What SolarWinds should mean in Singapore – and how businesses should proceed

Singaporean companies may be tempted to ignore the SolarWinds hack; by its own account, the Cyber Security Agency believes that Singapore’s critical sectors escaped any adverse effects. While this is great news for Singapore’s critical sectors, more than 18,000 users of SolarWinds’ IT management software were affected globally, including some of the world’s biggest companies. Even if a company itself was not a SolarWinds customer, the complicated supply chains woven by every company mean that it may still be exposed to the adverse effects of this hack, even if months or years in the future.

Even if Singaporean companies have truly evaded the fallout from the specific SolarWinds incident, given the increasing frequency of these attacks—including some that have happened in waters much closer to Singaporean shores—it will become increasingly hard to ensure that the supply chains that every company is a part of are risk-free from start to finish. Although Singapore says that its Cyber Security Agency’s Critical Information Infrastructure Supply Chain Programme was not in response to any incident, whether SolarWinds or other, more recent attacks, it is clear that there is an imminent threat that organisations need to address.

As the gravity of the SolarWinds attack shows, companies should begin prioritising changes now, as these types of attacks grow in frequency and sophistication.

Why the SolarWinds hack mattered

SolarWinds will hold a particular notoriety for a long while, as the first major supply chain attack of its kind at scale. The hack represents a shift in tactics where a nation-state employed a new weapon for cyber-espionage.

As a supply chain attack, the SolarWinds incident exposed a number of parties across the government and private sectors alike. However, unlike government networks, which isolate classified information from internet-facing non-classified environments, private organisations often keep critical intellectual property on the same internet-facing network on which they store non-sensitive information. Because of the nature of the SolarWinds hack, and the surreptitious way in which attackers leveraged the breach to move within and between networks, attackers may have stolen an incalculable amount of critical IP. The full extent of this theft may never be known.

Beyond the private sector effects, this attack, and the ones that follow in its footsteps, should concern consumers too. In today’s highly interconnected homes, a breach of a consumer electronics company can result in attackers using their access to leverage smart appliances like TVs, virtual assistants, and smartphones to steal consumers’ information or to act as a gateway to attack their employers.

The secondary steps that hackers may have taken after gaining access to the victim organisations are endless. They could involve stealing data; destroying data; holding critical systems for ransom; orchestrating system malfunctions that result in kinetic damage; or, simply implanting additional malicious content throughout organisations to stay in control, even as organisations begin to try to rebuild and move on. Being subject to just one of these could be paralysing for an organisation; being subject to many of them, at bad actors’ leisure, could destroy it altogether.

Where Singapore’s Critical Information Infrastructure plan will add benefit for businesses

As part of the changes discussed with Budget 2021, CSA’s Critical Information Infrastructure (CII) Supply Chain Programme will recommend processes and sound practices for all stakeholders to manage cybersecurity risks in the supply chain, and will include several key aspects.

First, it will include cybersecurity requirements for vendors to follow, such as having plans to respond to incidents. Second, it will aim to ensure systems are resilient and can recover quickly from cyber attacks. Third, it will call for regular audits by independent third parties on whether organisations meet the requirements. These requirements add degrees of protection and resilience for businesses that are considered CII in the 11 named critical sectors, and their vendors.

Businesses should also take away two key things from the CII programme. First, while Singapore is prioritising organisations in critical areas, the CII framework could theoretically be applied to businesses in any field—and businesses can begin by taking the steps that the CSA outlines today, even if they themselves are not CII. Second, even if supply chain vendors were to follow the rules established by CSA to the letter, this would not completely eliminate the risk of attack. Looking back at SolarWinds, for example, it was best practices—patching and software updates of the SolarWinds Orion platform—that inadvertently introduced the SUNBURST malware into SolarWinds customers’ environments.

Businesses should start planning to protect themselves today

McAfee believes the discovery of the SolarWinds-SUNBURST campaign will expose attack techniques that other malicious actors around the world will seek to duplicate in 2021 and beyond. As such, organisations should prepare themselves for similar hacks to follow, and take on board the following lessons, which SolarWinds brings into sharper relief.

Most importantly, organisations must not draw the wrong conclusions from the SolarWinds events. The incident has wrongly raised concerns about patching and keeping software updated because, in this case, it was patching and bringing new software into an environment that opened organisations up to attack. It is absolutely critical for organisations to keep their environments up to date. In its precision and lethality, the SolarWinds attack can be considered similar to the 2014 Sony Pictures hack or the 2015 U.S. Office of Personnel Management attack, attacks that are considered rarefied among cybersecurity professionals. Not updating to the latest software will open your organisation up to the countless attacks that lack this precision and lethality.

Next, all supply chain vendors must maintain strong cybersecurity postures, but software vendors must be especially vigilant. As SolarWinds has shown, every such organisation must protect its own environments to ensure not only the integrity of the software it provides, but also the integrity of the operational process by which it delivers that code to its customers. The compromise of a high-volume commercial software product like the SolarWinds Orion solution in question impacted thousands of organisations simultaneously, from some of the largest U.S. government agencies to dozens of the world’s largest corporations.

Additionally, attacks of this technical sophistication and reach can create a daisy chain effect, in which adversaries modify either source code or a development toolchain within their victims’ environments and plant additional backdoors that are then distributed to yet another community of customers, to be activated at unknown points in the future.

Finally, as we have said at length before, organisations must identify their most critical information and data and apply the principle of least privilege to these items. This will ensure that sensitive information, such as national secrets and intellectual property, is the most protected asset in each organisation.

In Singapore, discussions are focusing anew on Zero Trust, which is as good a place as any for newcomers to this philosophy shift to start—but there is much more that follows once they are on this pathway.

To stay secure, companies must change now, and continue to change moving forward

While Singapore’s progressive cybersecurity measures are preparing the country to successfully navigate the evolving cyber threat landscape, companies can begin with the aforementioned steps to do more to protect themselves. As SolarWinds shows, bad actors are constantly innovating and refining their means of attack—and if your cybersecurity posture is dulled by complacency, it will be even more susceptible to the latest nefarious supply chain attack scenarios.

When the cybersecurity landscape shifts, as it did with SolarWinds, companies must quickly adapt and react accordingly to stay ahead of bad actors.