Learnings from SolarWinds cyber-attack

January 20, 2021

In December 2020, SolarWinds reported a massive cyberattack that affected customers such as Microsoft. Cybercrime will continue to grow as long as the digital environment grows. This case serves as a warning to discuss the National Cybersecurity Policy.

Jaime Urzúa

Associate Attorney

In December 2020, the cybersecurity industry made headlines around the world because of one of the most serious incidents of recent times. The US company SolarWinds, a publicly traded provider of network, systems and IT infrastructure management software, was the victim of a cyber-attack of enormous proportions. The company has close to 300,000 clients in both the public and private sectors (including more than 425 Fortune 500 companies). The attack was carried out by inserting malicious code into updates of its Orion software, which customers then installed as legitimate, vendor-signed updates.

With the crime reported to the authorities and other measures taken, such as the release of patches and a new Orion update, it is worth approaching this incident from the perspective of compliance standards. It is essential to have a multidisciplinary crisis team that defines the mitigation and service-continuity actions and the scope of the investigation, coordinates the work of outside experts, issues instructions, coordinates notifications to the authorities, the general public and employees, and takes legal action, among other tasks.

What is really striking about this case is (i) the use of never-before-seen tools, with the attackers’ strategy focused on a weak link in the software supply chain on which these companies and government institutions rely, namely the vendor’s own update mechanism, and (ii) the pronounced dependence of a considerable number of large and important companies on SolarWinds as a provider of these types of services.

Experts have already stated that this attack, which has acquired political dimensions and which many suspect to be Russian espionage, could go back as far as four years, precisely because of the stealth and caution employed by the attackers. Unconventional methods have been detected: rather than encrypting or stealing content and demanding a ransom, the attackers remained inside the systems and quietly monitored them, including the source code of affected organizations.

In these preventive tasks, it will be extremely useful to have compliance models, certifications and other documents that demonstrate the company’s due diligence in preventing unauthorized access to its systems; these must be put in place before any incident occurs. Their value will show in better coordination among the teams involved in investigating the attack, responding to it and recovering from it. They provide a route to follow, in line with contingency plans (such as disaster recovery) in the medium and long term, together with promoting an organizational culture oriented toward prevention and training for this type of situation.

The SolarWinds case should serve as a warning for the legislative debate in Chile, especially regarding the National Cybersecurity Policy and the discussion of the cybercrime bill in the Chamber of Deputies, on which there is still no consensus on issues such as the treatment of the “ethical hacker”, the scope of concepts such as “deliberate action”, or certain procedural rules for investigating these crimes.

Cyber-attacks and security incidents will continue to grow as long as the digital environment does: they have already increased by 40% since the onset of the pandemic. It is urgent to move forward with modernizing the regulations governing these crimes, in line with the commitments Chile assumed when it joined the OECD and with international best practices.