In March of 2020, Americans began to realize that the coronavirus was deadly and going to be a real problem. What no Americans knew then was that at about the same time, the Russian government’s hack of SolarWinds’s proprietary software Orion network monitoring program was destroying the security of top American government agencies and tech companies. There were no explosions, no deaths, but it was the Pearl Harbor of American IT.
The Russians may even have the crown-jewels of Microsoft software stack: Windows and Office. In a twist, which would be hilarious if it weren’t so serious, Microsoft claims it’s no big deal.
That’s because Microsoft has “an inner-source approach – the use of open-source software development best practices and an open-source-like culture – to make source code viewable within Microsoft.” It’s nice that Microsoft is admitting that the open-source approach is the right one for security — something I and other open-source advocates have been saying for decades. But, inner source isn’t the same thing as open source.
When hackers, not Microsoft developers, have access to proprietary code, the door’s open for attacks. True, Microsoft’s “threat models assume that attackers have knowledge of source code. So viewing source code isn’t tied to elevation of risk.” But, making that assumption is one thing. Dealing with reality is something else.
For decades, one of proprietary software’s stupid assumptions is that “security by obscurity” works. While it can help — no, really it can if used intelligently — that’s not the case with proprietary code. Even with the best will in the world, I doubt that Microsoft has really undertaken the hard security code review needed to lock down its proprietary code. The almost weekly revelations of new Microsoft security holes and mishaps doesn’t make me feel warm and fuzzy about the security of its software.
While President Donald Trump has completely ignored the actions of Russian President Vladimir Putin’s government, America’s Cybersecurity Infrastructure and Security Agency (CISA) said the hacks posed a “grave risk” to US governments at all levels.
Worse was revealed. Over the Christmas season holidays, the CISA said that all US government agencies must update to Orion’s 2020.2.1HF2 version by the end of the year. If they can’t, they must take these systems offline.
Why? Because yet another SolarWinds’ Orion vulnerability was being used to install the Supernova and CosmicGale malware. This security hole, CVE-2020-10148, is an authentication bypass in the Orion API that allows attackers to execute remote code on Orion installations.
I have an even better idea than updating Orion. Dump Orion. Dump it now. And start an investigation of SolarWinds’ mediocre security record.
As time goes by more and more government agencies and companies have been shown to have been hacked. This includes the Department of State; Department of Homeland Security; National Institutes of Health; the Pentagon; Department of the Treasury; Department of Commerce; and the Department of Energy, including the National Nuclear Security Administration.
Everyone claims that nothing too important has been revealed, but then, they would say that, wouldn’t they?
Sen. Mark Warner (D-Virginia), ranking member on the Senate Intelligence Committee, told the New York Times the hack looked “much, much worse” than first feared. “The size of it keeps expanding.”
How much bigger will it get? We don’t know. Personally, I’d assume that if my company had been using SolarWinds Orion software during 2020, I’ve been hacked
It didn’t come with bombs like the attack on Pearl Harbor, but this attack on our national agencies and American Fortune 500 companies may prove to be even more damaging to our national security and our business prosperity. Now, we’ll see if American developers, system administrators, and managers can rise to the occasion to rebuild their systems the way their grandparents did in the 1940s.