Perspectives on the SolarWinds Incident
Sean Peisert | Lawrence Berkeley National Laboratory and University of California, Davis
Bruce Schneier | Harvard University
Hamed Okhravi | MIT Lincoln Laboratory
Fabio Massacci | University of Trento and Vrije Universiteit Amsterdam
Terry Benzel | USC Information Sciences Institute
Carl Landwehr | University of Michigan
Mohammad Mannan | Concordia University
Jelena Mirkovic | University of Southern California Information Sciences Institute
Atul Prakash | University of Michigan
James Bret Michael | Naval Postgraduate School
Editor’s Note

A significant cybersecurity event has recently been discovered in which malicious actors gained access to the source code for the Orion monitoring and management software made by the company SolarWinds and inserted malware into that source code. This article contains brief perspectives from a few members of the IEEE Security & Privacy editorial board regarding that incident.
1540-7993/21©2021IEEE Copublished by the IEEE Computer and Reliability Societies March/April 2021 7
PERSPECTIVES
incident, the Editorial Board still wanted to address it in some way without waiting two months for the next issue. Therefore, this issue contains two pieces related to the SolarWinds incident: The first article contains brief perspectives from some members of the IEEE Security & Privacy Editorial Board, including numerous questions asked by Editorial Board members and also some suggested solutions. The second is a companion “Point–Counterpoint” column article by Fabio Massacci and Trent Jaeger that digs specifically into the quandaries and questions of software patching that relate to the SolarWinds incident. Additional details will undoubtedly continue to surface, and IEEE Security & Privacy expects to cover this occurrence further and in greater detail in future issues as we continue to learn about this compromise and its effects.

— Sean Peisert

Editorial Board Members’ Perspectives

SolarWinds and Market Incentives

Bruce Schneier

The penetration of government and corporate networks worldwide is the result of inadequate cyberdefenses across the board. The lessons are many, but I want to focus on one important one we’ve learned: the software that’s managing our critical networks isn’t secure, and that’s because the market doesn’t reward that security.

SolarWinds is a perfect example. The company was the initial infection vector for much of the operation. Its trusted position inside so many critical networks made it a perfect target for a supply-chain attack, and its shoddy security practices made it an easy target.

Why did SolarWinds have such bad security? The answer is because it was more profitable. The company is owned by Thoma Bravo partners, a private-equity firm known for radical cost-cutting in the name of short-term profit. Under CEO Kevin Thompson, the company underspent on security even as it outsourced software development. The New York Times reports that the company’s cybersecurity advisor quit after his “basic recommendations were ignored.” In a very real sense, SolarWinds profited because it secretly shifted a whole bunch of risk to its customers: the U.S. government, IT companies, and others.

This problem isn’t new, and, while it’s exacerbated by the private-equity funding model, it’s not unique to it. In general, the market doesn’t reward safety and security—especially when the effects of ignoring those things are long term and diffuse. The market rewards short-term profits at the expense of safety and security. (Watch and see whether SolarWinds suffers any long-term effects from this hack, or whether Thoma Bravo’s bet that it could profit by selling an insecure product was a good one.)

The solution here is twofold. The first is to improve government software procurement. Software is now critical to national security. Any system of procuring that software needs to evaluate the security of the software and the security practices of the company, in detail, to ensure that they are sufficient to meet the security needs of the network they’re being installed in. If these evaluations are made public, along with the list of companies that meet them, all network buyers can benefit from them. It’s a win for everybody.

But that isn’t enough; we need a second part. The only way to force companies to provide safety and security features for customers is through regulation. This is true whether we want seatbelts in our cars, basic food safety at our restaurants, pajamas that don’t catch on fire, or home routers that aren’t vulnerable to cyberattack. The government needs to set minimum security standards for software that’s used in critical network applications, just as it sets software standards for avionics.

Without these two measures, it’s just too easy for companies to act like SolarWinds: save money by skimping on safety and security and hope for the best in the long term. That’s the rational thing for companies to do in an unregulated market, and the only way to change that is to change the economic incentives.

Hamed Okhravi

The SolarWinds hacks are not novel or unique. Software Trojans and supply-chain attacks have been understood in the community for many decades; as a case in point, even the logo of the IEEE Symposium on Security and Privacy, one of the top-tier venues in computer security, is a Trojan horse! However, the SolarWinds hack highlights some of the troubling trends and important lessons that we, as a community, should pay attention to and work on resolving with better technologies as well as policies.

First, for decades, one of the main paradigms in security has been “additive” security. We “add” tools, antiviruses, intrusion detection/prevention systems, monitoring and management tools, and so on to make a system more secure. Every new tool, while it might reduce parts of the attack surface, also adds a new attack surface: vulnerabilities in the tool itself become a new possible vector of compromise for the system. Numerous recent vulnerabilities discovered in security software further highlight this tradeoff [2].

