By Rohit Tandon, Chief Information Security Officer, State of Minnesota
January 19, 2021

After a challenging year of responding to unprecedented cyber activity related to the global pandemic, racial injustice, and election security, the 2020 holiday season was finally in sight. Then, on December 13th, news broke that the year had one more surprise for our industry: a highly skilled adversary had penetrated FireEye’s network and stolen the company’s Red Team tools. A very sophisticated supply chain attack, now infamously called the SUNBURST backdoor, was identified as the vector of entry into FireEye’s network. The ongoing investigation has identified other SUNBURST victims in the government, technology, and telecom industries. This is not the first highly publicized supply chain attack linked to a tainted software update; the global NotPetya attack was just three years ago.

In 2021 and beyond, we must learn from these events and start to apply higher scrutiny to the technology supply chain. Propelled by the global pandemic response, many organizations sped up their digital transformation journeys and, consequently, increased the number of technology suppliers in their ecosystems. Even if your organization did not, the primary cloud solution it depends on has bundled a mix of components from different suppliers to give you that seamless customer experience. A sophisticated adversary needs to find only one weakness in that increasingly complex supply chain to target your business.

In the past, we have placed the defensive burden on our suppliers and trusted them to deliver. For years, we’ve believed their good information security practices help to protect us, too. Now, after these painful lessons, we could tell ourselves that maybe that arrangement will start working, but a new approach is at least worth experimenting with going forward. After all, fool me once, shame on you; fool me twice, shame on me.

Let’s take an example from another industry dealing with a supply chain challenge: counterfeiting in the wine industry. Increasingly, consumers are finding they can’t really trust that the glass in their hand matches the label. Are those the grapes grown in that specific harvest, without excessive preservatives or hazardous chemicals, and did the famous winery produce, package, and ship the bottle you purchased? Unfortunately, I am not enough of a wine connoisseur to tell you by smell and taste whether you were swindled by the distributor. Supply chain traceability, along with tamper validation, is required to ensure consumer trust. Many researchers are trying to solve the challenge of supply chain transparency and trust for the wine industry.

We should pay attention to the lessons from other industries. If we want to deliver high-quality, trusted technology, similar to a fine bottle of wine, we need to explore methods to validate the authenticity and source of every component in our technology portfolio. This must be done at a granular level during every software update, with a way to validate that every line of code was inserted for a transparent purpose and can be traced to the trusted application developer. Finally, as end-product consumers, we need a simple way to validate full end-to-end authenticity. This would have prevented many of the challenges we’ve encountered with supply chain reliability in recent years, and perhaps 2021 will finally be the year we see that solution come to life.
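The paragraph above asks for component-level validation of authenticity and source at every software update. The following is an added example, not code from the author or from any vendor discussed here, of the minimum a consumer-side check looks like: the supplier publishes a manifest listing every shipped component with its SHA-256 digest and signs that manifest with a key the consumer already trusts; before installing, the consumer verifies the signature, then checks each delivered component against the manifest, and rejects anything the signed manifest does not account for. The manifest format, product names, file names and key pair are all constructed for the example. It proves that the update came from the holder of the trusted key and was not altered afterwards; it does not, on its own, prove that the supplier's own build was clean, which is the gap SUNBURST exploited and why the manifest should ideally be produced from an attested build rather than from whatever binaries happen to be in the release directory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Manifest lists every component in a software update with the hex SHA-256
// digest of its bytes. The format is hypothetical, constructed for this example.
type Manifest struct {
	Product    string            `json:"product"`
	Version    string            `json:"version"`
	Components map[string]string `json:"components"`
}

// digest returns the hex SHA-256 of a component's bytes.
func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// canonical encodes the manifest deterministically; encoding/json sorts map
// keys, so signer and verifier hash exactly the same bytes.
func canonical(m Manifest) ([]byte, error) {
	return json.Marshal(m)
}

// BuildManifest is what the supplier runs at release time over the exact
// artifacts it ships.
func BuildManifest(product, version string, components map[string][]byte) Manifest {
	m := Manifest{Product: product, Version: version, Components: map[string]string{}}
	for name, data := range components {
		m.Components[name] = digest(data)
	}
	return m
}

// SignManifest produces the supplier's Ed25519 signature over the canonical manifest.
func SignManifest(priv ed25519.PrivateKey, m Manifest) ([]byte, error) {
	enc, err := canonical(m)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, enc), nil
}

// VerifyUpdate is what the consumer runs before installing. It checks, in order:
//  1. the manifest really was signed by the supplier key we trust (authenticity),
//  2. every listed component is present and byte-for-byte matches its digest (integrity),
//  3. nothing was delivered that the signed manifest does not account for.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig []byte, delivered map[string][]byte) error {
	enc, err := canonical(m)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, enc, sig) {
		return fmt.Errorf("manifest signature invalid: not signed by the trusted supplier key")
	}
	for name, want := range m.Components {
		data, ok := delivered[name]
		if !ok {
			return fmt.Errorf("component %q listed in manifest but not delivered", name)
		}
		if got := digest(data); got != want {
			return fmt.Errorf("component %q digest mismatch: manifest %s, delivered %s", name, want, got)
		}
	}
	for name := range delivered {
		if _, ok := m.Components[name]; !ok {
			return fmt.Errorf("component %q delivered but absent from signed manifest", name)
		}
	}
	return nil
}

func main() {
	// Constructed sample: a supplier key pair and a three-file update.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	release := map[string][]byte{
		"agent.dll":   []byte("binary bytes of the agent (constructed)"),
		"config.xml":  []byte("<config><poll>300</poll></config>"),
		"install.ps1": []byte("Write-Host 'installing'"),
	}
	m := BuildManifest("ExampleMonitor", "2021.1", release)
	sig, _ := SignManifest(priv, m)
	fmt.Println("clean update:", VerifyUpdate(pub, m, sig, release))

	// The same update with agent.dll swapped after signing fails the digest check.
	tampered := map[string][]byte{
		"agent.dll":   []byte("binary bytes of the agent (constructed) plus an unexpected change"),
		"config.xml":  release["config.xml"],
		"install.ps1": release["install.ps1"],
	}
	fmt.Println("tampered update:", VerifyUpdate(pub, m, sig, tampered))
}
```

The ordering matters: the signature is checked before any component is inspected, so an attacker who can alter files cannot also alter the manifest to match them without the supplier's private key. In practice the trusted public key would be pinned out of band (shipped with the installer, or published in a transparency log), never fetched from the same channel as the update.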


Rohit Tandon is the Chief Information Security Officer of the State of Minnesota and has 15+ years of information security industry experience in both the public and private sector. Rohit has worked for Mayo Clinic Rochester to build secure systems for Electronic Health Records and championed Medical Device security. Prior to joining the State of Minnesota, Rohit served as the Information Security leader at Strategic Education Inc (SEI) where he merged the information security departments of Capella Education Company and Strayer Education, Inc. into a combined post-merger organization … full bio