A Canadian cybersecurity expert says Canadian organizations should report cyber incident breaches to a federal authority to develop nation-wide threat intelligence.
“Canada absolutely needs mandatory full incident reporting,” said Brett Callow, a British Columbia-based threat analyst for Emsisoft. “Understanding how and why attacks happen is a key element in stopping them. As it is, [public] disclosures tend to be short on facts — if they’re made at all, that is — which means law enforcement agencies and securities have only limited insight into the threat landscape. And, of course, this is compounded by the fact that cybercrime is under-reported.”
Other cyber experts have called for a global standard for reporting cyberattacks, Callow noted. “Until we have a platform for reporting and sharing information, more attacks will succeed than they should.”
On the other hand David Swan, Alberta-based director of the Centre for Strategic Cyberspace and International Studies, is skeptical of reporting to a government body. “As it stands mandatory reporting has no ‘up side’ and major down sides,” he said in an email. “This will only work if there is an infrastructure that supports recovery and resilience. Increasing penalties for not reporting will not change much if anything. Even the limited liability protection for reporting third parties would be an improvement – if not an incentive, to improve reporting.”
He points out that the U.S. already has an industry-based network for sharing cybersecurity information, the Information Sharing and Analysis Centers (ISACs). “I’ll admit I am prejudiced, I worked for a firm that was part of the Financial Services ISAC (FS-ISAC). Their capabilities were impressive then and have steadily improved since I worked there.”
There is already some information sharing between government and industry through ISACs. On the other hand, he said, there are a lot of ISACs, some with more resources than others. “ISACs are an infrastructure that exists, is trusted and could meet both reporting and support requirements,” he said.
A Canadian counterpart to the ISACs is the Canadian Cyber Threat Exchange (CCTX), a membership-only group that shares threat information.
Dave Masson, Canada-based director of enterprise security for Darktrace, said he looks forward to seeing what the combined powers of the private sector and public sector can accomplish in the future. “We are only going to see both sectors increasingly targeted by nation states and cybercriminals, so it’s so important that, right now, all organizations wake up to the dangers of cyber-attacks and prepare to defend themselves from innovative adversaries.
“Mandatory breach reporting to a U.S. agency that would be responsible for spreading threat intelligence is absolutely a step in the right direction – and the private sector is actually requesting this process as well.”
There is mandatory data breach reporting in Canada to the OPC, he said, but only if there is real harm to an individual. “If Canada can strengthen this law, to ensure more reporting of massive breaches such as the SolarWinds compromise, we will be in a better place for progress. More collaboration and communication are absolutely key when it comes to cyber: transparency is integral.”
Their comments come after Tuesday’s U.S. Senate hearing on federal mandatory incident reporting in the wake of the 2020 attack on the SolarWinds Orion network management platform. Support came from executives of SolarWinds, Microsoft, FireEye and CrowdStrike, although the details were vague.
Intelligence committee chair Senator Mark Warner wondered if firms should report breaches to an independent agency similar to the U.S. National Transportation Safety Board. The agency would be empowered to launch investigations into whether the factors behind a breach or breaches are evidence of a systemic vulnerability, he said. Perhaps, Warner added, firms would need some limited liability protection for divulging information about third parties.
Others who spoke at the hearing suggested that instead of victim companies reporting it should be up to “first responders” such as technology firms or firms doing incident response. It was also suggested reporting should only be done in confidence.
The SolarWinds Orion attackers, believed by the U.S. to be from Russia, compromised the Orion software update build process to insert a backdoor. After some 18,000 organizations downloaded that update, the attackers infiltrated about 100 American organizations and nine government departments to gather intelligence and steal data.
One of those victim organizations is FireEye. After realizing the source of its attack was Orion, it warned SolarWinds and both spread the word to customers, the public and U.S. agencies. However, neither firm was obliged to tell Washington. That was one central issue at the hearing: Had it not been for FireEye, no one would have known how widespread the attack was. That’s why Warner and other senators wanted to know if it was time for mandatory breach notification to the government.
Is it time to notify the government about breaches?
Yes, according to Microsoft president Brad Smith.
He said many cybersecurity vendors and U.S. agencies have “slices” of information on breaches of security controls. “We need to enhance the sharing of threat intelligence. It is time to impose in an appropriate manner some kind of notification obligation on entities in the private sector … It’s the only way we’re going to protect the country, to protect the world.”
Smith even predicted the country would find a “way forward” when it comes to breach reporting “this year.”
He also stressed there should be incident “notification” and not detailed disclosure. “We should notify someone. We should notify a part of the U.S. government that would be responsible for aggregating threat intelligence and making sure that it is put to good use.”
He also said it was time for the U.S. and like-minded allies to say to other countries that attacks on security update mechanisms are “off-limits.”
How would this work in Canada?
While many firms in Canada have to report data breaches to the federal Office of the Privacy Commissioner (the OPC), especially when stolen personally identifiable data is involved, there are plenty of ways to sidestep reporting. If a breach of security controls doesn’t involve personal information, as with the attack on SolarWinds’ Orion network monitoring software, a firm isn’t obliged to report the incident to anyone. Even when personal information is involved, a firm only has to report if it believes there is a real risk of significant harm to the individuals affected.
Some organizations voluntarily report to the Canadian Centre for Cyber Security, which distributes alerts from vendors such as the latest available patches and mitigations. However, the centre doesn’t have the power to launch investigations of companies’ behaviours to detect wider patterns. The OPC does.
Other Senate session highlights
- Anyone hoping for insight into how the attackers got into the SolarWinds environment is probably disappointed. CEO Sudhakar Ramakrishna said that angle is still being investigated, although it has been whittled down to three theories. He didn’t share them.
- CrowdStrike CEO George Kurtz, whose firm was hired by SolarWinds for incident response, said the attack showed a need to ensure software code development platforms and code repositories are protected at least as well as IT environments. He also criticized Microsoft. “The threat actor took advantage of systemic weaknesses in Windows’ [Active Directory] authentication architecture, allowing it to move laterally within the network, and between the network and the cloud, by creating false credentials, impersonating legitimate users and bypassing multifactor authentication credentials.”
- This was a “golden SAML” (Security Assertion Markup Language) attack, he said, in which a forged SAML authentication object is used to authenticate across a number of services. This specific attack vector, Kurtz said, was documented in 2017.
- Microsoft’s Smith said the SAML problem was relevant in only 15 per cent of the 60 attacks on Microsoft customers who used an infected version of Orion. He added that the problem was only leveraged after the attacker was already on the victim organization’s network.
- FireEye CEO Kevin Mandia emphasized how hard it was to find the way his firm was attacked. Almost 100 people fruitlessly hunted for how the intruder got in and stole FireEye’s red team tools. “The only thing left was a compromise in the SolarWinds server,” he said. After looking at 1 million lines of assembly code in 3,500 executable files in an update, the evidence emerged. What the attacker did was unique, he said: Modifying the Orion update build process. That mechanism makes it a “portable” attack that can be used against any software developer in any company.
- Taking that up, SolarWinds CEO Sudhakar Ramakrishna said it’s an “injustice” to call the incident a “SolarWinds hack.” The tool used by the threat actor could have been used anywhere, he argued. Supply chain attacks, he added, happen daily. He also said SolarWinds now uses security by design principles in code development, premised on zero-trust principles and developing a best in class secure software development model “to ensure our customers can have the utmost confidence in our solutions.”
- Several Senators noted that not all of this threat actor’s victim organizations had been compromised through Orion. The Wall Street Journal has estimated 30 per cent were compromised by the same threat actor in other ways. Microsoft’s Smith said many were compromised by password spraying.
- The Senators were also miffed that Amazon couldn’t provide an official to testify. The attacker used Amazon infrastructure to hide and launch attacks.
- While U.S. law enforcement and intelligence agencies have said the attacker was “likely Russian in origin,” it was FireEye’s Mandia who said the threat actor’s actions were “most consistent with behaviours we’ve seen out of Russia,” and not consistent with historical tactics used by China, North Korea or Iran.
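The “golden SAML” technique Kurtz describes above relies on an attacker signing their own SAML assertions with a stolen token-signing certificate, so the identity provider never actually issues the token. That gives defenders a detection angle: a federated sign-in at the cloud service that has no corresponding token-issuance event on the AD FS servers (Event ID 1200 or 1202) within a short window, or whose assertion outlives the identity provider’s configured token lifetime, is suspect. The Python example below is added here to illustrate that correlation; it is not code from CrowdStrike, Microsoft or the hearing. The log records are constructed samples, the record shape is an assumption rather than any vendor’s schema, and the five-minute window and one-hour maximum lifetime are assumed policy values.

```python
"""Flag likely forged ("golden") SAML sign-ins by correlating cloud sign-in
records with AD FS token-issuance events. All records below are constructed
samples for illustration, not real telemetry."""
from datetime import datetime, timedelta

# Constructed AD FS security-log events. In a real deployment these would be
# Event ID 1200 ("issued a valid token") / 1202 records from the AD FS servers.
ADFS_ISSUANCE_EVENTS = [
    {"event_id": 1200, "time": datetime(2021, 2, 1, 9, 0, 12), "user": "alice@corp.example"},
    {"event_id": 1200, "time": datetime(2021, 2, 1, 9, 14, 3), "user": "bob@corp.example"},
]

# Constructed cloud-side sign-in records for the same period (the field layout is
# an assumption, not any vendor's schema). Only federated SAML sign-ins matter here.
CLOUD_SIGNINS = [
    {"time": datetime(2021, 2, 1, 9, 0, 14), "user": "alice@corp.example",
     "auth": "federated-saml", "assertion_lifetime": timedelta(minutes=60)},
    {"time": datetime(2021, 2, 1, 9, 14, 5), "user": "bob@corp.example",
     "auth": "federated-saml", "assertion_lifetime": timedelta(minutes=60)},
    # No AD FS issuance event exists for this sign-in, and the assertion is valid
    # for a year: the pattern a forged token would produce.
    {"time": datetime(2021, 2, 1, 23, 41, 0), "user": "svc-backup@corp.example",
     "auth": "federated-saml", "assertion_lifetime": timedelta(days=365)},
    # A password sign-in never passes through the federation server, so it is ignored.
    {"time": datetime(2021, 2, 1, 10, 2, 0), "user": "carol@corp.example",
     "auth": "password", "assertion_lifetime": None},
]


def find_suspect_saml_signins(signins, issuance_events,
                              window=timedelta(minutes=5),
                              max_lifetime=timedelta(hours=1)):
    """Return (user, time, reasons) for federated sign-ins that have no IdP
    issuance event for the same user within `window` before the sign-in, or
    whose assertion lifetime exceeds `max_lifetime` (an assumed IdP policy)."""
    issued_by_user = {}
    for ev in issuance_events:
        if ev["event_id"] in (1200, 1202):
            issued_by_user.setdefault(ev["user"], []).append(ev["time"])

    suspects = []
    for s in signins:
        if s["auth"] != "federated-saml":
            continue  # only SAML-based sign-ins can be forged this way
        reasons = []
        issued_times = issued_by_user.get(s["user"], [])
        # The IdP logs issuance before the service provider sees the assertion,
        # so the matching event must fall shortly *before* the sign-in.
        if not any(timedelta(0) <= s["time"] - t <= window for t in issued_times):
            reasons.append("no AD FS token-issuance event within window")
        if s["assertion_lifetime"] and s["assertion_lifetime"] > max_lifetime:
            reasons.append("assertion lifetime exceeds IdP policy")
        if reasons:
            suspects.append((s["user"], s["time"], reasons))
    return suspects


if __name__ == "__main__":
    for user, when, reasons in find_suspect_saml_signins(CLOUD_SIGNINS, ADFS_ISSUANCE_EVENTS):
        print(f"{when:%Y-%m-%d %H:%M:%S} {user}: {'; '.join(reasons)}")
```

Run against the sample data, only the `svc-backup` sign-in is reported, for both reasons. The correlation only works if AD FS event logs are shipped off the federation servers before an intruder with domain-level access can tamper with them, which is part of why Kurtz and Mandia stressed protecting the identity and build infrastructure at least as well as the rest of the IT environment.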
(This story has been updated from the original with comments from David Swan and Dave Masson)