Showing posts with label Software Defined Networks. Show all posts

Wednesday, January 12, 2022

2021 The Cybersecurity Disaster Year

2021 has proved to be a disaster year for Cybersecurity. Events have demonstrated just how porous our cyber infrastructure is. Perhaps for the first year in history, compromises have grown faster than the increase in use, uses, and users might have suggested.

CISA, the FBI and the NSA have warned in a joint advisory that Russian threat actors are actively exploiting and seeking to cause disruption to IT and OT networks, especially around critical infrastructure. The advisory outlines technical details of at least 18 vulnerabilities and malware attacks.

It may well have been worse than we know. We know that many, not to say most, of our systems were vulnerable, either to a corrupted supply chain (e.g. SolarWinds) or to vulnerable open source software (e.g. log4j), at least for the time it took us to appreciate and mitigate the exposures. Few of us can know that that window of opportunity was not used to covertly install backdoors into our networks for later exploitation. It is at least possible, not to say likely, that hostile forces took the opportunity to stockpile compromises that they did not immediately have the motive or resources to exploit.

It seems unlikely that our adversaries, particularly nation states, missed the opportunity presented to them by these exposures. SolarWinds was an attack, planned and well resourced. While we can identify and remove the SolarWinds code, it is near impossible to know about, identify, or remove covert back doors installed using it.

How can we mitigate the risk that such covert backdoors represent?

First, we must implement process-to-process isolation. We can no longer operate a flat enterprise network. We must structure the network so as to isolate high risk applications, such as user owned devices, browsers, and e-mail, from sensitive data and services. We can do this in part by physical structure in the network, and in part by end-to-end application-layer cryptography.

We must implement strong process-to-process authentication ("zero trust") not just horizontally, that is system to system, but also vertically, up and down the stack. For example, the application must authenticate the database manager and the database manager must authenticate the application processes that use it.  It is urgent that we isolate covert compromises, backdoors, and vulnerabilities, before they are exploited and so that they do not put the entire enterprise at risk. 

Second, we must implement a policy of "least privilege."  While such a policy involves somewhat more administrative burden than the all too common laissez faire policy, security does not need to be free to be efficient.  It must only be cheaper than tolerating the risk.  If the covert backdoor has no privileges, it can do no harm.  

Third, we must demand that software come with a digital bill of materials.  When a vulnerability is found in widely used software, we must be able to quickly determine whether or not and where, we may have instances of that vulnerable software installed.  We should not have to beat the bad guys at scanning for the vulnerability.
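As an added illustration of the third point (not code from the original post), here is a small checker that reads a software bill of materials and reports where instances of an affected component are installed. The SBOM content and host names are constructed samples in a CycloneDX-like shape, and the log4j-core affected range is an assumption used for illustration rather than an authoritative advisory.

```python
import json

# Constructed sample SBOM (not a real inventory). Each component records the
# package, its version, and the host on which it is deployed.
SAMPLE_SBOM = json.dumps({
    "components": [
        {"name": "log4j-core", "version": "2.14.1", "host": "app-server-01"},
        {"name": "log4j-core", "version": "2.17.1", "host": "app-server-02"},
        {"name": "log4j-core", "version": "2.0-beta9", "host": "batch-03"},
        {"name": "jackson-databind", "version": "2.12.3", "host": "app-server-01"},
    ]
})

# Advisory entries: (component name, first affected version, first fixed version).
# The range below is an assumption for illustration, not an authoritative source.
ADVISORIES = [("log4j-core", "2.0-beta9", "2.15.0")]


def parse_version(v):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple.
    Numeric parts compare numerically; a pre-release suffix sorts
    below the plain release of the same number."""
    base, _, pre = v.partition("-")
    nums = tuple(int(p) for p in base.split(".") if p.isdigit())
    nums = nums + (0,) * (3 - len(nums))  # pad so '2.0' == '2.0.0'
    return nums + ((0, pre) if pre else (1, ""))


def in_range(version, first_affected, first_fixed):
    """True when first_affected <= version < first_fixed."""
    v = parse_version(version)
    return parse_version(first_affected) <= v < parse_version(first_fixed)


def find_vulnerable(sbom_json, advisories):
    """Return (name, version, host) for every installed instance that falls
    inside an advisory's affected range, so the owner knows where to act."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom["components"]:
        for name, first_affected, first_fixed in advisories:
            if comp["name"] == name and in_range(comp["version"], first_affected, first_fixed):
                hits.append((comp["name"], comp["version"], comp["host"]))
    return hits


if __name__ == "__main__":
    for name, version, host in find_vulnerable(SAMPLE_SBOM, ADVISORIES):
        print(f"{host}: {name} {version} is in the affected range")
```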

Fourth, we must hold developers and suppliers of products that include software responsible for the content of that software, if not for its quality, then at least for any malicious code which they ship. While we may tolerate poor quality software and the now expensive patching regime forced on us by that poor quality, that is not the same as tolerating malicious code which the supplier did not even write.

I am tempted to go on but I want you to focus on the first and second.  These are policies that are specifically implicated by the risk that our networks are already compromised but they are not limited to that risk.  They are efficient because they address the entire range of cyber risks.  



Tuesday, January 5, 2021

SolarWinds

By now most should realize that SolarWinds is a compromise on an almost unimaginable scale. It is a crisis. While there are "indicators of compromise" there are no indicators of all compromises. While the attackers have concentrated on gathering intelligence on only a small number of target sites, all SolarWinds customers must assume that they are compromised and that there may be multiple backdoors into their systems for which there are no IoCs. Only a small number of enterprises, perhaps none, have sufficient control over the content of their systems to be sure that they are resistant to such backdoors.

In https://us-cert.cisa.gov/ncas/alerts/aa20-352a DHS/CISA has suggested that some enterprises under some circumstances will have to "rebuild (from scratch) hosts monitored by the SolarWinds Orion monitoring software using trusted sources."  In fact, we may have to rebuild all enterprise systems.  

President Obama's chief of staff, Rahm Emanuel, famously said in 2008, “You never want a serious crisis to go to waste. I mean, it's an opportunity to do things that you think you could not do before.”  It would be tragic, if after rebuilding our systems, we should come away as vulnerable as when we started.  

We should take Rahm's "opportunity" to introduce "zero trust," indeed zero trust on steroids.  One might well start with a Software Defined Network.  One should include mutually suspicious processes, strong authentication at all levels, and "least privilege" access control.  

Rebuilding systems in months that took decades to evolve is a daunting task. I am reminded of what my father taught me when I was just starting out in IT almost sixty years ago. "Son," he said, "all hard problems in information technology have one and the same answer: one application at a time." We can do this. We should use the crisis to overcome the inertia that has kept us from doing what we all know we should have done a while ago. We know what to do: all we need is the leadership to do it.

Do not worry about the cost.  Much of what we need to do, we can do with available resources.  For example, we can implement "least privilege" with available tools.  It only requires a change in intent.  In any case, there is always enough money to do that which must be done.