This is not an easy problem to resolve. While some security software programs close many more holes than they open, others, by the virtue of their sheer size and complexity, can make the system
Terry Benzel

the signing key has been compro-

attacks every now and then. As of Jan-
types of reconnaissance, command and control, and other aspects of penetration that were employed by SolarWinds. However, the first step should be to use a bit of common sense to think through the problem before trying to apply AI.

SolarWinds takes advantage of vulnerabilities in widely used platforms (.NET) and protocols (e.g., Domain Name System). Can they be fixed? What does it take to get them fixed or replaced?

Initial findings indicate that advanced tactics, techniques, and procedures (TTPs) were employed by SolarWinds. The cyberdefense teams are always trying to catch up with the latest TTPs and new implementations of well-known TTPs used by the attackers. Addressing TTPs requires better communications between the offensive and defensive sides of the house.

Overreaction by governments to SolarWinds could have a profoundly negative effect on global innovation. Then again, governments are not in the driver’s seat here. The private sector will continue to innovate.

The way forward may be to take a fundamentally new approach to security in the near- (e.g., cloud hypervisors pushing security rather than individual customers patching—or not), mid- (e.g., zero-trust, or something like it), and long-term (e.g., quantum-based approaches). The other part of the equation that needs to be addressed is motivation—getting the market to include security as a requirement.

Disclaimer

The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the authors’ employers.

References

1. “SolarWinds Security Advisory.” SolarWinds. https://www.solarwinds.com/securityadvisory (accessed Dec. 24, 2020).
2. “How to compromise the enterprise endpoint.” Google Project Zero. June 28, 2016. https://googleprojectzero.blogspot.com/2016/06/how-to-compromise-enterprise-endpoint.html (accessed Jan. 8, 2021).
3. A. Nappa, R. Johnson, L. Bilge, J. Caballero, and T. Dumitras, “The attack of the clones: A study of the impact of shared code on vulnerability patching,” in Proc. 2015 IEEE Symp. Security Privacy, pp. 692–708. doi: 10.1109/SP.2015.48.
4. “Emergency directive 21-01.” Cybersecurity and Infrastructure Security Agency, U.S. Department of Homeland Security. Dec. 13, 2020. https://cyber.dhs.gov/ed/21-01 (accessed Dec. 13, 2020).
5. T. Pericin. “SunBurst: The next level of stealth.” Dec. 16, 2020. https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth (accessed Jan. 8, 2021).

Sean Peisert leads computer security R&D at Lawrence Berkeley National Laboratory, Berkeley, California, 94720, USA, and is an adjunct associate professor at the University of California, Davis (UC), Davis, California, 95616, USA. He is the editor in chief of IEEE Security & Privacy. Peisert received a Ph.D. in computer science from UC San Diego. He is a Senior Member of IEEE and the Association for Computing Machinery. Contact him at sppeisert@lbl.gov.

Bruce Schneier is a security technologist, fellow, and lecturer at the Harvard Kennedy School, Cambridge, Massachusetts, 02138, USA, and the chief of security architecture of Inrupt, Inc., Boston, Massachusetts, 02210, USA. He blogs at www.schneier.com. Contact him at schneier@schneier.com.

Hamed Okhravi is a senior staff member at the Massachusetts Institute of Technology (MIT) Lincoln Laboratory, Lexington, Massachusetts, 02421, USA. Okhravi received a Ph.D. in electrical and computer engineering from the University of Illinois at Urbana-Champaign. He is also the recipient of two R&D 100 Awards, MIT Lincoln Laboratory’s Best Invention and Early Career Technical Achievement Awards, and NSA’s Best Scientific Cybersecurity Paper Award. He is a Member of IEEE. Contact him at hamed.okhravi@ll.mit.edu.

Fabio Massacci is a professor at the University of Trento, Trento, 38123, Italy, and Vrije Universiteit, Amsterdam, 1081 HV, The Netherlands. Massacci received a Ph.D. in computing from the University of Rome “La Sapienza.” He received the IEEE Requirements Engineering Conference Ten Year Most Influential Paper Award on security in sociotechnical systems. He participates in the FIRST special interest group on the Common Vulnerability Scoring System and the European pilot CyberSec4Europe on the governance of cybersecurity. He coordinates the European AssureMOSS project. Contact him at fabio.massacci@ieee.org.

Terry Benzel is the director of networking and cybersecurity research at the Information Sciences Institute of the University of Southern California, Los Angeles, California, 90292, USA. Benzel received an M.A. from Boston University and an executive M.B.A. from the University of California, Los Angeles. She is a senior member of the IEEE Computer Society, an associate editor in chief of IEEE Security & Privacy, and a member of the Board of Governors of the IEEE Computer Society. Contact her at tbenzel@isi.edu.