The Senate on Tuesday will hold a hearing investigating the SolarWinds hacks. SolarWinds is a massive IT company that contracted with the federal government. Its ubiquity let hackers get into at least nine federal agencies, including the departments of — just to pick three of the scariest options — Defense, Homeland Security and Treasury.
The breach is what’s known as a supply chain hack. They’re increasingly common because it’s hard for companies and governments to verify the security of every company they work with. But experts say it’s time to create some disincentives for not doing that homework. I spoke with Camille Stewart, a cyber-fellow at Harvard’s Belfer Center. The following is an edited transcript of our conversation.
Camille Stewart: As more things like this happen and people demand of their providers to understand how they can better protect the user, that will drive companies to better understand their supply chain. But quite frankly, we need to impose some requirements or restrictions on our broader supply chain, so that even as companies do so there can be some uniformity in our understanding of our supply chain.
Molly Wood: When you say “we,” do you mean federal regulators?
Stewart: Federal regulators. This is an opportunity for the government to step in and make some demands of critical infrastructure in particular, because we really need to make sure that there [is] some transparency around their supply chain. But even just writ large, technology underpins so much. And as we can see, with a breach like SolarWinds, when a company that spans the federal space, the private-sector space — they’re even in cybersecurity companies — is infiltrated or a cyber-operation is conducted on them, the reach is so broad. And so there is a real opportunity here for the government to step in and close the gap.
Wood: What might these regulations look like? For example, now in the financial network, credit card processors have to go through a pretty rigorous set of tests. Is that the kind of thing that you’re envisioning around regulation, the idea that there really need to be stress tests, if you’re promising a certain level of cybersecurity?
Stewart: I actually want to go even more fundamental and promote transparency around the supply chain. And that can be piloted with government contractors. We have heard a lot of talk from [the National Institute of Standards and Technology] and some other organizations around a software bill of materials, which would just outline where each piece of the software came from. And that level of transparency would mean that when there is a vulnerability detected, when a cyber-operation is conducted, we can identify what might be impacted a lot quicker, which increases the resilience of an organization. The same can be done for the hardware side of things. And piloting in the federal government drives the market. We’ll get an understanding of the impact on the bottom line for our companies, and then we can build out a liability system that supports that disincentivization that we were talking about.
But that transparency piece is a fundamental part of understanding what our supply chain actually looks like and equipping companies to remediate challenges as they arise, because that is a big part of the challenge. Also, there are some funding opportunities to spur innovation in the U.S. that can create new vendors, where companies have more choice in the market about where they are getting the pieces. If companies in certain places, whether that’s the U.S. or otherwise, have done the work to have transparent supply chains themselves, then maybe that’s a vendor that you want to engage with more. And then, how do we respond to these things? How is [the Cybersecurity and Infrastructure Security Agency] equipped to extract all the lessons learned from a breach like this and use that to feed both the federal operation but also the private sector, so we can all learn from a breach like SolarWinds?
Wood: I was going to ask you about that competition piece because it sounds like SolarWinds, for example, is a company that is in wide use. Is there a competition aspect to this? Is that what you’re saying, that there need to be enough companies to choose from that there is, in fact, a market consequence if you screw up?
Stewart: Yes, especially from a components-of-hardware perspective. So yes, SolarWinds needs tools that give us visibility into our networks and facilitate cybersecurity. But also, in the component parts, we are purchasing the cheapest materials, or the very few chips and other components that plug into the thing that we’re trying to make. And if we funded more of these small business programs, and research incentive programs out of the Department of Homeland Security and other entities, we could spark more innovation in those spaces domestically, and start with requirements that they are transparent about every software component and every hardware component in a way that would allow for international partners and domestic partners to push the market towards this kind of transparency, because they would. We’re all dealing with this challenge. Allies, international counterparts in general, are all thinking about how to build resilience in their supply chain and how that affects their critical infrastructure and their federal systems.
Wood: I can understand that small companies may have less bandwidth to do this. But would regulation let bigger companies off the hook in some way? Shouldn’t it just be their responsibility, their fiduciary duty to make sure that their supply chains and their entire ecosystems are secure?
Stewart: It is, and I imagine that there are some that do. And taking on that responsibility more and more, I would imagine that there are companies whose response to SolarWinds, whose response to Target and Home Depot and some of the other breaches that have happened over time, is to invest in these areas. But the lack of consistency and the lack of options mean that they can only go so far, and that we can’t guarantee that they’re going far enough, even if the room is there. So the regulation and the incentivization through federal means allows us to have a baseline that we can all rely on.
Wood: Do you expect any regulation to come from this, especially with the new administration?
Stewart: They are saying we can expect some kind of response within weeks that will span defense and resilience options and maybe some kind of offensive response. I wholeheartedly expect that there will be some push in this space to do more; whether that is limited to federal contractors or something more broad, whether that is voluntary versus an actual requirement, remains to be seen. But I definitely think that we’ll make a push towards supply chain transparency and resilience as a response.
Related links: More insight from Molly Wood
Stewart wrote an opinion piece not long after the hack was disclosed back in December. She said security supply chains and cybersecurity overall need to become a “whole of society” effort, not just a “whole of government” one, even though she believes that’s clearly the place to start. And she likens the lack of a national strategy to what happened when there was no national strategy for COVID-19: devastation far beyond what is tolerable.
Also, even though we keep calling this the SolarWinds attack, The Wall Street Journal reported last month that in fact something like a third of the companies and agencies breached actually had no connection to the IT firm, meaning it’s likely that other companies along the supply chain were also points of weakness.
One outcome of that attack, and the increase in ransomware attacks on businesses and even hospitals, is that earlier this month the state of New York sent a letter to insurance companies with a first-in-the-nation framework for managing the risk of cybersecurity claims. The recommendations, among other things, instruct insurance companies to establish a specific strategy around cybersecurity risk, get some cybersecurity expertise and evaluate whether their exposure to cybersecurity-related insurance claims is a systemic risk to their business.
Claims related to hacks and ransomware attacks have reached well into the billions in recent years. 2017’s NotPetya attack, Russian malware that hit businesses around the world, resulted in $3 billion in insurance claims. New York’s Department of Financial Services suggested that costs related to the SolarWinds hack could be “substantial.”