I thought I would put pen to paper about this SolarWinds attack. As ever with Supl posts, this is not designed for the IT community, but rather its business masters: trying to put the attack into some sort of historical context, and offering some thoughts as to how we should move forward.
The point is that we have built our Networks the wrong way round. Rather than groupings of computers, our networks should be built around trusted people and the information they need and share.
There has been some excellent technical analysis of what we know of the hack so far: the consensus is that whilst the attackers were sophisticated (particularly in the way they kept their tracks hidden), the methods by which they gained access were probably age-old and pretty basic, requiring no degree in computer science to understand. Somewhere in the SolarWinds estate sat a server that had missed being fully patched, and, a bit like a careless zebra getting itself separated from the herd, it was brought down by the marauders. Other parts of the hack were also age-old: in the 1970s British Intelligence had the sense to recruit the IRA's head of internal security. That gave him the perfect cover: he had access to all areas and was able to act with broad impunity - would you question the ultimate hardman? Likewise the KGB were clever enough to position Kim Philby as the head of the section in MI6 tasked with countering the Soviet threat. Wind forward to the 21st century, and SolarWinds' Orion product was the virtual equivalent: designed with counterintelligence in mind, it had access to all areas, and impunity to execute.
What's the prognosis? Pretty awful, if truth be told. Although the WannaCry ransomware attack was, on the face of it, more disruptive, at least such disruption was its obvious exhaust. In this case, the objectives were likely to be more insidious (information theft rather than a ransomware attack), and so there will never be a point when these networks can be considered "clean". If that sounds apocalyptic, perhaps it is the opposite. Finally, the risk of doing things differently might be lower than muddling along as usual.
What does doing things differently look like? Spoiler alert: I have no special ability to know the future, nor am I trying to sell a tech product that fixes things - that is how we got into this mess in the first place. Rather, I see my job as asking the stupid, fundamental questions to tease out those answers, free from the shackles of narrow, deep technical knowledge and (I hope) not bound by the prevailing orthodoxy.
It is interesting to note that just as the past offered a good guide to the attackers, so it does to the defenders. Many years ago soldiers learnt that building a thin protective crust that did not distinguish between low- and high-value assets was asking for trouble: rather, they learned to defend in depth, to accept and exploit the inevitable enemy incursion, and to make sure that the dominant hill in their terrain was the one on which they concentrated most of their defensive resources. The digital world, not overly stuffed with historians, has singularly failed to learn this lesson. I give you the Network, a collection of connected computers: a digital crust.
Interestingly, even the soldiers I talk to do not question this digital orthodoxy, equipped as they are with centuries of relevant (and clashing) experience. Perhaps their cultural conservatism leads them to favour something where there is a "them" and an "us". The Network provides such a topography, but it is an illusion. In technology (as in financial markets and the environment), in the words of one cultured West Coast executive, "we all use the same shit". Thus the challenge is more akin to managing a global commons than manning the trenches.
It is good to go back to first principles. What is technology for? Essentially, it is to ensure that trusted people can find stuff out to do their jobs. They don't require stuff that they don't need for their job, and if they don't have a job to do, then they should have no access to anything. Simples. Once you bring it back to those two things - people and stuff - you realise that computers are just the support act. Except the Network is predicated the opposite way around: it is a design that places computers at the centre, pushing people and stuff into an afterthought. With computers at the centre, you need other computers to manage them, using ever more sophisticated (and impenetrable) means to do so. You only need to corrupt one computer to allow it to potter about among all the other computers, asking questions that an unaccredited person could never get away with.
So, to the stuff. Too much stuff is parcelled into documents, managed by little programmatic actors that may or may not be corrupted (Word, Excel, etc.). This is because most companies pay little strategic heed to how their stuff is organised and described, leaving it to each generation of middle management to reinvent the wheel. Converting stuff to a long-term home in a secure data store will not only improve confidentiality, it will ensure that the business learns as it goes, becoming wiser.
Then, on to the people. Once the stuff is safely inside a datastore (somewhere that allows for the storing of data and the recording of interactions with those data in context), it becomes possible to organise it such that people have access only to that part of the datastore that they require to do their jobs - let's call it need-to-know.
What of the computers? Given that the stuff is in one place, and the groups of people are connected through their access to the stuff, computers can be relegated to acting as binoculars, and so do not need to be connected to other computers.
This begs so many questions, of course. It cuts across so many cultural mores - surely the Network is an Asset that is in physical form, "here" as opposed to "there"? It also shows up a glaring skills gap in most large enterprises: add up the Network engineers and the IT security people, divide them by the number of specialists in the specific information itself, and you probably have a number in excess of 100. Too difficult? SolarWinds tells us we have no alternative.