After SolarWinds, the U.S. can trust no one


By Andy Purdy, Chief Security Officer, Huawei Technologies USA

The recent cyberattack against SolarWinds, a Texas-based IT firm, has shaken up the U.S. national security establishment. Fortunately, it is also serving as a wake-up call that has inspired the new Biden administration to strengthen the defense of its communications networks and systems.

Attackers thought to be working for Russian intelligence infected the company’s software, which was then downloaded by a still-unknown number of its 18,000 customers. These included the U.S. Departments of Treasury, Defense, Justice, State, Commerce, and Energy, plus governments and companies in at least seven other countries.

Some experts say such attacks are “child’s play” for the best nation-state hackers, including those of Russia, China, the U.S., and a few others. They can break into almost any system, sometimes by compromising otherwise trusted supply chains through a third-party vendor. Their formidable capabilities are quickly being augmented by artificial intelligence.

To ward off these skilled, motivated, and well-resourced cyber miscreants, the U.S. needs a comprehensive national approach. It must start by reexamining traditional notions of trust.

Earlier this month, William Evanina, former director of the U.S. National Counterintelligence and Security Center, said America should adopt a position of “zero trust” in order to start properly managing supply chain risk. Zero trust is the idea that no untested technology should be ever be trusted—or barred—without verification. The fallacy of the “trusted vendor” underpins last year’s Clean Network Initiative, which “fails as a serious effort at cybersecurity,” according to Jason Healey, a former security expert with the U.S. Air Force and the White House.

Instead, we must deploy national-security–level defenses and risk-management protocols for critical technologies. We must abandon the apparent presumption that if you only deploy products and components from “trusted” vendors, you’ll have a “clean network.” After all, SolarWinds was a trusted vendor until it wasn’t, and its supply chain was clean until it got dirty, which it apparently did long before anyone spotted the problem. We must assume all networks are dirty, and act accordingly.

Last year, two colleagues and I wrote an article called “Don’t Trust Anyone” that was published in a journal funded by the U.S. Department of Defense. We noted that blacklisting some technology vendors, while de facto trusting others, is a recipe for disaster—as the SolarWinds hack subsequently made clear.

Instead, we should follow the advice of the bipartisan Cyberspace Solarium Commission and other experts, and start assessing the risk from all suppliers. We should then monitor for any risks that may arise after network gear is deployed.

To make such assessments, it will be crucial to build a consensus around global standards for telecom and mobile operators, and for the security of network equipment. Currently, operators and vendors lack clear, consistent standards-based guidance about what technologies they can deploy in various countries, and how those technologies will be operated and maintained. Standardized guidelines can be built into procurement requirements and contractual provisions, and possibly included in regulatory or statutory frameworks.

Equally important are mechanisms to verify and test key components of network technology. Verification helps ensure that all vendors’ technology conforms to well-defined requirements that fit the risk environment. Security testing provides an objective basis for judging networks and systems to be secure and resilient, even under difficult conditions. Testing criteria can be adjusted—and strengthened, if need be—for critical infrastructure, such as the banking system or the power grid.

The telecom industry’s leading standards-setting organizations have devised a framework called NESAS that could serve as the foundation for higher-assurance standards and testing programs. NESAS lets mobile equipment sellers voluntarily subject both their gear and their tech processes to a comprehensive cybersecurity audit. This provides a baseline for strong telecom equipment requirements, and points to a path forward that envisions rigorous third-party testing—with results to be shared with customers.

In addition, some countries are enacting laws to make networks more secure. Last October, Germany unveiled legislation that raises security requirements for all telecom operators, equipment suppliers, and data processors, and makes them accountable for the security of the technology supply chain. Operators must disclose all of the critical components they will deploy in their networks, while equipment sellers must spell out in detail how they will ensure that their products cannot be used for sabotage, espionage, or terrorism. Players that fail to meet legally mandated thresholds could be fined, banned, or shut down. 

As a society, we need to support those who are working to make critical technology more secure, while at the same time demanding greater accountability from organizations and leaders. The incoming Biden administration has an opportunity to build on the important work that has already been done to help achieve greater security. As SolarWinds made clear, this should be one of its highest priorities.