{"id":7020,"date":"2020-12-15T19:49:27","date_gmt":"2020-12-15T22:49:27","guid":{"rendered":"https:\/\/www.fie.undef.edu.ar\/ceptm\/?p=7020"},"modified":"2020-12-15T19:49:27","modified_gmt":"2020-12-15T22:49:27","slug":"contratistas-externos-para-servicios-informaticos-criticos-caso-solarwinds-en-eua","status":"publish","type":"post","link":"https:\/\/www.fie.undef.edu.ar\/ceptm\/?p=7020","title":{"rendered":"External contractors for critical IT services, the SolarWinds case in the U.S."},"content":{"rendered":"<div>\n<p style=\"text-align: left;\" align=\"justify\">The security incidents reported through the software of an IT contractor used by the military highlight the risks the Department of Defense takes on as it must rely more and more on external providers for critical IT services. The Department of Defense declined to comment on whether its systems are among those of several government agencies reportedly accessed by hackers affiliated with Russia\u2019s foreign intelligence agency. SolarWinds serves the armed forces, the Pentagon and the National Security Agency as customers.<\/p>\n<hr \/>\n<\/div>\n<p class=\"o-articleBody__text a-body1 element element-paragraph\">WASHINGTON \u2014 The reported cyber breach through an IT contractor\u2019s software used by the military highlights the risks the Department of Defense takes when it increasingly must rely on third-party vendors for digital services.<\/p>\n<p class=\"o-articleBody__text a-body1 element element-paragraph\">As civilian agencies disconnected Monday from the SolarWinds\u2019 Orion platform under government orders, the Department of Defense declined to comment on whether its systems are among those across several government agencies reportedly accessed by hackers affiliated with Russia\u2019s foreign intelligence agency. 
SolarWinds counts all five military services, the Pentagon and the National Security Agency among its clientele for the network management platform, and said Monday in a <a href=\"https:\/\/www.sec.gov\/ix?doc=\/Archives\/edgar\/data\/1739942\/000162828020017451\/swi-20201214.htm\" target=\"_blank\" rel=\"noopener\">Securities and Exchange Commission filing<\/a> that the hack between March and June affected \u201cfewer than\u201d 18,000 customers \u2014 both government agencies and businesses.<\/p>\n<p class=\"o-articleBody__text a-body1 element element-paragraph\">\u201cThe DoD is aware of the reports and is currently assessing the impact. The NSA and JFHQ-DoDIN has issued guidance and directives to protect DoD networks and IT systems,\u201d said Russ Goemaere, a spokesperson for the Department of Defense. \u201cFor operational security reasons the DoD will not comment on specific mitigation measures or specify systems that may have been impacted.\u201d<\/p>\n<p class=\"o-articleBody__text a-body1 element element-paragraph\">With agencies just now unplugging from the platform, the extended time that hackers potentially had access to government emails and other information particularly alarmed experts.<\/p>\n<p class=\"o-articleBody__text a-body1 element element-paragraph\">\u201cThis is just the price that the Department of Defense, the intelligence community and the U.S. 
