The list of victims of the cyberattack is expected to expand as more information comes to light. The fact that the agency set up to safeguard the U.S. from cyber and physical threats was also breached highlights how any government agency is at risk from state-sponsored threats.
With the attack, the hackers were apparently able to access internal emails sent by the US Treasury and Commerce Department.
The hackers got in by first breaching the company SolarWinds and then using that breach to infiltrate government departments, harnessing a complex supply chain network. The massive hack has been dubbed Sunburst. Providing insight for Digital Journal into how the U.S. government should recover and learn from this incident is Casey Ellis, the Chief Technology Officer for Bugcrowd.
According to Ellis, the threat from rogue states (or at least actors within the state) is very real: “There is a crowd of potential adversaries with diverse skill sets, a variety of motivations and goals, and incentive to get results.”
Ellis moves on to consider the complexity of the attacks: “The SolarWinds incident demonstrates the complexity of supply chains as well as the dependency upon upstream security programs to maintain the integrity of the supplied software. What happened with SolarWinds could happen with open source software, as well as with other providers.”
In terms of lessons to be learned, Ellis finds a glimmer of hope: “The potential upside of this breach, as noted by Dmitri Alperovitch, is that the scope of the impact creates a dilemma for attackers when it comes to choosing what to exploit. The matter also shifts the burden to incident response to other firms as they seek to establish if the incident affects them.”
However, there are other actions that need to be taken, suggests Ellis: “Vulnerabilities exist in every platform and every company. This is in part due to the growing demands of remote work. Government agencies need to acknowledge the scale and distributed nature of the threats.”
On further preventative actions, Ellis recommends: “Governments and private organizations around the world have recognized the threats faced and are leaning into the benefit of well-run Vulnerability Disclosure Programs (VDPs) and develop digital locksmiths of the Internet, to counter the adversary and to create confidence in the security ecosystem.”