The SolarWinds supply chain hack has exposed the brutal reality of the current cybersecurity system, with the WSJ calling it the “cyber equivalent of France’s Maginot Line on the German border in 1940.” Collectively, all the security measures and systems at 250 US government agencies and Fortune 500 companies failed to detect and stop an attack that had been under way since as early as March 2020. While the system may hold the line against small attempts, it completely melts down against an attack this sophisticated. Its failure emboldens the adversaries and serves as a blueprint for the next attack, and the one after that.
In the face of this monumental failure, the demand for action has been met with silence from the cybersecurity industry. No one has come forward with a product or solution that could have stopped this attack or will prevent the next one. Microsoft’s recommendations take a reactive approach: run virus scans to remove the malicious code being exposed during the investigation, shut down connectivity to the IPs the hackers are known to have used, and follow best practices for the many crucial components that the attacker penetrated or evaded, without saying whether any of these actions could have stopped, or even slowed, the attacker from reaching the information it targeted. It identifies no defect in any of the software that was compromised or evaded and provides no fixes, just best practices.
There is a lot of hope riding on the next generation of the “Einstein” network monitoring tool, due in 2023. The problem is that, up to this point, there has been no report of any network monitoring tool, AI-based or traditional rule-based, detecting traces of this attack. It is also not unreasonable to assume that sleeper agents could have been buried deep in the system, which may wake up years later and start the same or an even more advanced attack all over again from a new domain or new IPs. The current system still has no way to fight that.
Encryption has done well at protecting data: SSL and VPNs have a very good track record of stopping data in transit from being stolen, and hardened access controls and encryption for databases have significantly reduced breaches of databases. The real problem, however, lies with the 80% of data that is unstructured: the files and emails left on endpoint devices, servers, and the cloud. This unprotected data thus becomes the primary target of attacks. As Microsoft’s investigation revealed, the SolarWinds attacker “has relied on leveraging minted SAML tokens to access user files/email” and “periodically connects from a server at a VPS provider to access specific users’ emails…the targeted users are key IT and security personnel.”
As these concerns continue to build in the aftermath of the SolarWinds attack, we must rethink the essence of the cybersecurity system. Rather than performing damage control and implementing best practices as a reactive strategy, with no evidence that they will stop the next attack, security systems must take a preventative approach that ensures the security of all data, structured and unstructured, at all times. The best preventative and comprehensive approach to a cybersecurity system is end-to-end file encryption. The attacker would have left almost empty-handed if the files and emails had been encrypted and a separate file-access app had been required to request the content of each file and email, especially if that app logged every access attempt and monitored each user’s access pattern to give early warning. Even if the attackers could evade the access monitor, the app’s hard limit on the number of accesses could have stopped the data loss and sounded the alarm.
This is a crisis that is still unfolding. Are we going to continue to react, or embrace a change that can stop such attacks? The choices made in the next few months will have implications for national security and our economy for a long time to come. After all, this is a digital country run on a digital economy.