government, writ large, are going to pay over and over for their continued and increasing reliance on, at its core, code that someone else wrote and tested on their network\u201d (as opposed to code that they wrote and they tested), said Philip Reiner, CEO of the Institute for Security and Technology, who also formerly served at DoD and on the National Security Council.<\/p>\n<p class=\"o-articleBody__text a-body1 element element-paragraph\">\u201cAs the Department of Defense continues to expand its trust in third-party products and services, because it has no choice, really, this will only get worse. Trust is a transitive property, and threat actors know this, which is why they take advantage of it.\u201d<\/p>\n<p class=\"o-articleBody__text a-body1 element element-paragraph\">The Navy and Army referred questions to the Department of Defense, which declined to comment. A spokesperson for the chief information officer of the Air Force did not respond right away to a request for comment.<\/p>\n<p class=\"o-articleBody__text a-body1 element element-paragraph\">A U.S. Cyber Command spokesperson said the command is assessing the issue. \u201cU.S. Cyber Command is postured for swift action should any defense networks be compromised. We are in close coordination with our interagency, coalition, industry and academic partners to assess and mitigate this issue.\u201d<\/p>\n<p class=\"o-articleBody__text a-body1 element element-paragraph\">Reuters, which<a href=\"https:\/\/www.reuters.com\/article\/us-usa-cyber-treasury-exclusive\/suspected-russian-hackers-spied-on-u-s-treasury-emails-sources-idUSKBN28N0PG\"> first reported the breach<\/a>, identified the departments of Commerce, Treasury and <a href=\"https:\/\/www.reuters.com\/article\/us-global-cyber-usa-dhs\/suspected-russian-hackers-breached-u-s-department-of-homeland-security-sources-idUSKBN28O2LY\" target=\"_blank\" rel=\"noopener\">Homeland Security<\/a> as agencies that hackers infiltrated. 
The Washington Post<a href=\"https:\/\/www.washingtonpost.com\/national-security\/russian-government-spies-are-behind-a-broad-hacking-campaign-that-has-breached-us-agencies-and-a-top-cyber-firm\/2020\/12\/13\/d5a53b88-3d7d-11eb-9453-fc36ba051781_story.html\"> reported that the group behind the intrusions<\/a> was APT29, which is associated with the SVR, Russia\u2019s foreign intelligence agency. Reuters reported that the breach was severe enough for the National Security Council to call an emergency meeting. The Wall Street Journal<a href=\"https:\/\/www.wsj.com\/articles\/suspected-russian-hack-said-to-have-gone-undetected-for-months-11607974376\"> reported<\/a> Monday that \u201cnational security agencies and defense contractors\u201d were among the breached organizations. FireEye, a cybersecurity company with significant federal contracts, announced last week that hackers broke into its servers, which <a href=\"https:\/\/www.washingtonpost.com\/national-security\/leading-cybersecurity-firm-fireeye-hacked\/2020\/12\/08\/a3369aaa-3988-11eb-98c4-25dc9f4987e8_story.html\" target=\"_blank\" rel=\"noopener\">the Washington Post attributed<\/a> to the same Russian outfit.<\/p>\n<p class=\"o-articleBody__text a-body1 element element-paragraph\"><b>What this could mean for the Defense Department<\/b><\/p>\n<p class=\"o-articleBody__text a-body1 element element-paragraph\">Greg Touhill, who served as the federal government\u2019s first chief information security officer and helped oversee response to the 2015 breach of the Office of Personnel Management, told C4ISRNET that the DoD needs to be on \u201cred alert.\u201d<\/p>\n<p class=\"o-articleBody__text a-body1 element element-paragraph\">\u201cI\u2019m in the DoD, I\u2019m thinking, \u2018They\u2019re inside, and they\u2019ve been snooping around and laying low,\u2019\u201d said Touhill, a retired Air Force brigadier general and president of Appgate Federal. 
\u201cSo I\u2019m very concerned to find them in the DoD and across the whole federal government; they should be very concerned. And you know what? Those of us in the industry, we ought to be very concerned as well. So this is a five-alarm fire.\u201d<\/p>\n<p class=\"o-articleBody__text a-body1 element element-paragraph\">Hackers gained initial access through SolarWinds software updates, allowing them to move within networks beyond the contractor-supported systems.<\/p>\n<p class=\"o-articleBody__text a-body1 element element-paragraph\">\u201cThis is just an unprecedented breach of commonly used network management tools,\u201d said Trey Herr, director of the Cyber Statecraft Initiative under the Scowcroft Center for Strategy and Security at the Atlantic Council. \u201cIf you\u2019re DoD, you\u2019re looking at a significant impingement on your ability to do every basic office function in a way that you can be assured is not subject to significant compromise.\u201d<\/p>\n<p class=\"o-articleBody__text a-body1 element element-paragraph\">The hack through the supply chain comes as the Defense Department works to ramp up contractor cybersecurity requirements through the <a href=\"https:\/\/www.c4isrnet.com\/cyber\/2020\/09\/02\/standardization-of-insurance-policies-could-improve-defense-contractors-cybersecurity\/\" target=\"_blank\" rel=\"noopener\">Cybersecurity Maturity Model Certification<\/a>, which evaluates contractors\u2019 cybersecurity strength.<\/p>\n<p class=\"o-articleBody__text a-body1 element element-paragraph\">\u201cIt certainly highlights the criticality of improving the security posture of the supply chain,\u201d said Jacob Olcott, vice president of government affairs at BitSight Technologies. 
