Five years after SolarWinds: Key lessons for cybersecurity


March 26th marked five years since SolarWinds first unknowingly shipped malicious code to customers, in what would become one of the biggest cyber attacks of all time. The attackers infiltrated SolarWinds in late 2019 and laced its Orion product – which helps organisations to monitor and manage their networks – with the SUNBURST Trojan in March 2020; customers discovered the malware in December, nine months later.

Because SolarWinds’s solutions were so widely used, it’s estimated that 18,000 companies were impacted. This included multiple critical US federal agencies, household names in the business landscape like Microsoft and Deloitte, and even the NHS.

This software supply chain attack changed the security landscape, with shockwaves felt well outside our profession’s usual remit. Geopolitical tensions were raised, with Donald Trump (the sitting President) – wrongly – accusing China of the attack. Within a few months, new President Joe Biden attributed the attack to Russia’s infamous Cozy Bear hacking group. Diplomats were expelled, and distrust between nations grew as cyberespionage became front-page news.

Lawsuits also followed. SolarWinds was taken to court by impacted customers, and then its own board members over the drop in share price caused by the attack. Perhaps the most devastating lawsuit – particularly for the cybersecurity profession – was that of SolarWinds’s CISO, Timothy Brown, who was criminally charged by the SEC for downplaying security risks. This was a watershed moment – for the first time a CISO was held directly accountable for an attack.

Legislation was also introduced in the wake of the attack. Brown’s case set a precedent, and the SEC has since imposed rules that increase accountability on CISOs if financial reports don’t accurately portray their company’s risk posture. To help shore up federal cyber defences, Joe Biden also signed an Executive Order mandating Software Bills of Materials (SBOMs) for all third-party software being supplied to government agencies.

Even though the attack shook the foundations of trust, five years on the dust has settled. But its impact is still felt. Our latest State of the Security Profession report had the attack second on the list of poorly handled breaches, more than four years after it took place. With that being the case, as a profession, what did we learn from SolarWinds SUNBURST?

We’ve had to up our game and cooperate more. Biden’s SBOMs laid a foundation for more transparency around exactly what’s in software solutions. Major players like Microsoft and Google, open source organisations such as The Linux Foundation and GitHub, and many more have all been more open about the components that make up software.

There’s been a shift in mentality too. Software supply chain attacks are often out of an organisation’s hands, so being resilient to the damage they cause is just as important as preventing attacks. This shoring up of defences and ensuring that gaps can be plugged rapidly represents a change in the cybersecurity profession – moving away from just prevention towards building resilience.

The profession has also learnt the hard way not to blindly trust security solutions. There’s no doubt that many of the organisations impacted by the attack – including SolarWinds – would have had some great cybersecurity tools in place. And yet, the attack still took nine months to discover. We’ve come to realise that even the best security solutions aren’t perfect, and assuming safety is a dangerous move. Organisations have since taken a much more layered approach to security, and the adoption of zero trust has become widespread.

Finally, security professionals and their roles have had to change. The SolarWinds SUNBURST attack put cybersecurity on the map – in a bad way – and inserted cyber risk into boardroom conversations. But to the layperson, a software supply chain attack can be a difficult concept to understand and cybersecurity is an innately jargon-filled space. Security professionals have been forced to communicate with non-technical stakeholders and learn to speak as the business does. While the core skills of the cybersecurity profession remain the same, we’ve had to adapt to become effective communicators.

That’s why continuous learning, development and professionalisation are so vital to preventing attacks and building resilience by translating cybersecurity into language that everybody can understand. Bodies like CIISec offer the opportunity to learn new skills and gain new certifications that are crucial to the evolution of the cybersecurity profession.
