In an exclusive interview with the ThreatConnect Podcast, Robert Bigman, the former Chief Information Security Officer (CISO) at the CIA, said that when investigators complete their analysis of how the Russian intelligence service eluded detection for months, if not years, during the SolarWinds hacks, they will likely find the same types of failures that contributed to the 9/11 terrorist attacks.
“I don’t think it’s overblown to say that this is a cybersecurity 9/11,” Bigman said. “I would compare it to the report that was written post-9/11, where correctly, the [9/11 Commission] criticized the government for lack of imagination. Remember that? Well, guess what? We repeated ourselves.”
Bigman, who served as the intelligence community’s most senior information assurance officer for half of his 30-year career at the CIA, said it could be two years before we know the full extent of the SolarWinds breaches.
According to media reports, SolarWinds, the software company that the hackers used as a conduit for gaining access to hundreds of government and private sector networks, had a history of lackluster security for its products, making it an easy target. This, according to Bigman, is a symptom of a much larger problem in U.S. national cybersecurity.
“When you go and buy a car, you have a thing called a Lemon Law, that if something goes wrong, you can turn it in and get it adjusted and get a change, or even get a new car. We don’t have that type of law for cyber,” Bigman said. “We have no rules, no regulations for companies to build secure supply chains. We have no rules and regulations that require them to build secure code, to test their code,” he said.
“So the problem we have in cyber, I think it’s the big one, is it’s just unregulated,” Bigman said. “It’s a free for all. And you’re really potentially the victim of companies who don’t act responsibly. And I’ll be honest with you, I think it’s the majority of them.”
The Defense Department, which was also a SolarWinds customer, took action last year to enforce cybersecurity standards on the Defense Industrial Base through a program called the Cybersecurity Maturity Model Certification (CMMC). More than a year into the program, however, the Pentagon has completed a mere 100 audits out of an estimated 300,000 contractors.
Listen to the full interview, now streaming: The ThreatConnect Podcast, Ep. 1: Solar Winds & The Cybersecurity Threat Landscape 2021