In retrospect, 2021 passed as a whirlwind for those of us in cybersecurity. We experienced an accelerated shift toward a world in which its distinctions, definitions and categorical identities grew ever more porous.
The physical and digital worlds continued to merge, so much so that any barrier that had existed between them is now nearly gone. The growth of this porosity and its associated increase in attack vectors was exacerbated by expansion of the Internet of Things (IoT) and the more intertwined and connected environment it creates.
This brings us to what we might consider the core of this year’s challenges, as reflected in the SolarWinds and Colonial Pipeline compromises: the continued growth of successful ransomware attacks and the promulgation of the Executive Order regarding software bill of materials (SBOM). These events stand out as a reflection of what I consider most significant when it comes to what we saw in 2021 and are the basis of what we might expect to see in the year to come.
Adding to the complexity evidenced in this compromise was the growth and acceptance of Continuous Introduction/Continuous Delivery (CI/CD) over the years as the backbone of modern-day DevOps operations. CI/CD represents an approach to software development that seeks to leverage shorter development cycles in delivering a steady stream of potentially disruptive innovations to customers who incessantly clamor for “more… faster.”
SolarWinds forced upon us an unsettling realization of the implications of a foundational system whose updates were compromised and propagated in the manner revealed. The contextual battlespace in which that propagation occurred was further exacerbated by the growing porosity mentioned above that makes up the modern supply chain, giving an adversary an almost unlimited number of “weakest leaks” through which to explore the options and realize the fruits of their efforts.
The lessons heralded by last May’s Colonial Pipeline compromise were recently punctuated by the Iranian Gas Pumps affair. These taken-for-granted aspects of daily living don’t have to be denied us for very long before an unacceptable pain settles in. The Colonial Pipeline, which supplies 45% of the East Coast’s supply of various fuels, was taken offline after it was impacted by a ransomware attack. Now, on the other side of the world, another cyberattack has left drivers in Iran with virtually no fuel. The online attack reportedly crippled essentially every gas station across Iran — ironic, as that nation is a leading exporter of oil.
Ransomware on the Rise
The Colonial Pipeline affair was just one instance of how ransomware attacks took the headlines by storm in 2021 — notwithstanding the existence of validated, AI-supported math models whose prowess against such attacks continues to be well-documented. That an inertia seems to yet hold major Fortune 500 companies and infrastructures of nations prisoner and doggedly committed to outdated models of defense staggers rational comprehension. That modern ransomware attacks appear to easily circumvent the established pillars of traditional cyber protection punctuates the need to find new ways to solve this problem. Advancing the same old solutions while expecting different outcomes is the classic definition of “insanity.”
Proving that the supply chain implications of these standout events did not go unappreciated, the U.S. presidential administration issued an Executive Order, the heart of which requires those who manufacture and distribute software a new awareness of their supply chain to detail what is actually in their products — particularly open-source software — and the ability to reflect that awareness in an accurate SBOM. With announced vulnerabilities growing ever more prevalent, these SBOMs will provide purchasers with a means of determining how relevant any announcement may be to their interests.
Where to Go From Here
Although predicting the future is a challenging business under the best of circumstances, it is perhaps made easier by the fact that we, as humans, so often refuse to learn from the past and are, therefore, condemned to repeat it, as George Santayana is often quoted as saying. Predicting the future thus becomes, in part, the practice of isolating those lessons we should have learned but did not and translating that into what we are then likely to experience again. Heraclitus of Ephesus opined that you can’t step in the same river twice, but these repeat experiences should be similar enough to afford insights into what mitigating actions might be open to us.
We’ve learned that, apparently, our math models can predict and continue to do so at least in the limited sphere of malware. They actually do know what attack will come next — oftentimes years in advance. In other spheres, we’re not so fortunate. What we can do, however, is use the available information at hand to best prepare ourselves for every possible scenario. We know what technology is being developed and we know the potential risks that come with it. We’ve seen how adversaries can harness the power of good to do harm. It’s up to everyone in the cybersecurity community to ensure smart, strong defenses are in place in the coming year to protect against those threats.
Check back in next month for 2022’s inaugural column where we will explore predictions for the coming year.