SolarWinds Breach: Considerations for Cyberpeace
Emma Raffray and Adrien Ogee, staff members of the CyberPeace Institute, argue that cyberpeace requires that the security, dignity and equity of everyone online prime over any other considerations, most particularly in the midst of a global intrusion campaign.
On 8th December 2020, cybersecurity company FireEye reported they were victims of a cyberattack perpetrated by a highly sophisticated threat actor. The attack led to the theft of the company’s suite of offensive tools used to test the defenses of its clients. The US firm made available counter-measures for all of them, yet these are effectively cyber weapons released in the wild that attackers around the world can now use to perpetrate crime. Defense mechanisms were indeed made available, but these still need to be implemented.
Only five days later, FireEye announced that the attack they suffered originated in a global intrusion campaign made possible via a backdoor in a popular business software worldwide made by a company called SolarWinds. This backdoor was inserted in the software code and pushed via a supposedly secure, trusted updating mechanism. Whilst such attack modus operandi isn’t novel, the scale of this attack casts a shadow on the trust of commonly accepted security mechanisms such as digitally-signed code.
The very reason why software companies sign their products digitally is to ensure that attackers will not be able to lure victims into downloading a malicious version of said software. But if attackers are able to bypass the password on the update servers of these companies, which was as easy as SolarWinds123 in 2019, they can insert their backdoors before the code is digitally signed. The latter security measure provides a false sense of security which allows criminals to penetrate into highly sensitive networks, such as those of government agencies. This is called a supply chain attack, one that leverages weak points in the supply chain and that emphasizes the need for strong security standards and procedures.
Why the SolarWinds attack matters for cyberpeace
The breach of FireEye and subsequent release of offensive tools, along with the supply chain attack on SolarWinds are distinct, albeit connected cases. Yet both have a direct impact on human security, taking into account that the compromised tools may have been, or will be used, to infiltrate numerous organizations for a variety of reasons.
In total, up to 18,000 clients of Orion, the Texas-based firm developing SolarWinds, could be concerned by the vulnerable version of their software. Victims include FireEye but also non-profits, public, private and international organizations in several geographies. The US National Institutes of Health is reported as being targeted, which does not come as a surprise following the heightened threat against US healthcare systems since the start of the pandemic. The US Nuclear Weapons Agency was breached too. These attacks may ultimately impact human life much more directly.
Additionally, the ability of targeted organizations and individuals to defend themselves against cyber operations made possible by these events vary greatly across regions. If government organizations or large corporations may be quick to respond in certain places, the digital divide and equity gap online will be further exacerbated by the unfortunate happenings. Vulnerable communities will be even more vulnerable.
From an accountability standpoint, some interesting questions also arise in relation to the importance of information sharing by private companies, where the information could lead to the prevention, detection and investigation of attacks on victims other than their direct customers. FireEye has shown a significant degree of transparency in the aftermath of the attacks allowing for various private and public entities to come together quickly to find ways of limiting the damage caused by the attack. There are nonetheless some questions to be answered in due time in relation to the timing of the release of such information, and how the various stakeholders are impacted, positively or negatively from a security, reputational, and financial standpoints. Cyberpeace requires that the security, dignity and equity of everyone prime over other considerations, in the long term of course, but also very much in the immediate aftermath of a breach discovery.
The SolarWinds breach reminds us that cyberattacks have a long-lasting impact on digital ecosystems. To work towards a stable and inclusive cyberspace, we need to ensure that human security, dignity, and equity are upheld and respected everywhere.
The CyberPeace Institute is an independent, non-profit organization with the mission to enhance the stability of cyberspace. It does so by supporting vulnerable communities, analysing attacks collaboratively, and advancing responsible behaviour in cyberspace.