critical, Zukis said.
“It’s a part of our critical control process,” he said. “You can’t govern what you don’t understand. And I always like to say 100% of boards wished they had taken a better approach to cybersecurity risk oversight 100% of the time after a breach. Just look at what SolarWinds did in terms of adding an attack and cyber committee, and adding people in the boardroom that can spend more time on these issues, and then actually understand these issues. So let them learn from their mistake. Let them be the leading light, and get the right people and the right structure focused on these issues.”
A panel of cybersecurity experts agrees the United States is nowhere near prepared to handle sophisticated nation-state cyberattacks.
The Wednesday panel was moderated by Paul Ferrillo, privacy and cybersecurity partner at Seyfarth. It addressed the SolarWinds hack, the Biden Administration’s cybersecurity executive order, and the upcoming Department of Homeland Security (DHS) cybersecurity regulations for the pipeline industry.
In addition, the panel discussed strategies to increase cyber-risk and systemic-risk communications between the board, C-Suite and IT.
Panelists included:
Jerry Bessette, senior vice president of Booz Allen’s cyber incident response program.
Chris Cummiskey, CEO of Cummiskey Strategic Solutions.
Kate Fazzini, CEO of Flore Albo.
Robert Zukis, CEO of Digital Directors Network.
Cybercriminals at a Clear Advantage with Nation-State Cyberattacks
When asked if companies and the federal government are prepared for nation-state cyberattacks, Bessette said “absolutely not.”
“Networks are still so complicated,” he said. “And there are still so many organizations, including government agencies, that aren’t doing the basics. So we’re just not prepared for the next attack.”
Zukis said “on a scale of one to 10, and 10 being totally prepared, I’d say we’re at about a two, and we’re not going to move that needle until we start to understand systemic risk and how it interacts with cyber risk.”
“Hackers have clearly figured out the system is in and of itself the weak point and they’re exploiting it,” he said. “And unfortunately we’re at ground zero at this point.”
Fazzini said “we are also not prepared for the next unsophisticated attack.”
“If you look at what happened at the Colonial Pipeline, this was not like the SolarWinds attack; it was a ransomware attack,” she said. “And in fact, from everything I understand, the pipeline itself was shut down and all this disruption was caused because the company was confused about what it should do.”