\u201cHowever, one of the significant gaps in CMMC today is the<a href=\"https:\/\/www.fifthdomain.com\/dod\/2020\/02\/28\/the-future-of-defense-contractor-cybersecurity-standards\/\" target=\"_blank\" rel=\"noopener\"> real-time, timeliness issue<\/a> \u2026 You could imagine a situation where an organization would have answered positively to a lot of security checkboxes and then something like this happens.\u201d<\/p>\n<p class=\"o-articleBody__text a-body1 element element-paragraph\">Across the military services, components are turning to managed service providers for many \u201cas a service\u201d functions, particularly IT as a service. In a recent webinar, a top official at the Army program office tasked with managing the service\u2019s enterprise network said that there\u2019s \u201c<a href=\"https:\/\/www.c4isrnet.com\/it-networks\/2020\/11\/17\/us-army-enterprise-it-office-looks-to-expand-as-a-service\/\" target=\"_blank\" rel=\"noopener\">probably nothing that we\u2019re not looking at as \u2018as a service<\/a>.\u2019\u201d<\/p>\n<p class=\"o-articleBody__text a-body1 element element-paragraph\">Jon Bateman, a fellow in the Cyber Policy Initiative at the Carnegie Institute for International Peace, told C4ISRNET that the situation highlighted the limits of cybersecurity.<\/p>\n<p class=\"o-articleBody__text a-body1 element element-paragraph\">\u201cYou\u2019ve got the leading entities in the world, the U.S. government or &#8230; FireEye, and then you\u2019ve got the leading hackers in the world, some of them are in Russia. And just given enough time and persistence and effort, the offense can win in huge ways,\u201d said Bateman, who served as special assistant to former chairman of the Joint Chiefs of Staff Gen. Joseph Dunford. 
\u201cI think that shows us something about the limits of cybersecurity.\u201d<\/p>\n<p class=\"o-articleBody__text a-body1 element element-paragraph\">While initially, the goal of the intrusion was purely espionage, the access could have been used for disruption, Herr said. In a hypothetical example, he noted it could have been strategically timed with a significant event crippling DoD\u2019s ability to send emails or other functions, which would be a significant handicap.<\/p>\n<p class=\"o-articleBody__text a-body1 element element-paragraph\">The access provided by the intrusion to a foreign actor would be a goldmine from an espionage perspective, Herr added. Being able to read interdepartmental communications and exchanges affords the hackers the opportunity to learn more about the decisions made within the U.S. government and what is important to leaders.<\/p>\n<p class=\"o-articleBody__text a-body1 element element-paragraph\">\u201cI could, for example, from an espionage standpoint, get a much clearer sense of where my redline might be and run significantly closer to that, or see where there\u2019s less interest in or focus on certain geographic or topical areas and policies and push my activity in that direction away from the adversary\u2019s focus, which in this case, be the United States\u2019 focus as a way to avoid penalties,\u201d he said.<\/p>\n<p class=\"o-articleBody__text a-body1 element element-paragraph\">Moreover, the duration of the access means that the actor has a good snapshot of the U.S. decision making process rather than just a small snapshot in time.<\/p>\n<p class=\"o-articleBody__text a-body1 element element-paragraph\">On Sunday, the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security, which is tasked with securing federal networks, directed federal civilian agencies to <a href=\"https:\/\/cyber.dhs.gov\/ed\/21-01\/\" target=\"_blank\" rel=\"noopener\">unplug all SolarWinds Orion products<\/a>. 
