Tag: SolarWinds

What the Colonial Pipeline ransomware attack can teach us about national cybersecurity defense

Mary Pat Campbell

Link: https://thenextweb.com/news/what-the-colonial-pipeline-ransomware-attack-can-teach-us-about-national-cybersecurity-defense-syndication?mc_cid=c0c5baa839&mc_eid=983bcf5922

Excerpt:

There are no easy solutions to shoring up U.S. national cyber defenses.

Software supply chains and private sector infrastructure companies are vulnerable to hackers.

Many U.S. companies outsource software development because of a talent shortage, and some of that outsourcing goes to companies in Eastern Europe that are vulnerable to Russian operatives.

U.S. national cyber defense is split between the Department of Defense and the Department of Homeland Security, which leaves gaps in authority.

Author(s): Terry Thompson

Publication Date: 12 May 2021

Publication Site: The Next Web

National Security Risks of Late-Stage Capitalism

Mary Pat Campbell
National Security Risks of Late-Stage Capitalism

Excerpt:

There are two problems to solve. The first is information asymmetry: buyers can’t adequately judge the security of software products or company practices. The second is a perverse incentive structure: the market encourages companies to make decisions in their private interest, even if that imperils the broader interests of society. Together these two problems result in companies that save money by taking on greater risk and then pass off that risk to the rest of us, as individuals and as a nation.

The only way to force companies to provide safety and security features for customers and users is with government intervention. Companies need to pay the true costs of their insecurities, through a combination of laws, regulations, and legal liability. Governments routinely legislate safety — pollution standards, automobile seat belts, lead-free gasoline, food service regulations. We need to do the same with cybersecurity: the federal government should set minimum security standards for software and software development.

Author(s): Bruce Schneier

Publication Date: 1 March 2021

Publication Site: Schneier on Security

Recovering from the SolarWinds hack could take 18 months

Mary Pat Campbell

Link: https://www.technologyreview.com/2021/03/02/1020166/solarwinds-brandon-wales-hack-recovery-18-months/

Excerpt:

Brandon Wales, the acting director of CISA, the US Cybersecurity and Infrastructure Agency, says that it will be well into 2022 before officials have fully secured the government networks compromised by Russian hackers. The list includes at least nine federal agencies, including the Department of Homeland Security and the State Department. Even fully understanding the extent of the damage will take months.

“I wouldn’t call this simple,” Wales says. “There are two phases for response to this incident. There is the short-term remediation effort, where we look to remove the adversary from the network, shutting down accounts they control, and shutting down entry points the adversary used to access networks. But given the amount of time they were inside these networks—months—strategic recovery will take time.”

Author(s): Patrick Howell O’Neill

Publication Date: 2 March 2021

Publication Site: MIT Technology Review

Former SolarWinds CEO blames intern for ‘solarwinds123’ password leak

Mary Pat Campbell

Link: https://www.cnn.com/2021/02/26/politics/solarwinds123-password-intern/index.html

Excerpt:

Current and former top executives at SolarWinds are blaming a company intern for a critical lapse in password security that apparently went undiagnosed for years.

The password in question, “solarwinds123,” was discovered in 2019 on the public internet by an independent security researcher who warned the company that the leak had exposed a SolarWinds file server.

Several US lawmakers ripped into SolarWinds for the password issue Friday, in a joint hearing by the House Oversight and Homeland Security committees.

“I’ve got a stronger password than ‘solarwinds123’ to stop my kids from watching too much YouTube on their iPad,” said Rep. Katie Porter. “You and your company were supposed to be preventing the Russians from reading Defense Department emails!”

Author(s): Brian Fung and Geneva Sands

Publication Date: 26 February 2021

Publication Site: CNN