How Dare They—How Could They Hack US?
If you are concerned about the recently discovered, highly successful cyberattack reported by the Cybersecurity and Infrastructure Security Agency (CISA), you are not alone. If you are confused by the reporting of the event, by the terms and phrases used in the varied explanations provided, you aren’t alone in that, either. Are you gobsmacked that our President, Cabinet Secretaries, and pundits disagree over the identity of the “malicious actor” responsible for this?
After all, the “They” (who conducted the cyberattack) matters little outside of politics and international relations. The critically important thing is the “How”: how the attack succeeded, so that we can restore, rebuild, and defend against the next one. The answer lies in our systems and approaches to software development, distribution, and integration.
A recent article published by Politico asserts that:
“The federal government conducts only cursory security inspections of the software it buys from private companies for a wide range of activities…”
How could our federal agencies allow commercial software providers to undergo only “cursory” security inspections of products that are critical to the successful and secure accomplishment of government missions?
“Security Is Not A Requirement”
I heard a federal Contracting Officer’s Technical Representative (COTR) make that assertion back in the 1990s during a Project Management Review conducted by a major U.S. software provider regarding a major communications upgrade project for a secure federal system. His answer to my, uh, “innocent” question provoked a rather spirited discussion.
| Term | Definition |
| --- | --- |
| Cryptography | Designing, testing, and implementing systems to protect information or data assets from unauthorized exploitation and access. |
| Cryptology | Strictly, the combined study of cryptography and cryptanalysis; used here in the narrower sense of cryptanalysis: researching, analyzing, and breaking cryptographic systems to access and exploit protected content. |
| Enterprise Software | Software applications and technologies used to support operational and strategic initiatives across or throughout an organization rather than a single user or group of users. |
| Malware Attack | Malicious software (malware) designed and issued by an unauthorized entity to invade (infect) target computing systems, networks, or both, and execute unauthorized actions on the target. Malware attacks encompass many specific types of attack, such as ransomware, spyware, and command and control. |
| Supply-Chain Compromise | See: Supply Chain Compromise: Compromise Software Supply Chain (MITRE ATT&CK® technique T1195.002): the adversary alters software before it reaches the customer, so that the vendor’s own distribution channel delivers the malicious code. |
What Software Standards Apply Today?
More importantly, are the standards applied as requirements?
Federal Information Processing Standards
The National Institute of Standards and Technology (NIST) issues the Federal Information Processing Standards (FIPS) that departments and agencies of the federal government are required to follow. Those listed below set security requirements for cryptographic modules (both hardware and software components), specify the approved algorithms such modules implement, and define how federal information systems are categorized, minimally secured, and how their users are identified.
Note: FIPS 140 validation certifies that a cryptographic module meets the standard’s requirements as tested. It does not guarantee that the module is secure in every respect, or that a system built using validated modules is secure: approved algorithms can be combined into insecure protocols, keys can be mishandled, and the application code around the module is not evaluated at all.
FIPS System Security Publications
| FIPS | Title |
| --- | --- |
| 140-2 | Security Requirements for Cryptographic Modules (FIPS 140-3 became effective in September 2019; existing 140-2 validations remained valid during the transition) |
| 180-4 | Secure Hash Standard (SHS) |
| 186-4 | Digital Signature Standard (DSS) |
| 197 | Advanced Encryption Standard (AES) |
| 198-1 | The Keyed-Hash Message Authentication Code (HMAC) |
| 199 | Standards for Security Categorization of Federal Information and Information Systems |
| 200 | Minimum Security Requirements for Federal Information and Information Systems |
| 201-2 | Personal Identity Verification (PIV) of Federal Employees and Contractors |
| 202 | SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions |
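The note above says that a validated module does not make a system secure. The following example, added here and not taken from the page, from NIST, or from any vendor, shows why using Go’s standard library: AES (FIPS 197) applied block by block in ECB mode leaks which records are identical, while the same block cipher wrapped in AES-GCM (NIST SP 800-38D, an approved authenticated mode) hides repetition and rejects tampering. The key, the patient-ID records, and the function names are constructed for the demonstration, and Go’s default `crypto/aes` package is used only for illustration, not presented as a validated module.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample input: four identical 16-byte records, the kind of
// fixed-width structure (database rows, image scanlines) that ECB leaks.
var samplePlaintext = bytes.Repeat([]byte("PATIENT-ID-00042"), 4)

// sampleKey is a hypothetical fixed test key; real keys come from a CSPRNG or KDF.
var sampleKey = bytes.Repeat([]byte{0x11}, 16)

// encryptECB runs the FIPS 197 block cipher on each block independently.
// AES is an approved algorithm, but ECB is not an approved confidentiality
// mode: equal plaintext blocks always produce equal ciphertext blocks.
func encryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), bs)
	}
	ciphertext := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(ciphertext[i:i+bs], plaintext[i:i+bs])
	}
	return ciphertext, nil
}

// repeatedBlocks counts the 16-byte ciphertext blocks that occur more than once:
// the structure an observer recovers without knowing the key.
func repeatedBlocks(ciphertext []byte) int {
	counts := map[[aes.BlockSize]byte]int{}
	for i := 0; i+aes.BlockSize <= len(ciphertext); i += aes.BlockSize {
		var b [aes.BlockSize]byte
		copy(b[:], ciphertext[i:i+aes.BlockSize])
		counts[b]++
	}
	repeated := 0
	for _, c := range counts {
		if c > 1 {
			repeated += c
		}
	}
	return repeated
}

// encryptGCM wraps the same block cipher in AES-GCM (NIST SP 800-38D): a fresh
// random nonce hides repetition and the appended tag detects modification.
func encryptGCM(key, plaintext []byte) (nonce, ciphertext []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, nil), nil
}

// decryptGCM returns an error rather than plaintext if ciphertext or tag was altered.
func decryptGCM(key, nonce, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, nonce, ciphertext, nil)
	if err != nil {
		return nil, errors.New("authentication failed: ciphertext or tag modified")
	}
	return pt, nil
}

func main() {
	ecb, _ := encryptECB(sampleKey, samplePlaintext)
	fmt.Printf("ECB: %d of %d blocks repeat\n", repeatedBlocks(ecb), len(ecb)/aes.BlockSize)
	nonce, gcm, _ := encryptGCM(sampleKey, samplePlaintext)
	fmt.Printf("GCM: %d of %d blocks repeat\n", repeatedBlocks(gcm), len(gcm)/aes.BlockSize)
	gcm[0] ^= 0x01 // simulate an in-transit modification
	_, err := decryptGCM(sampleKey, nonce, gcm)
	fmt.Println("GCM after tampering:", err)
}
```

Both paths use the same approved primitive with the same key; only the composition differs. A FIPS 140 validation of the AES implementation says nothing about which of these two an application chose, which is exactly the gap the note describes.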
Common Criteria for Information Technology Security Evaluation
The Common Criteria were developed jointly by Canada, France, Germany, the Netherlands, the United Kingdom, and the United States; work began in 1993 and version 1.0 was published in 1996. The International Organization for Standardization adopted them as ISO/IEC 15408 in 1999, corresponding to version 2.1 of the Common Criteria document issued by the Common Criteria Management Board.
Note: The compliance of SolarWinds® Orion Suite for Federal Government 3.0 with the Common Criteria was certified in 2019. Version 4.0 of the software is under evaluation. SolarWinds Federal Product Certifications. A Common Criteria certificate evaluates a specific product version against a Protection Profile; it says nothing about the integrity of the vendor’s build and distribution pipeline. As FireEye reported, the trojanized Orion updates were produced by SolarWinds’ own build process and signed with SolarWinds’ legitimate code-signing certificate, so neither a product certification nor a valid signature check would have flagged them.
Back In The Dark Age
…Before FIPS 140 and the Common Criteria, that is. The Trusted Computer System Evaluation Criteria (TCSEC), the “Orange Book”, was issued by the DoD Computer Security Center (later the National Computer Security Center, a National Security Agency activity) in August 1983 and reissued as DoD 5200.28-STD in December 1985. It anchors the Rainbow Series, more than thirty books, collectively so named because the cover of each was a different color, that established requirements and guidance for:
- Computer system evaluation criteria
- Password management
- Audit in trusted systems
- Product security evaluation
- Database design
- Discretionary access control
- Trusted network interpretation
- Configuration management
- Trusted system design documentation
- Computer security subsystem interpretation
- Security modeling
- Verification systems
- Facility management
- Identification and authentication
- Object reuse
How Do We Close the Barn Door?
Some point out that no regulation or standard can be applied because not all systems share the same or similar operational or physical environment.
Hogwash. Is each installation of SolarWinds® Orion distinct, unique? Configurations certainly differ, but every customer runs the same vendor-built software, and it is that software a standard can examine.
The author of the Politico article states that:
“Private companies regularly deploy software with undiscovered bugs because developers lack the time, skill or incentive to fully inspect them.”
I wonder how Mozilla avoids this trap.
Private-company software developers have the skill to inspect for, discover, and correct inadvertent security defects; what they lack is the time, because marketing’s schedule takes priority, always. From the developers’ side, a release date should depend on the software passing security and quality-control testing.
From the marketing side, the primary mission of a corporate marketing manager is to sell the next version or upgrade as soon as possible, so development must fit the market release schedule. That is the conundrum, played out in real time on every release.
That’s just my guess, however.
- MITRE ATT&CK®—a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
- Guidance on the Essential Critical Infrastructure Workforce
Note: These articles may disappear, based on the publishing and archiving policies of their media source.
- SolarWinds hack continues to spread: What you need to know
- Global Intrusion Campaign Leverages Software Supply Chain Compromise
- 9 types of malware and how to recognize them
- Joint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI)
- Reflections on the SolarWinds Breach