The major current cybersecurity story involves a popular SolarWinds network management software package, Orion. A sophisticated actor, bearing the signatures of a nation state, infiltrated Orion through a software update. Once inside, it duplicated itself, moved into adjacent environments, escalated its privileges, and cloaked its presence. Those affected included major companies, governments, and United States federal agencies.
SolarWinds’s SEC filings suggest that almost 18,000 clients downloaded the poisoned Orion update. The incident is a painful reminder of some fundamentals in the software context. There are no guarantees against powerful cyberattacks. That is particularly the case when an attack appears to originate from a sophisticated nation state, as the Orion attack does. Risk cannot be eliminated. But it can be mitigated.
The first mitigation step is pre-contract diligence. Virtually all entities, even the National Security Agency, rely on outsourced computer functions. But each additional vendor grafted onto a business infrastructure is one more potential point of entry for Trojan malware. So businesses should evaluate a vendor’s security profile. Check its record. Vet its security practices. Negotiate incident response obligations as part of the service agreement. There are no guarantees. But these practices highlight potential problems hiding in the tall grass.
The second step is getting insurance. Cyber insurance is a complex topic. We have previously written on it. The pivotal point, for now, is that cyber insurance provisions can be negotiated. Unlike CGL and other policies, insurers have not yet set standard provisions in stone. A company that has evaluated a major vendor’s security posture has a current assessment of its own cybersecurity profile. It can instruct its broker to identify policies that offset its specific vulnerabilities. Since vulnerabilities are not static, this practice should be repeated periodically.
The third mitigation step is data minimization. The Orion affair repeats a lesson that we learn at regular intervals: everyone may be successfully targeted. Insurers, contractual recovery, and technical prowess can mitigate the damage. Even so, data stolen by a sophisticated hacker is like proverbial spilled milk: the damage can never be undone. So what should companies do?
We repeatedly stress data minimization to our clients. Limit the data you collect. Minimize the data you share. Companies need to work with their employees and counterparts to streamline data collection processes. Optimized databases conserve resources. More importantly, they minimize potential exposure in a breach. If the system does not have the data, a breach cannot expose it.
Fourth, consider the collateral consequences of a breach. Whether or not the breached data turns up on the Dark Web, the exposure can have mammoth implications. For example, when hackers breached the Panamanian law firm Mossack Fonseca, the fallout reached the highest levels of world politics. Countries ousted heads of state and government from office. High-profile individuals, from Cabinet-level officials to titans of industry, had to do some awkward explaining. Unsurprisingly, the firm no longer exists.
So what can you do to avoid becoming the next Mossack Fonseca? Perform a brutally rigorous evaluation alongside your data inventory. All organizations have data they would prefer never see the light of day. Have counsel, public relations, and crisis response in place to respond to an emergency. But if the data is mission critical (the secret sauce that could kill the organization if leaked), then more drastic measures are called for.
This could range from secure standalone networks such as those used by intelligence agencies to avoiding computerization altogether. After all, Russian President Vladimir Putin reportedly insists that his office limit itself to typewriters. Whatever your views on President Putin, no one accuses him of being an alarmist. Consider what measures are appropriate. That decision hinges on the sensitivity of the data.
Fifth, the measures may not require a return to pre-computer days. Remember the earlier admonishment regarding data minimization? The same principle applies internally. The advent and flexibility of cloud computing has proved irresistible to organizations. Cloud computing providers have some of the best security in the business. But as the Orion breach shows, a catastrophic breach is always a possibility.
So what options are available to an organization that is unwilling to revert to typewriters (or papyrus), but is acutely aware that it holds some highly sensitive data? Compartmentalization. Rather than retaining all data in one massive cloud database, consider siloing it. In particular, the most sensitive data must be insulated, either within the organization or with a separate provider. This does not guarantee protection against a SolarWinds-style event. Nothing short of typewriters would. But it would avert most intrusions. And the perfect plan should never be the enemy of a good plan.
Finally, protect privilege. Unfortunately, as an organization evaluates the fallout of a security breach, it creates potentially inflammatory documents that are eagerly sought by plaintiffs’ counsel or aggressive regulators. And courts have not always shielded them from discovery. While judges consider the totality of the circumstances in determining whether such documents are privileged, recent case law has highlighted a few factors as pivotal.
For instance, what was counsel’s role? The greater counsel’s involvement, the readier a court will be to distinguish the assessment from an ordinary-course-of-business investigation. What was the evaluation’s purpose? The more the assessment focuses on legal issues, the more likely it is to be privileged. And what was its disposition? The more closely the work product is held, the more likely the court is to view it as privileged. A recent federal case found no privilege in part because the report was distributed to IT staff and the FBI as well as to counsel.
Ultimately, the SolarWinds episode serves as yet another reminder that organizations must implement “technical, physical and administrative safeguards” to protect themselves. But it has introduced another element. The intrusion can come from a trusted vendor. The threat can be cloaked within your own system. Be ready. The calls can come from inside the house.