ARGUMENT: Cybersecurity
A Key Step in Preventing a Future SolarWinds

Published 8 February 2021

In the weeks since news of the SolarWinds incident became public, commentators have offered no shortage of prescriptions for responding to the incident. Natalie Thompson writes in Just Security that as information continues to emerge about the scope and scale of the incident and policymakers struggle with thorny questions regarding appropriate responses, urgent attention also is needed to actions that could prevent such large-scale catastrophes in the future.

She adds:

The SolarWinds incident is a reminder of the systemic security risks posed by outsourcing IT to cloud-based providers of “Infrastructure as a Service” (IaaS) and “Software as a Service” (SaaS). After inserting malware into SolarWinds’ network management software and gaining access to the on-premise infrastructure of the company’s clients, the perpetrators turned their attention to the cloud, deceiving user authentication protocols into allowing access to cloud resources.

To address these vulnerabilities, federal action is needed to establish a cloud security certification that can help deploy security across the ecosystem of information and communications technology, starting with the cloud.

Both IaaS and SaaS providers are attractive options for customers because they offer usability and scalability. Rather than assuming responsibility for building and maintaining on-premise infrastructure, consumers place their trust in companies like Microsoft and Amazon Web Services (AWS) to secure their data.

Thompson writes that in the SolarWinds case, attackers abused the trust placed in on-premises systems to forge credentials that allowed them to access cloud systems and escalate their attacks across compromised networks. “The incident thus demonstrates on a granular, victim-by-victim scale the potentially significant, systemic risks associated with the cloud: Gaining access to a crucial node can enable widespread damage across an entire system.”

She notes that despite its potential utility to consumers and the federal government, a cloud security certification is not a panacea. Even certified systems operated by engaged, knowledgeable users can be breached, and capabilities for threat detection and incident remediation and response must be bolstered alongside defenses.

The only government agency with the capability and capacity to look for this sort of malicious activity, the National Security Agency, operates under significant legal prohibitions on domestic surveillance. As the scope and scale of the SolarWinds incident continue to come to light, further action will be needed to ensure that cyber threats can be identified and mitigated in a timely fashion.

In the meantime, as victims of the SolarWinds incident attempt to determine the extent of the damage and identify appropriate responses, identifying tools to help prevent future incidents must be a priority for policymakers, and the executive branch should direct DHS and NIST to begin the process of developing a federal cloud security certification. The SolarWinds attack has demonstrated the importance of clearly and effectively communicating to customers the level of security they can expect from their cloud providers and the responsibilities that remain with users. Implementing a cloud security certification is an important first step in empowering customers in this endeavor.