Broken Trust: More Regulation Not the Answer

In a May 20 podcast hosted by The Cipher Brief, The Atlantic Council Cyber Statecraft Initiative discussed the Solarwinds/Sunburst attack that has shone a spotlight on supply chain vulnerabilities, and is covered in the Council’s recent report titled "Broken Trust: Lessons from Sunburst." A characteristic of the Sunburst attack was a “highly effective focus on the seams of security in cloud deployments and on-premises identity solutions.”

Attackers exploited Microsoft IAM (Identity Access Management) products on their victims’ systems. SolarWinds/Sunburst was part of the broader campaign, during which attackers created a backdoor to the SolarWinds Orion product.

In their research, the Council documented 138 total supply-chain attacks and vulnerability disclosures since 2010 (102 were realized attacks); many targeted admin and security tools, because these tools enjoy higher permissions and are often not subjected to the same level of scrutiny as network endpoints. A characteristic of the Sunburst attack was a “highly effective focus on the seams of security in cloud deployments and on-premises identity solutions.”

The authors highlight three key problem areas in their analysis of the Sunburst attack:

1. Risk management deficiencies across a varying landscape of federal networks.
2. Hard-to-defend linchpin cloud technologies that were not adequately protected and are not being built as defensible as possible.
3. Limited speed and poor adaptability on the part of federal security policies that are unable to keep up with the pace of threats, and presently happen “by crisis.”

The report rightly points out that the government needs to move away from an offensive-defensive mindset and maintain a “persistent flow” of cybersecurity measures in order to be more adaptable.

We agree that adding additional layers of policy on top of a raft of cybersecurity regulations is a wrongheaded move. By closely hewing to regulations, organizations adopt a “check the block” mentality and assume that they are adequately protected because they “filled out all the proper paperwork.” Moreover, adversaries can study regulatory requirements, learn to find the areas that are not sufficiently covered and exploit those.

Of greater concern, however, is that the fundamental underpinning of the cybersecurity framework is fatally flawed: using outdated measures like Public Key Infrastructure (PKI) that rely on secrets, which that are impossible to keep. Instead, a truly effective cybersecurity posture should endeavor to remove complexity and to keep fallible humans out of the decision-making loop.