Adapting to the Post-SolarWinds Era: Supply Chain Security in 2024

COMMENTARY

In December 2020, the SolarWinds attack sent shockwaves around the world. Attackers gained unauthorized access to SolarWinds' software development environment, injected malicious code into Orion platform updates, and created a backdoor called Sunburst, potentially compromising national security. The attack affected 18,000 organizations, including government agencies and major corporations, and the malicious actors responsible for the breach may have been preparing to carry out the attack since 2019.

Although three years have passed and governments and other organizations have reevaluated security best practices and legislation, new developments in this story continue to emerge. This shows that more must be done to help prevent such a drastic attack from happening again.

Revealing New Insights Into the SolarWinds Attack

Recent developments about the attack underscore how vulnerable supply chain security is to highly skilled attackers. New insights also emphasize the critical role of swift and effective cybersecurity practices in protecting against nationwide threats.

In April 2023, it was disclosed that the US Department of Justice detected the SolarWinds breach in May 2020, six months before the official announcement, and informed SolarWinds of the anomaly. During the same period, Volexity traced a data breach at a US think tank to the organization’s Orion server. In September 2020, Palo Alto Networks identified anomalous activity related to Orion. In each case, SolarWinds was notified but found nothing suspicious.

In October 2023, the SEC charged SolarWinds and its CISO with fraud and internal control failures, accusing the company of "[defrauding] SolarWinds' investors and customers through misstatements, omissions, and schemes that concealed both the Company’s poor cybersecurity practices and its heightened — and increasing — cybersecurity risks." These accusations suggest systemic problems within SolarWinds and raise questions about its cybersecurity posture and diligence.

Taken together, these revelations indicate that the SolarWinds incident had a more significant and long-lasting impact than initially understood. They also underline the complexity of improving supply chain security.

Federal Responses and Regulatory Action

In response to this breach, regulators began investigating SolarWinds' security practices while considering new regulations to improve supply chain security. The Cyber Unified Coordination Group (UCG) was formed, consisting of the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Office of the Director of National Intelligence (ODNI), with support from the National Security Agency (NSA). The UCG exemplifies a collaborative approach to addressing such threats.

In January 2022, CISA issued emergency directives to inform federal agencies of vulnerabilities and actions to take. It also provided guidance through advisories and reports. CISA's efforts expanded threat visibility, fostering a "whole-of-government" security operations center where participants can share real-time attack information. Organizations affected by the attack have since implemented incident response plans, enhanced monitoring, and improved vendor risk management.

And in June 2022, President Biden signed the State and Local Government Cybersecurity Act of 2021 into law, promoting collaboration between the Department of Homeland Security and state, local, tribal, and territorial governments.

Future Preparedness and Collaborative Measures

The SolarWinds attack prompted calls for comprehensive cybersecurity legislation worldwide. Governments must strengthen cybersecurity frameworks, improve information sharing, and implement auditing and risk management for critical infrastructure. Organizations, too, must establish robust vendor risk management programs, including comprehensive due diligence processes, before engaging with third-party vendors.

Information sharing between private companies and government agencies remains crucial, necessitating quick and efficient processes for detection and response. Public-private partnerships are encouraged to share insights on emerging threats. In the wake of the attack, organizations around the world must place greater emphasis on information sharing and collaboration. Cybersecurity vendors need to invest more in threat intelligence-sharing platforms and broader partnerships to strengthen collective defenses against sophisticated threats.

The SolarWinds incident highlights the importance of software security by design. The attackers exploited weaknesses in the development process, emphasizing that secure coding practices should be an integral part of the software development lifecycle. Organizations must prioritize secure coding standards, regular code reviews, vulnerability assessments, and penetration testing.

Even so, the process of how code is developed, updated, and deployed won't eliminate cyberattacks. That's why many organizations need to improve security auditing, endpoint security, patch management, and privilege management processes. Implementing a zero-trust approach is essential, as it can limit lateral movement within networks and minimize the potential damage from compromised systems.

Another area for improvement is penetration testing, which actively looks for potential vulnerabilities in networks. One option for an enterprise is to build a red team — cybersecurity personnel who test network defenses and find potential flaws or holes that could be exploited by attackers — before the attackers find them.

Conclusion

The SolarWinds attack serves as a constant reminder that organizations must remain vigilant against evolving cyber threats. By staying informed, collaborating, and continuously improving cybersecurity practices, organizations can enhance their defenses against supply chain compromises like SolarWinds while safeguarding their digital ecosystems in 2023 and beyond.