February 08, 2021 | Tony Howlett
By now, everyone on the planet has probably heard about the massive supply chain breach that occurred when network management software from SolarWinds had malware inserted into a trusted software update. This attack has exposed over 18,000 of its customers who used the affected software, including Federal government agencies such as the Commerce Department and Homeland Security, to potential breaches.
The SolarWinds supply chain hack of late 2020 has rocked large government agencies and Fortune 500 companies to their core. It will be many years before all the effects of this mega-hack become known, and cleaning up and securing things fully will take even longer. Many state and local governments might be hoping they were not targeted, as Russian state hackers are generally not interested in small fish, and small cities and towns don’t tend to use the more complex enterprise-grade software, like SolarWinds, to manage their networks. However, just because these organizations tend to be small and unsophisticated, IT-wise, doesn’t mean they aren’t susceptible to supply chain dangers of their own.
Being small does have some advantages. You don’t tend to attract the attention of the serious, well-funded hacking groups like the Russian SVR intelligence group that was allegedly behind the SolarWinds hack. But small organizations are plenty attractive to criminal hacking gangs like the ones who took down 22 Texas cities simultaneously in what has been called the first “mass ransomware” attack in 2019. They know that residents of even the smallest towns depend on critical government services such as law enforcement, court services, and utilities. And as evidenced by the many small towns and cities that have paid handsome ransoms to get their data and services back online after successful ransomware attacks, it can be highly profitable for hackers.
National information security standards such as the Criminal Justice Information Standard (CJIS) still apply to data handling by these local organizations, so it’s not as if they’re exempt from needing good cybersecurity in place. And for good reason: hacking into a small, local law enforcement department might allow a hacker to access sensitive federal government databases at agencies like the FBI. And even the smallest town might still have an EU citizen living in it, so international data privacy standards like GDPR would still apply to it.
While these small entities may have many of the same requirements as larger governments, they do not have the staff or budgets to handle them like the big guys. Often they have very small IT departments with no dedicated security personnel. Or, in many cases, they may have no in-house IT staff at all, outsourcing it to Managed Service Providers (MSPs). Sophisticated hacking organizations know this and have targeted MSPs in recent years as a “force multiplier” for their efforts. The “hack once, breach many” strategy has been used to great effect, notably in the Texas city hack mentioned above.
Also, smaller government organizations are just as susceptible to supply chain attacks on the more mainstream software that everybody uses. Microsoft’s source code was accessed as an offshoot of the SolarWinds attacks, and while no code was supposedly tampered with, it is only a matter of time before this happens (or it may have already happened and we just don’t know). They also use many of the same IoT devices that big cities do, like IoT cameras, door locks, and other common IoT tech.
Many millions of devices were affected by the exploits discovered in Treck IP software, and smaller IT departments have a hard time keeping up with the patches that are issued for these holes. Small governments are also more likely to use smaller providers of software that performs specific functions such as utility billing. These software providers are often “mom and pop” shops, which can mean poor security practices and infrequent patching. And even when patches are available, many small towns have to rely on their service providers to stay on top of breaking developments and get their systems patched. Suffice it to say that small government organizations are at least as much at risk of supply chain attacks, if not more, given the combination of the ubiquity of vulnerable software and the lack of resources to properly secure it.
So, what should smaller government entities do to protect themselves from supply chain cybersecurity risk? Well, first of all, practicing good third-party risk management goes a long way. Even with limited resources, some minimal vetting and monitoring of vendors can be done. And buying from reputable technology providers who can prove their security postures protects you quite a bit, even though it’s no silver bullet.
If you are going to use a managed services provider for some or all of your IT functions, make sure those companies have good security bona fides. Are they compliant with all the standards you have to meet? Do they have sufficient insurance to cover your costs if you are hit with ransomware as a result of a security failure on their part? A minimum of $10 million is recommended even for the smallest organization.
Finally, you can leverage some of the protections that the larger governmental organizations get from their complicated purchasing requirements and more sophisticated vetting by using the same products and services that they contract for. Sometimes you can even save money by purchasing under a blanket discount program. However, these larger solutions are sometimes not designed for small government and can be cost-prohibitive. And as the SolarWinds debacle shows, even if a company is a large, well-known technology provider, that is not enough to ensure the security of a purchased product.
Regardless, state and local governments are going to have to up their game, with partnerships, cooperatives, and information sharing, along with evolving their cybersecurity programs as best they can with their limited budgets, or end up as roadkill on the information superhighway. The bad guys are getting better all the time, and your citizens and taxpayers will demand that you do the same.