Loose lips sink ships, warned US anti-espionage posters during World War II. It turns out loose code can do a lot more.
The world first caught wind of a massive breach linked to cyber firm SolarWinds last December. The breach was unique not only in its scale, but also in its method of attack. Hackers targeted the very first stop of the entire cyber line of defense: the cybersecurity software.
The compromised software let hackers into thousands of government agencies and companies, sending shockwaves throughout the world. GovInsider spoke with cyber experts to understand what Singapore and its neighbours can learn from the SolarWinds attacks.
What was most surprising?
What made these attacks particularly insidious was the way it exploited trust in cybersecurity companies, notes Terence Siau, General Manager of Singapore at the global research institution Center for Strategic Cyberspace + International Studies. Many organisations never thought to second guess their security tools, trusting that cyber firms had done their “due diligence”.
But the hackers targeted the software right from the coding stage, sneaking into it as developers built it. Any vulnerabilities would then be passed down to companies, their employees, and even external customers, Siau explains.
“Imagine you’re using an Android phone, and the compromisation comes in from the Android OS,” he says.
Another surprising factor was the scale of these attacks, say Abhik Roychoudhury, Provost’s Chair Professor at the National University of Singapore’s Department of Computer Science, and Liang Zhenkai, who is Associate Professor at the same department.
There were more than 18,000 SolarWinds customers affected, and an estimated 1000 attackers involved, according to Reuters. But it’s likely that we won’t know the full extent of these attacks until much later, Siau says.
After all, they take a while to find. Investigators believe the hackers had been lurking in the organisations from as early as September, The Wall Street Journal wrote.
The Southeast Asian region has yet to report any ramifications from the SolarWinds attacks, but it has experienced supply chain breaches of its own. Singapore telco giant Singtel was breached through a third-party file sharing system in January this year, Siau shares.
What we’ve learned
Five months on, what are the biggest lessons we can learn from the SolarWinds breach?
First, we need to rethink what makes ‘trustworthy’ software, say Roychoudhury and Liang. “Think of this as extra vigilance – why trust software because it comes from a trusted supplier?” they add.
The second lesson is to prioritise application security, which means making services that run on individual devices more secure. Every device – be it a mobile phone, laptop or IoT sensor – that connects to an organisation’s central network presents an opportunity for attackers to strike.
The bad news is that software for these devices are “most fragile (and poorly written), allowing attackers easy access,” Roychoudhury and Liang note.
The good news? Companies recognise this and are working on it. Siau has observed an increase in the number of new application security-focused cyber companies, both in Singapore and the wider region.
The third lesson is to strengthen detection and response capabilities, Roychoudhury and Liang say. “As the attack surface cannot be fully eliminated, we need to rely on second-line defence solutions and enhance post-attack response systems.”
CyberSecurity Malaysia plans to build up the country’s threat detection and predictive capabilities, CEO Dr Amirudin Abdul Wahab tells GovInsider. It will use data analytics to identify patterns and pick out anomalies.
“Security nowadays is not perimeter defense; it needs to be a multi-layer defense,” he notes.
How can governments in the region respond to these threats to the cyber chain?
Singapore’s Communications and Information Minister S Iswaran has called for a zero trust approach – a strategy which Roychoudhury and Liang deem to be “a safe and sound one”. Organisations should continually verify users before giving them access to their network.
These verifications shouldn’t just be one-off instances, either. Organisations need to work towards “gradual acceptability” by authenticating users at every node in the network, they say. This would lead to “enhanced trust over a period of time”.
AI can help, Siau says. Algorithms can monitor each employee’s behaviour, such as their typing speed or the way they use their mouse, to establish a baseline for their normal activity. Once they detect something that deviates enough from this baseline, they will send an alert to the security team, he explains.
Zero trust isn’t necessarily a new approach, but it’s certainly an ongoing one. The world has received its first major lesson on the importance of securing the cyber supply chain. May it learn well.