It’s been more than two months since the SolarWinds hack, and experts are still figuring out exactly what happened and how it could have been prevented. This uncertainty has led to silence as many companies fear the worst — that their own software could be vulnerable to a similar attack.
The reality is that no company is 100% secure, but the best way to get close is to study others’ mistakes, learn from what went wrong, and take action within your own organization.
SolarWinds represents a paradigm shift in how every company should be thinking about cybersecurity, so here’s what executives in every industry need to understand.
Software supply chains will continue to be the attack target of choice
Supply chain attacks are nothing new, but the SolarWinds hack emphasized the urgency with which we need to act. We need to secure our software supply chains, meaning every tool, technology, and platform that touches the company, not just the large suppliers we deal with directly.
In other words, you are responsible not only for securing the app or website your customers use, but also for the third-party developer tools, ad platforms, and workforce apps that your employees and vendors rely on.
Software supply chain visibility is incredibly complex, and while the industry is moving toward greater visibility, many organizations are still early in that process. Today's supply chains rest on an implicit trust that the suppliers we have influence over hold their own suppliers to the same practices. Changing that status quo will be challenging and will require industry leadership.
As a first step, companies need to catalog all of these entities, including their suppliers' supply chains, and then work out how to cascade that requirement down the chain until visibility becomes 20/20.
Next, they need to use this visibility to set clear security requirements that every vendor must meet to renew its contract, and enforce those requirements through technology rather than trust alone.
This tectonic shift will not happen overnight. The journey to more secure supply chains will be exactly that — a journey.
Complexity = vulnerabilities, and moving to the cloud isn’t enough
The technology industry has developed software rapidly, and as a result, today’s tech stack is complex, diverse, and full of technical debt. Traditional asset and supplier management approaches haven’t kept up with the velocity of software development tooling, and in the race to scale, companies have developed patchwork stacks that all but invite cyberattacks.
While some cloud advocates (myself included!) have used the SolarWinds attack to argue for moving from on-premises technology to the cloud, taken on its own that is an oversimplification. Moving to the cloud is an important first step, but on its own it is nowhere near enough to prevent these kinds of attacks.
Another consideration should be adopting a Zero Trust approach: never trust, always verify. It fortifies the links between systems by strengthening authentication at each hop and limiting what a compromised system can reach downstream.
Okta has long been an advocate for a Zero Trust approach to identity and access management, but now companies need to apply this ideology to the entire supply chain of products, programs, and businesses that feed into their ecosystems.
The repercussions are far from over
Up to 18,000 SolarWinds customers could have been affected, and the list of confirmed high-profile victims — including Microsoft, Intel, Cisco, and several U.S. government agencies — continues to grow.
It is still unclear what the long-term ramifications will be for these companies, or, more concerningly, for the ones we do not yet know about, but right now all eyes should stay on SolarWinds. Past SolarWinds software releases should still be treated as at risk.
New information about the malware injected into the Orion software packages continues to emerge, and it paints a picture of systemic security problems that gave the threat actors their opening. Given those systemic issues, the responsible approach is to treat any software SolarWinds released while the attack was underway as high-risk until proven otherwise.
One outcome we can expect is a renewed emphasis on cybersecurity in Washington. The White House recently named Anne Neuberger deputy national security adviser for cyber and emerging technology; she has said the government believes it is still at the "beginning stages" of understanding the scale of the SolarWinds attack, which indicates that substantial time and federal resources will need to be allocated to the response.
She plans to launch a study of the breach to uncover lessons for preventing more major hacks in the future. While it is positive that lawmakers are prioritizing cybersecurity, the industry will need to support these government initiatives to achieve the best outcome.
Copycats are coming
The SolarWinds supply chain breach is one of the largest and most successful cyber espionage campaigns in history, and success generates copycats.
The success of this breach leaves us wondering what else lies ahead and when to expect it. The industry has spent years moving toward an automated software security model in which regular, automatic updates play a key role. Attackers have found a scalable way to turn that same update channel against us.
Ultimately, the SolarWinds hack should be a wake-up call for every industry. Given the complexity of our modern software stack, we can only expect to see more of these breaches in the coming years.
We will not have a way to prevent them before the next one happens, but we can contain them better. That starts with beginning the journey toward a Zero Trust architecture and stepping back to rethink your organization's holistic, long-term cybersecurity strategy, with special attention to finding the weak links in your supply chain.
Todd McKinnon is the chief executive officer and cofounder of Okta. He is responsible for creating, communicating, and implementing the overall vision and strategy for the company.