Do you think the SolarWinds breach will have a significant or lasting impact on how IT approaches supply chain risk management?

Anonymous Author
I was pulled into a wide variety of peer dialogues from the day that the SolarWinds breach discovery occurred, because of my time at Intel and stuff that I had done there in supply-chain risk. My concern, when I was Chief Security and Privacy Officer at Intel, was always a nation-state actor looking to weaponize the technology that Intel created, to do harm. I always saw information security as inextricably linked to the product security and the technology. I think the SolarWinds issue is a clear example of that linkage. I've been at odds with a number of my peers in the industry who still see them as quite separate; now it's probably a little bit different, but many of them had InfoSec completely separated from product security, and they very rarely intertwined themselves. And Intel, as I said, had this in their environment. When you think about that in firmware, BIOS, validation engineers doing that type of stuff, it brings into question some aspects of the foundation of computing. Because if they were in Intel's infrastructure, if that report was accurate, and they did have a foothold, if it was that type of nation-state actor, they would be trying to do things more surreptitiously, well below the operating system, to keep stronger footholds in other organizations. I think it's a Richter 10 type item, but I've always seen this as a Richter 10 type item. I'm just, frankly, surprised that it took this long for this type of thing, at that level of infrastructure, to be found. And I'm sure it's not the first one. I'm sure there are other ones that are there that are yet to be found.
2 upvotes
Anonymous Author
I think the biggest concern that's coming out of this is where do we go from here? If JetBrains is compromised, SolarWinds is compromised, who do we trust? And if you're also going to assume breach, that's fine, but assuming breach also means you are still dependent on technology, and how do you cross-check each other? There are a number of questions that come to my mind. I believe the supply chain is definitely going to get scrutinized more. It started with the whole Home Depot and Target event; that's where the whole genesis of the TPRM efforts at firms started off. It spun off a whole big industry over there. It's just going to change the dynamics a little bit for the practitioners who are trying to get a little ahead of it. It's going to result in a few more barriers being put up, a little bit more due diligence will be needed, which in turn is going to impact the cost of the products that come in, either from the vendor side or from the implementation side.
1 upvotes
Anonymous Author
In healthcare, it's a pretty complex ecosystem we're working with. We have to deal with network partners, channel partners, pretty much everybody who's trying to integrate into the platform that we currently operate in. And the whole digital transformation itself is a foreign concept for a lot of vendors we work with. So I think the concept of what level of access they have into our existing systems and also how we track them, that's still a risk at this point, and that's something that we're tracking. But also, when we're talking about how much control we have, like for example if there's a third-party risk in this case, so somebody from our vendor ecosystem is compromised, it really depends on how much control they have and what access they have into our environment. As an industry, we rely heavily on the vendors, on a lot of things. I think that's the economies of scale, and I think that's organically the structure that's been built into the fabric of the whole vendor ecosystem. But I think the one thing we were thinking about is, "How do we maybe draw the demarcation a little further out so we have better control?" Like some kind of an abstraction where we have better control in terms of what's being managed and what's being accessed. And also, the secret management is a big piece. Especially having access into the healthcare system and the PHI is a big deal, and very heavily regulated too. Our control can only go so far today, and I think that one thing we're thinking about is how to extend that. You get access to some kind of a proxy network or an abstraction framework, and then you would get access into something which is more trustworthy, into the systems. But again, this is all not yet built out. This is just a concept at this point. But just extending that trust into something we can control is certainly going to be a big thing, not just for healthcare. I think across the industry we just need to take more control over how these assets are being managed.
1 upvotes
Anonymous Author
The levers that drive behavior in cyber and in tech, are compliance and regulators or revenue components related to share price or market access. And if it's not one of those levers, I don't think it actually will be impactful and drive a first principles change for how security leaders will function. Because what they're going to say is… The board asks them, "Hey, what are we doing? Are we good?" And they'll be like, "Yeah, SolarWinds was crazy." "Okay, so you're telling me that we've been giving you all of this money for budget and, as an expert, you didn't think about the totality?" And like, "No, no, no, no, no. We were definitely focused on the highest priorities." "Oh, okay cool. So we don't need to reprioritize things for SolarWinds?" It was either, you were negligent as a security leader or this truly was something that nobody could've expected. But the average lay person would look at this and be like, "Man, the IT infrastructure that runs most of the IT monitoring for the... Yeah, I could see that as being a target for a nation-state, theoretically. I don't have to be crazy smart to do that." So, the security leader is going to say, "No, no, no. In our prioritizing of the highest risk, we're not pivoting the program. We're just going to manage that a little bit differently, pay a little more attention here," which is not actually indicative of driving behavior.
0 upvotes
Anonymous Author
There’s plenty of content already on this thread, but in short, yes, there will definitely be a significant and lasting impact.
0 upvotes