TECHNICALLY SPEAKING
CYBERSECURITY: It’s not just TECH
BY HAILEY MINTON
The majority of cyber attacks come from criminal organizations; however, nation states backing cyber attacks in the U.S. has become one of the large challenges facing our country. Nation states have resources beyond most criminal organizations’ capabilities. “Our adversaries are willing to spend unlimited amounts of money creating a team environment, giving them all the technology they could possibly consume and as much time as that team wants… to embed itself into our infrastructure and to potentially impact us kinetically through a cyber attack,” says Edward Vasko, Director of the Institute for Pervasive Cybersecurity at Boise State University. The hacker group known as Cozy Bear is an example of a nation state-backed group. According to The Washington Post, it is part of the Russian foreign intelligence service. The group is believed to be responsible for the SolarWinds incident
that allowed them to access the networks of 30,000 public and private organizations in the U.S. However, the Russian government denies involvement. The SolarWinds incident highlighted the importance of software supply chain security. Most people think that technology is the biggest defense in cybersecurity, but this incident occurred due to a faulty business process. SolarWinds offers IT management software that essentially acts as an administrator for the system using it. According to businessinsider.com, in early 2020, hackers successfully added malicious code into SolarWinds’ software system. The breach went undetected and the company sent out an update to its clients, which is common practice with software products. The update included the malicious code that provided a backdoor into the companies and organizations using it. This gave hackers administrative power in each of the systems they infiltrated, explains Vasko. SolarWinds has many
high-profile clients, including government agencies like the U.S. Departments of Treasury and Commerce and even the U.S. cybersecurity firm, FireEye. “We’ve known for a time that the source code supply chain could be compromised,” says Vasko. Twenty or thirty years ago, companies built source code for their technology platforms in-house. For example, Microsoft had a team of people dedicated to building out Word. The world has since shifted to using distributed code. Let’s say a person builds a great piece of code that would take anyone a long time to build. Instead of someone else building that code from scratch again, they can license that code from the first creator. “You can reduce your cost to build out a new platform and increase the speed you can get to market,” Vasko explains. That code is then embedded into a platform and product. Anyone can build and sell modules of code in different marketplaces. The problem lies in verifying the