Biden’s Post-SolarWinds EO Underscores Need for Better SMB Security
It’s been several months since we first learned about the SolarWinds supply chain attacks. Just as a reminder, SolarWinds announced in mid-December that it had suffered a digital attack where malicious actors inserted a vulnerability called “SUNBURST” into certain versions of its Orion Platform IT management software. That vulnerability enabled an attacker to compromise customers’ servers running the affected Orion versions and to then gain access to their networks.
In response to SolarWinds announcement, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01. It explained in its order that the SUNBURST vulnerability posed “unacceptable risks to the security of federal networks.” Subsequently, CISA mandated that all federal civilian agencies disconnect or power down their SolarWinds Orion products and to not reconnect their affected devices until they received further guidance.
Several federal agencies and departments suffered a compromise at the hands of those attackers regardless. Anne Neuberger, deputy national security advisor for cyber and emerging technology, confirmed in a press briefing for the White House that those responsible for the SolarWinds supply chain attacks successfully targeted nine federal agencies. Those entities included the Department of Justice, NASA, and the Department of Homeland Security.
The Biden Administration’s Response to the SolarWinds Attack
In the spring of 2021, the Biden Administration issued new sanctions against Russia in response to allegations that Moscow was responsible for the attacks. The sanctions applied to 32 entities including government and intelligence officers as well as six Russian companies, reported Bloomberg. At that same time, the Administration also announced it would expel 10 Russian diplomats from Washington and bar U.S. financial institutions from participating in the primary market for new Russian debt.
The Administration didn’t stop there. It also apparently realized the need to better defend the federal government against digital supply chain attacks like the SolarWinds incident going forward. That explains why it’s working on a new executive order (EO) to improve the digital supply chain security of U.S. federal agencies. It seeks to do this by focusing on two things in particular: secure software development and post-mortem understanding.
Secure Software Development
According to NPR, the Biden Administration is looking to use its new EO to emphasize secure software development among organizations that wish to do business with the federal government. A central element of this objective involves enforcing transparency.
“If you or I are going out to buy network management software like SolarWinds and we want to buy the software that is most secure, we have no way of assessing which that is,” Neuberger said in an interview with NPR. “And as a result, we have no way of saying, ‘you know what? I’m willing to pay $5 more for the more secure software because I don’t want to bring more risk into my network.’”
According to Neuberger, the Administration can tackle this issue by defining a set of secure development requirements which federal contractors must follow. Those organizations must then be able to prove their compliance with those guidelines.
That raises the following question: where will the Biden Administration look to develop those secure development standards?
It might start with the National Institute of Standards and Technology (NIST). To be clear, NIST released the Secure Software Development Framework (SSDF) last year before SolarWinds. It’s not as well-known as NIST’s Cybersecurity Framework (CSF), but I’m sure the Administration will still at least consider leaning on the SSDF for guidance to address secure software development and supply chain issues.
With that said, it’s important to remember that this is a starting point and not a finish line. Supply chain attacks first got their day in the sun with Target in 2013. Since then, the software security as it applies to the supply chain has been largely ignored. It’s about time we all acknowledge the issue of secure software development and get it out there to be discussed.
Post-Mortem Understanding
The Biden Administration is also looking to help protect organizations after a security incident has taken place. Towards that end, NPR reported that the EO will help to create something like the National Transportation Safety Board (NTSB). This entity will sift through the “wreckage” of a successful digital attack to figure out its root causes so that it doesn’t happen again.
Additionally, the EO will require federal contractors to be open about digital attacks.
“If you’re doing business with the federal government, then when you have an incident, you must notify us quickly,” Neuberger clarified. “Because we’d like to take that incident and ensure that the tactics, techniques and procedures, the information is broadly shared.”
What This Means for SMBs
The provisions identified in the draft EO promise to help federal agencies and departments. But they could potentially become a problem for SMBs. That’s because it’s the same old problem—that is, how do SMBs compete if these ideas become requirements? Smaller teams already struggle with implementing the CSF or abiding by easier-to-digest basics like the Center for Internet Security’s Critical Security Controls (CIS Controls), much less something like enforcing the SSDF. Then there’s the matter of whether THEIR vendors are worried about the SSDF. And so on and so on.
Someone needs to look out for the little guy. SMBs need a way to hide the network from opportunistic bad actors. They also need affordable tools and security experts to provide internal visibility that they might not have ever had before because it’s too expensive or complicated. Such visibility is helpful not only for the affected organizations, but the use of these visibility tools – even in post mortem analysis –could, through the implementation of Biden’s EO, help others in the industry prepare for the next attack.
Get the internal visibility your SMB needs to defend against digital threats.
Ted has worked with network security and web technologies for almost 30 years, beginning his career as a full-stack web engineer and transitioning to network security. He now guides Nomic and its supporting initiatives, including CINS Active Threat Intelligence.