The recent SolarWinds hack has led to widespread attention on necessary cybersecurity reform across the federal government, with a particular focus on preventing future attackers from achieving a similar scope of infiltration.
One of the most notable aspects of the SolarWinds incident, explained Atlantic Council Supply Chain Cybersecurity Lead Will Loomis, was the sheer number of federal networks and interconnected private sector companies the attackers managed to breach, largely by using vulnerabilities in their cloud-hosted Microsoft Office 365 accounts to gain new entry points.
This has led to ongoing discussion among lawmakers and federal executives about why certain basic security measures have not already been implemented across government, with the Biden administration looking to issue an executive order that establishes a public rating system for software and connected devices along with mandates to further modernize federal IT.
Speaking at the GovernmentCIO Media & Research Infrastructure Security virtual event, federal cybersecurity experts discussed how to best safeguard public sector IT systems and prevent future network security breaches from reaching SolarWinds’ devastating scope.
“The big thing here is enemies are looking to maximize the blast radius of their operations ... they exploited high-level, large-scale admin or security tool software with significant levels of permissions. These types of systems provide great value for the enemy because of their ability through compromise of these systems and to get deep into networks on a massive scale, particularly within the government,” Loomis said. “This is not the first time we've seen these types of activities.”
Considering the evolving security environment and persistent efforts by adversarial governments and non-state actors to access U.S. government networks, cybersecurity experts recognize that it would be effectively impossible to stop every unforeseen breach. Instead, technologists within major federal agencies are looking to prevent future attacks from exploiting a vulnerability in one system to gain additional layers of access beyond that system.
“What we need to do is impart zero trust and have risk-reduction strategies because it's going to happen again,” said Katie Arrington, CISO for acquisition and sustainment at the Defense Department. “The likelihood is nothing is ever going to be 100% secure. So you do your best from the get-go to ensure that whatever software you're using or cloud instantiation should have risk reduction built into that.”
Much of this will require a more proactive, rather than purely reactive, approach to cybersecurity, with the U.S. government implementing new network security protocols in anticipation of future threats rather than belatedly closing off forms of attack that have already occurred. As was the case with the SolarWinds attack, the recent movement to private clouds presented new vulnerabilities that federal agencies hadn't fully prepared to address.
“We need to be looking forward to make sure that we are positioned for the next level and next tier of threats, not the ones that have come in the past,” Loomis said.
As a priority area, federal leadership and private industry partners are looking to put in place cybersecurity measures for the decentralized and remote approach to network connectivity that accompanied the widespread shift to remote work during COVID-19, a dispersed approach that will likely persist to some extent even after the close of the pandemic. This will require special attention to endpoint security and vigilance on the part of remote workers.
“Going forward, we should be expecting our computing environments to be more distributed or decentralized,” said Josh O’Sullivan, CTO at Ardalyst. “When we talk about zero trust, it's actually about doubling down on instrumentation for security. So it's moving a boundary toward the endpoint, toward the user, toward the identity and the persona.”