Last month, it was discovered that a breach at SolarWinds, a Texas-based company that provides IT monitoring and management tools to numerous organizations in both the private and public sectors, had given hackers the ability to insert malicious code into a software update of the firm’s Orion product that was later installed by approximately 18,000 of its customers. The attack, which is believed to have been carried out by hackers working on behalf of the Russian government, subsequently exposed the networks of a range of U.S. government agencies and private corporations.
In a keynote address delivered at CES 2021 on Wednesday, Microsoft President Brad Smith said the attack really speaks to everyone in two critical ways: first, what are the rules of the road that are going to guide everyone moving forward and second, what does it mean for the tech industry in terms of what it needs to do.
Regarding the rules of the road, Smith said that governments have spied on each other for centuries and that it would be naïve to ask them to stop, however; there have long been rules that governed what was acceptable within these games of subterfuge and what was off limits, which clearly were not followed in the SolarWinds incident.
“This wasn’t a case of one nation simply trying to spy on or hack its way into the computer network of another. It was a mass, indiscriminate global assault on the technology supply chain that all of us are responsible for protecting,” he explained. “It represented a vector of attack that first distributed roughly 18,000 packages of malware on organizational networks literally around the world. It is a danger the world cannot afford. We saw this in Ukraine over the last four years, we saw how it was exploited in the NotPetya attack, we witnessed how it disabled more than 10% of a nation’s computers in a single day and when that happened the world came together and rightly said this is not something that is acceptable.”
Similarly, Smith said the tech industry needs to come together and use its “collective voice” to say to all governments globally that this sort of supply chain disruption is not something that any nation-state or organization should be able to pursue. Aside from SolarWinds, Smith said the cyberattacks carried out recently against healthcare institutions to take advantage of pandemic are another reason why the industry and nations need to take a stand.
“This is a set of the issues that we will need to work with governments to address, to work with non-governmental organizations to address, but I think it starts with us because if we don’t use our voice to call on the governments of the world to hold to a higher standard then I ask you this: who will? I hope we will come out of this CES and move forward with this as one of our clarion calls for the future,” he said.
Smith said that the tech industry could look back to recent history as an example of how it could start to address cybersecurity vulnerabilities like those brought to light in SolarWinds hack more forcefully. In the early 80s, for example, Smith said that President Ronald Reagan watched a screening of the film “War Games” at Camp David and was instantly concerned about the potential for a private citizen, or even foreign actors, to hack into the nation’s nuclear weapons defense systems and wreak havoc with devastating consequences. As a result, the Reagan administration created what would become that country’s first directive on computer security.
“We live in a time when, in so many ways, science has caught up with science fiction,” Smith said. “In so many ways, ‘War Games’ was not just important because it showed engineers what computers could do, but it showed all of us and people in government the problems we would need to work together to solve. It literally changed the arc of work needed to protect a country and the world. It’s a powerful reminder that we constantly need to keep learning, we constantly need to keep imagining what comes next. And in this instance, in the year 2021, it’s not a movie that we’re learning from, it’s real life.”
Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com and a veteran security journalist. You can reach him at [email protected].
