The SolarWinds hack revealed in December 2020 underlines how easily software and system supply chains become targets when an organization has no sound cybersecurity policy embedded into it.
In its official statement, the Cybersecurity & Infrastructure Security Agency (CISA) said the compromises of U.S. government agencies, critical infrastructure entities, and private sector organizations by an advanced persistent threat (APT) actor began at least as early as March 2020, and that the APT actor demonstrated patience, operational security, and complex tradecraft in these intrusions. “CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.” The detailed infection vectors and compromise mitigations are listed in the statement here.
Reading its details confirms a lot of what we are told in briefings at embedded.com and EE Times on the topics of internet of things (IoT) security and cybersecurity from semiconductor industry security experts and from companies offering secure elements, devices, provisioning and security lifecycle management.
It really surprises me that such breaches can occur when government departments around the world are so paranoid about security, yet make themselves completely vulnerable via third-party systems, software and device suppliers who appear to skip proper security mechanisms and policies. I recall, even when working as a contractor for the British government a few years ago, the amount of security training and the constant security consciousness we needed to maintain. Just one tiny example was how paranoid I became about never leaving my laptop in a locked car or any other place when travelling on business. It always had to be on my person or near me where I could see it. There were of course plenty of other things that we had to diligently observe.
But the SolarWinds breach is more of a fundamental policy issue on whether security should just be the remit of the hardware and software systems designers or be taken more seriously at a higher level in the organization.
Hence, it’s timely that corporate finance advisor Woodside Capital Partners should produce a report outlining ‘seven lessons for CEOs, directors, board members, and private equity firms’. Written by its managing director Nishant Jadhav, the report says the SolarWinds supply-chain attack has underlined the need for a deeper cybersecurity understanding at the executive and board level. Amidst a world of advanced persistent threats that potentially lurk in most business environments, invisible to surveillance tools, it is increasingly important to protect reputation and enterprise value in the face of the unknown.
The key thing that executives, advisors and investors need to be asking, it says, is whether the company can answer at board level whether it has cyber assurance. Here are its seven lessons.
Lesson One: adopt a security-first versus a compliance-first mindset – top down
A security-first mindset implies that the executive leadership team and the board understand the risks presented to that specific company. It also implies that the company understands the risks it creates for its clients and partners. A compliance-first mindset, on the other hand, is a race to do just the bare minimum to receive a passing grade. A compliance-first mindset is regressive in that it measures your baseline on the day of attack and provides you assurance for a fixed amount of time in the future. Unfortunately, that is a failing strategy for cybersecurity protection, as threats are constantly evolving and becoming more sophisticated with state adversaries at play. The executive leadership team, along with the board, needs to sign off quarterly on what the threat posture of the company is.
Lesson Two: chief information security officers (CISOs) must be a part of the executive leadership team, and not just report into the head of information technology
Good CISOs are trained to think about ongoing threat vectors and evolving attack surfaces for your business as a whole. This includes inadvertent data leakage from your customer-facing ranks, risks to customers from using your products, and your company’s risks in deploying technologies for its own use. As a result, the CISO must touch all facets of the business and have the range of influence of a line leader to drive change at an atomic level. The CISO must be held accountable for ensuring that their recommendations have percolated through the ranks and that ongoing protection and risk exposure are measurable at any point in time. This sounds onerous and can be political, but the liabilities resulting from an attack that blindsides the company, and that it cannot contain, could be devastating – temporarily in the capital markets and permanently from a reputation standpoint.
Lesson Three: KPIs for CISOs must include ongoing protection and remediation
It seems to be common practice to fire a CISO as soon as a new breach is discovered on a network, but this line of thinking is ineffective and archaic. Instead, it’s the conversation around the CISO’s responsibilities in the wake of a threat that needs to change. Empower the CISO with a security budget that is in line with the company’s security gap. Also, measure their success not just on business uptime in a given quarter, but also on the awareness generated within each faction of the business over time. Add to this mix KPIs around how the business will respond to a threat that originates outside the realm of your own organization, as in the SolarWinds case. Model that behavior and its impact on your clients, your reputation and, subsequently, your valuation/stock price.
Lesson Four: a trusted solution provider/partner does not imply a secure partner
The SolarWinds supply-chain attack has proved that threats can lie outside the control of your own best security practices. In essence, no partner is a secure partner, no matter how big the company or how reputable its security practices. Creating an “air-gapped” network on which new products are incubated can mitigate threat infiltration through trusted partner solutions.
Lesson Five: compromising security is the wrong lever for increasing profitability
Woodside Capital (WCP) foresees a key valuation metric for a company being its security posture assessment value – a “cyber grade”. The cyber grade would be measured on the technology and training investments for ongoing protection policies of the company’s own assets, as well as the risks to the company’s clients and partners. A key factor in this cyber grade will also be the remediation efforts that the company has already put in place in the face of prior threats and the time taken to respond (weighted by the severity of the threat). The higher the cyber grade, the higher the valuation of that company. Private equity (PE) firms specializing in cybersecurity companies should pay greater attention to the cyber grades of their portfolio companies, and not forsake them for profitability in the short run. WCP’s recommendation to the approximately 5000 privately held cybersecurity companies is to create a version of their cyber grade which summarizes their continuous commitment to cybersecurity and engagement at the executive leadership team level to realize these outcomes. In the absence of an industry-wide standard, it’s easier to define a baseline set of guidelines that the executive leadership team and the board can showcase, which differentiates them as a security-first company.
Lesson Six: cyber insurance needs a closer look at the board level
Most cyber insurance policies provide coverage for financial losses resulting from a data breach or from unauthorized access to, or disclosure of, personal or protected information. Some insurance companies offer additional endorsements or specific policy provisions and coverage for losses caused by various other means, such as social engineering (i.e., a breach caused by phishing), specific coverage for credit card losses, denial-of-service attacks, ransomware, and more. But a supply-chain attack such as this one changes the playing field. This can’t be written off as an act of God, since there are real perpetrators causing harm to a business outside the control of the manageable tools that a prudent person could use. The CISO must engage the board to mandate new cyber insurance policies that include exposure to malicious state actors and supply-chain attacks. These policies must span a wider range of time, as subsequent widespread damages from these threats can extend into many months and years after an attack.
Lesson Seven: continuous reputation protection
Despite best efforts, a breach can hit a company at any time, and it can have a tangible impact on the business. The obvious questions here are:
- Does SolarWinds take the hit in this case?
- Does Microsoft suffer because its source code was exposed because they used the SolarWinds Orion software?
- Can SolarWinds regain its lost reputation?
- Will Microsoft be a good acquirer for security companies?
The answer lies in the continuous actions the executive leadership team and the board have taken to showcase that cybersecurity is a core differentiator for their company – security first, cyber grades. That they’ve learned from their own mistakes and the mistakes of others to continuously enhance the company’s threat posture and reduce attack surfaces for itself and its clients. This includes better cyber insurance coverage and better remediation policies from the company to its clients. Importantly, highlight that the company continues to invest in and educate its workforce about cybersecurity. Essentially, if the company has created cyber assurance for itself and can pass it on to its clients and partners, it’ll be better placed to protect its reputation in the long run.
The WCP report goes on to list a number of growth-stage companies that offer the building blocks of a holistic cyber assurance strategy, from risk management and threat remediation to cyber insurance. The report is available here.