Opinion: SolarWinds breach shows underlying cyber risks

Amid all the news about the pandemic and the presidential transition in recent weeks, it was easy for many to miss the most significant cybersecurity story in years: the breach of Texas-based network monitoring company SolarWinds. Though ostensibly an attack on a single company, the breach provided an opening for bad actors to access the systems of a slew of U.S. government and private sector organizations.

Experts in the field are alarmed, in part, because we are still learning the full implications of this event and likely will be for months if not years. The public should be concerned, as well, but for reasons that go beyond this one incident. We need to be concerned about the general lack of understanding and preparation for cybersecurity incidents at all levels of government and industry.

There are two important steps we can take to help correct this: Furthering the public’s basic understanding of cybersecurity and bolstering our readiness against future attacks by boosting the talent pipeline in the field.

First, it’s essential for the basic language of cybersecurity to enter our public discourse. We regularly hear about breaches in the news, but what does that really mean? For most, it’s just a headline. Our lights are still on, ATMs are still running, and day-to-day business continues. In order for the public to better understand these incidents, we should all have a greater understanding of the “CIA triad,” which stands for: confidentiality, integrity and availability. These are three areas by which security professionals evaluate threats and vulnerabilities.

Confidentiality refers to keeping data private and secure. Many, if not most, of the cybersecurity incidents in the headlines fall into this category and are typically what we think of as hacks. We’ve become all too accustomed to hearing about such companies as Target, Equifax or Sony being hacked and bad actors gaining access to consumers’ financial information or sensitive company documents.

Integrity refers to the completeness and reliability of an organization’s secure data. It’s one thing to simply access or steal files; it’s another to tamper with them to the point that organizations can’t be sure of their reliability. Having the balance changed in your retirement account is an example of a breach of integrity.

Availability is the third, and in many cases, the most serious component of the CIA triad. Availability means systems and networks are up and running as normal. If they are not – either through an attack such as a distributed denial of service attack or perhaps a ransomware scenario – then the results could be dire. Having your hospital unavailable in a ransomware attack is an example of a breach of availability.

The recent SolarWinds episode was a breach of confidentiality and integrity. The bad actors gained access to the source code for SolarWinds’ flagship product, the Orion Platform, and were able to create a back door, i.e. the integrity. They then used that backdoor access to breach the networks of customers served by SolarWinds, i.e. the confidentiality. SolarWinds is a third-party partner to many of America’s largest private companies and federal government agencies, and it has very high-level access to its customers’ networks. The breach allowed someone – believed to be Russian – to access those organizations’ most secure systems. It was a reconnaissance mission. But we don’t yet know what they were seeking. The potential for integrity and availability issues down the road remains high.

Despite the ongoing threats, most organizations still do not have a robust cybersecurity team. The need for education and growing the profession is already great and only going to grow in the years ahead. We must encourage young people to take an interest in the field. Missouri is far behind the nation when it comes to computer science education at the high school level – only half of our schools teach a foundational computer science course, according to nonprofit Code.org. And the nation as a whole is behind the global community, despite the fact that the Bureau of Labor Statistics predicts a 31% increase in the need for information security analysts in the coming decade.

Technology is evolving by the minute and cybercriminals continue to advance their skills nearly as quickly. The onus is not only on the next generation of cybersecurity defenders to take up the mantle, but also on educators to ensure they’re trained and ready for battle.

Information security issues will only grow as our reliance on technology grows. Our society and educational systems should be ready to understand the threat and train more professionals to meet it head-on.

Shannon McMurtrey is an assistant professor of computer information systems at Drury University’s Breech School of Business. He can be reached at smcmurtrey@drury.edu.