In the directive, CISA categorized the breach as grave. Across the government, an effort to assess the damage from the breach is underway.<\/p>\n<p class=\"o-articleBody__text a-body1 element element-paragraph\">\u201cThe NSC is working closely with<a href=\"https:\/\/twitter.com\/CISAgov\"> @CISAgov<\/a>,<a href=\"https:\/\/twitter.com\/FBI\"> @FBI<\/a>, the intelligence community, and affected departments and agencies to coordinate a swift and effective whole-of-government recovery and response to the recent compromise,\u201d NSC spokesman John Ullyot wrote<a href=\"https:\/\/twitter.com\/WHNSC\/status\/1338454126120882179?s=20\"> in a tweet Monday morning<\/a>.<\/p>\n<p class=\"o-articleBody__text a-body1 element element-paragraph\"><b>Reaction from the Hill<\/b><\/p>\n<p class=\"o-articleBody__text a-body1 element element-paragraph\">On Capitol Hill, lawmakers expressed great concern about the supply chain tactics to reach into federal agencies.<\/p>\n<p class=\"o-articleBody__text a-body1 element element-paragraph\">\u201cSoftware supply chain attacks of this nature can have devastating and wide-ranging effects \u2014 whether it\u2019s via niche Ukrainian tax software or, as here, network management tools relied upon by some of the world\u2019s largest companies,\u201d said Sen. Mark Warner, D-Va., vice chairman of the Senate Select Committee on Intelligence. 
\u201cAs we gather more information on the impact and goals of these malign efforts, we should make clear that there will be consequences for any broader impact on private networks, critical infrastructure or other sensitive sectors.\u201d<\/p>\n<p class=\"o-articleBody__text a-body1 element element-paragraph\">California Democrat Adam Schiff, chairman of the House Permanent Select Committee on Intelligence, called cybersecurity breaches like this a persistent problem.<\/p>\n<p class=\"o-articleBody__text a-body1 element element-paragraph\">\u201cThese intrusions reinforce the need to secure our unclassified government networks and those in the private sector that partner with the government,\u201d Schiff said.<\/p>\n<p class=\"o-articleBody__text a-body1 element element-paragraph\">Sen. Angus King, I-Maine, who chaired the bipartisan Cyber Solarium Commission, pointed to the risks posed by the sheer magnitude of the federal government\u2019s supply chain.<\/p>\n<p class=\"o-articleBody__text a-body1 element element-paragraph\">\u201cI hesitate to even imagine how many vendors there are to the United States government,\u201d King said. 
\u201cSo that underlines that danger.\u201d<\/p>\n<p class=\"o-articleBody__text a-body1 element element-paragraph\">Companies doing business with the Pentagon total around 300,000.<\/p>\n<p style=\"text-align: left;\" align=\"justify\"><strong>Source:<\/strong> <a href=\"https:\/\/www.c4isrnet.com\/cyber\/2020\/12\/14\/reported-russian-hack-of-us-systems-has-implications-for-dod-network-security-plans\/?utm_source=Sailthru&amp;utm_medium=email&amp;utm_campaign=C4ISRNET%2012.15&amp;utm_term=Editorial%20-%20Daily%20Brief\" target=\"_blank\" rel=\"noopener\"><em>https:\/\/www.c4isrnet.com<\/em><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The security incidents reported through the software of an IT contractor used by the military highlight the risks taken on by the Department&hellip; <\/p>\n","protected":false},"author":1,"featured_media":7021,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[23],"tags":[],"_links":{"self":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/7020"}],"collection":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7020"}],"version-history":[{"count":1,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/7020\/revisions"}],"predecessor-version":[{"id":7022,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/7020\/revisions\/7022"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/media\/70
21"}],"wp:attachment":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7020"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7020"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7020"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}