Implications for the Canadian public sector in the aftermath of the SolarWinds breach

2020 was a year of immense change. The rapid acceleration of people and processes going digital faster than ever before occurred in the wake of one of the worst global health crises in almost a century. The pandemic also forced many to work remotely and gain access to their information online to maintain productivity and business continuity.

The final weeks of 2020 were made even more troublesome in the United States when one of the largest breaches in American history was discovered. Beginning as early as March, SolarWinds unknowingly shipped a software update for its Orion platform that contained malicious code. That code gave the attackers a point of entry into its customers’ information systems, which they used to install further malware in order to monitor and spy.[1] By the time the compromise was discovered in December (by the security firm FireEye, while investigating an intrusion into its own network), the backdoored update had been installed by thousands of customers, including many well-known Fortune 500 companies and American federal agencies; a smaller subset of those installations were then actively exploited for follow-on intrusion.[2] The aftermath of the SolarWinds breach has set the stage not only for a heightened awareness of just how devastating and widespread this breach is, but also of how ill-prepared the American government was to detect and respond.

The SolarWinds breach represents a turning point in our collective cybersecurity history. Without proper action and deeper investigation into its implications, government bodies and authorities will remain ill-equipped to manage, detect and respond in ways that do not compromise domestic or global public sector entities. Perhaps more importantly, this incident serves as a timely warning of what a breach of this size and magnitude could mean for Canadian government institutions north of the border. It also raises an important question: how can the Canadian government, at all three levels, enable its workforce to prepare for, combat and manage these types of security risks?

Calls to action can no longer remain a gesture

Data breaches have become all too familiar. From the Equifax breach in 2017 that exposed the personal information of nearly 8,000 Canadians[3] to the Desjardins breach of 2019, in which several employees of the company stole the personal data of 4.2 million members[4], organizations are finding it increasingly difficult to protect personal information. With continuous news cycles reinforcing the damaging effects of malicious actors gaining access to sensitive information, calls for substantive action can no longer be ignored. This is compounded by the growing distrust Canadians harbour about how safely companies are storing their information.[5]

The SolarWinds breach reinvigorates the conversation around zero trust, an approach government institutions will need to embrace in a post-SolarWinds world. The concept is simple: “never trust, always verify.”[6] In practical terms, the first step is to identify a protect surface: the network’s most valuable and critical data, assets, applications and services.[7] From there, the organization maps how traffic moves to and from that surface and places controls in front of it, typically a segmentation gateway that permits access only to users and applications that have been authenticated and authorized for the specific resource they request. The decision is made on every request, based on identity, device state and context, rather than once at the network perimeter.

The benefit of this model is that important applications and workloads can be reached from any location, across public, private or hybrid clouds, without a user’s position on the network being treated as proof of trust. Zero trust will become more commonplace, not only in the private sector and corporate environments but also in the public sector. The caveat is that zero trust alone would not have prevented the SolarWinds scenario: the group attributed to the attack, APT29, also known as Cozy Bear, inserted malicious code into the company’s software build process, so the backdoored update reached a large number of agencies as a legitimately signed product those agencies had already decided to trust.[8] What zero trust can do in that situation is contain the damage, by ensuring that a compromised monitoring server holds only the access its role requires and that its attempts to move laterally or use credentials are verified and logged rather than assumed legitimate.
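To make the model concrete, here is an added example (not code from the article, nor from any product it mentions) of the deny-by-default evaluation a zero-trust policy point performs in front of a protect surface. The resource names, roles, network segments and device-posture fields are assumptions chosen for illustration. The last two constructed requests show the caveat above: a trusted monitoring service account is allowed exactly what its policy grants and nothing more, but the policy engine has no way of knowing whether the agent’s own binary is clean.

```python
"""Deny-by-default access decisions in front of a zero-trust protect surface.

Added example, not from the article. Resource names, roles, segments and the
device-posture fields are assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    principal: str             # identity asserted by the identity provider
    roles: frozenset           # roles attached to that identity
    mfa: bool                  # session passed multi-factor authentication
    device_compliant: bool     # endpoint posture: managed, patched, disk encrypted
    source_segment: str        # network segment the request arrives from
    resource: str              # protect-surface asset being requested
    action: str                # "read" or "write"


@dataclass(frozen=True)
class Policy:
    allowed_roles: frozenset
    allowed_segments: frozenset
    allowed_actions: frozenset = frozenset({"read"})
    require_mfa: bool = True
    require_compliant_device: bool = True


# The protect surface: the few assets that matter most, each with its own policy.
# Anything not listed here has no policy and is therefore denied.
PROTECT_SURFACE = {
    "citizen-records-db": Policy(
        allowed_roles=frozenset({"records-clerk", "records-app"}),
        allowed_segments=frozenset({"app-tier"}),
        allowed_actions=frozenset({"read", "write"}),
    ),
    "payroll-api": Policy(
        allowed_roles=frozenset({"hr-analyst"}),
        allowed_segments=frozenset({"hr-tier", "corp-vpn"}),
    ),
    "monitoring-console": Policy(
        allowed_roles=frozenset({"netops", "monitoring-agent"}),
        allowed_segments=frozenset({"mgmt-tier"}),
        require_mfa=False,  # service accounts authenticate with certificates, not MFA prompts
    ),
}


def evaluate(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; a missing policy means deny."""
    policy = PROTECT_SURFACE.get(req.resource)
    if policy is None:
        return False, f"{req.resource!r} has no policy: denied by default"
    if not (req.roles & policy.allowed_roles):
        return False, f"none of {sorted(req.roles)} may access {req.resource!r}"
    if policy.require_mfa and not req.mfa:
        return False, "multi-factor authentication required"
    if policy.require_compliant_device and not req.device_compliant:
        return False, "device failed posture check"
    if req.source_segment not in policy.allowed_segments:
        return False, f"segment {req.source_segment!r} is not allowed to reach {req.resource!r}"
    if req.action not in policy.allowed_actions:
        return False, f"action {req.action!r} not permitted on {req.resource!r}"
    return True, "all checks passed"


def decide_all(requests: list[Request]) -> list[tuple[str, str, bool, str]]:
    """Evaluate a batch and return (principal, resource, allowed, reason) tuples."""
    return [(r.principal, r.resource) + evaluate(r) for r in requests]


# Constructed requests: a clerk on a managed device, the same clerk without MFA,
# and a trusted monitoring service account that also tries to reach beyond its role.
SAMPLE_REQUESTS = [
    Request("clerk-01", frozenset({"records-clerk"}), True, True, "app-tier", "citizen-records-db", "write"),
    Request("clerk-01", frozenset({"records-clerk"}), False, True, "app-tier", "citizen-records-db", "read"),
    Request("svc-netmon", frozenset({"monitoring-agent"}), False, True, "mgmt-tier", "monitoring-console", "read"),
    Request("svc-netmon", frozenset({"monitoring-agent"}), False, True, "mgmt-tier", "citizen-records-db", "read"),
    Request("svc-netmon", frozenset({"monitoring-agent"}), False, True, "mgmt-tier", "legacy-file-share", "read"),
]

if __name__ == "__main__":
    for principal, resource, allowed, reason in decide_all(SAMPLE_REQUESTS):
        print(f"{'ALLOW' if allowed else 'DENY ':5} {principal:<11} -> {resource:<20} {reason}")
```

Running the block prints one decision per request: the clerk is allowed with MFA and denied without it, and the monitoring service account is allowed its own console but denied the records database (no role grants it) and the unlisted file share (no policy at all). The order of checks matters only for the reason string; every check must pass for an allow.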

For Canadian institutions, the discussion around detection and response also raises important considerations about recovery. As with any data breach, government organizations need to establish and conduct a proper after-action review (AAR) to determine the key takeaways and lessons learned, and to develop the mechanisms needed to ensure a repeat scenario does not take place.

The SolarWinds attack was a supply-chain attack. Government entities therefore need protection measures that monitor for and detect threats not just internally, but also in their interactions with third-party vendors and partners. This involves limiting the vulnerabilities introduced at each link of the supply chain.[9] In the SolarWinds case, the attackers did not directly attack the victims’ networks; they compromised a product that was already trusted and running inside those networks, so the intrusion arrived through a channel the victims had deliberately opened.
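One practical consequence of the point above is that a trusted vendor product still needs its network behaviour watched. The following added example (not code from the article or from any vendor it names) runs a simple detection over constructed outbound-connection log lines: it compares each destination reached by a named vendor process against the destinations the vendor declared at onboarding, and adds a second signal when the leftmost hostname label looks machine-generated. The log format, the process name “netmon-collector”, the vendor and internal domains, and the sample lines are all assumptions constructed for illustration; the entropy threshold is a starting point to tune, not a standard.

```python
"""Flag a trusted vendor product reaching destinations it has no business reaching.

Added example, not from the article. The log format, process name, vendor domains
and every sample line below are constructed for illustration.
"""
import math
import re
from collections import Counter

# Expected external destinations per trusted product, agreed with the vendor at onboarding.
EGRESS_ALLOWLIST = {
    "netmon-collector": {"updates.netmon.example", "telemetry.netmon.example"},
}
# A monitoring collector is expected to poll hosts inside the agency's own network.
INTERNAL_SUFFIXES = (".corp.example",)

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+)$"
)

# Constructed sample: one legitimate update check, one internal poll, two suspicious
# external connections, and a line from an unrelated process.
SAMPLE_LOG = """\
2020-12-08T03:14:22Z host=mon-01 proc=netmon-collector dst=updates.netmon.example:443
2020-12-08T03:14:25Z host=mon-01 proc=netmon-collector dst=sw-core-01.corp.example:161
2020-12-08T03:27:40Z host=mon-01 proc=netmon-collector dst=k3s7vwq2p0d9xz4bn1ye.cdn-assets.example.net:443
2020-12-08T03:31:02Z host=mon-01 proc=netmon-collector dst=files.transfer-hub.example:443
2020-12-08T03:31:09Z host=ws-042 proc=browser dst=news.example.org:443
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score higher than words."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse(line: str):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def is_internal(dst: str) -> bool:
    return dst.endswith(INTERNAL_SUFFIXES)


def dga_like(dst: str, min_len: int = 16, min_entropy: float = 3.5) -> bool:
    """Heuristic: a long, high-entropy leftmost label suggests a generated hostname."""
    label = dst.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def analyze(log_text: str) -> list:
    """Return one finding per connection by a trusted product to an undeclared destination."""
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["proc"] not in EGRESS_ALLOWLIST:
            continue  # only products on the trusted list are in scope here
        dst = rec["dst"]
        if is_internal(dst) or dst in EGRESS_ALLOWLIST[rec["proc"]]:
            continue
        reasons = ["egress outside the vendor's declared destinations"]
        if dga_like(dst):
            reasons.append("leftmost label looks machine-generated (long, high entropy)")
        findings.append({"ts": rec["ts"], "host": rec["host"], "proc": rec["proc"],
                         "dst": dst, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']} {f['proc']} -> {f['dst']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

On the sample log the block reports two connections: the high-entropy hostname (two reasons) and the plain but undeclared file-transfer host (one reason). The first line passes because it is on the allowlist and the second because it is internal; the browser line is out of scope because only trusted products are checked. In production the allowlist would come from the vendor’s documented endpoints and the findings would feed a SIEM rather than stdout.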

As the year progresses, government bodies at various levels will likely need to ramp up their use of enterprise Identity and Access Management (IAM) platforms to build zero-trust capabilities. These solutions must also cover interactions and connections with partners and contractors, to protect against attacks at every level of the government ecosystem. As a long-term strategy, government bodies and agencies will need to establish and maintain strong, secure links within their supply chain management solutions. This could take many forms, including requiring third-party vendors to sign their code so that all software actively running on government networks can be validated.[10] The caveat is that the trojanized SolarWinds update carried a valid SolarWinds signature, because the malicious code was inserted before the build was signed. A signature check therefore confirms who shipped a binary, not that the pipeline that built it was clean; it needs to be paired with vendor assurances about build integrity and with an inventory of what each product is expected to do and reach on the network, so that deviations can be detected.

Government work is evolving in scale and sophistication

The future of government work, in which technology is a necessity for delivering continued value, also speaks to the complex ecosystem government bodies are now part of. Government work is no longer carried out solely in a cubicle, with colleagues interacting only with one another. Completing projects and daily tasks involves working collectively with outside actors: partners, vendors and other governments. Within this far more complex ecosystem, the technology that enables government work needs to be secured, since there is an inherent risk of exposing public, private and national-security data.

In my recent podcast interview with the City of Toronto’s Chief Technology Officer, Lawrence Eta, he emphasized the importance of closing the digital divide through a digital canopy with a robust city-wide digital infrastructure to support it. This infrastructure would ensure that all new services and devices were stable, scalable, and encourage collaboration workflows to avoid siloed work.

The arrival of digital services and the transmission of sensitive information online and in the cloud at the municipal level shows that facilitating these digital interactions is key to meeting the needs of a city’s population. It also marks out another area in which appropriate responses to potential risks and data breaches must be developed, since such breaches directly affect the vital services delivered to city constituents.

A multi-layered approach to public sector data privacy

Developing a multi-layered approach to security threats at all levels of government involves three key elements:

  • A well-designed legislative and policy response that can be changed and revised as new threat actors arise.
  • Government agencies and bodies hiring qualified and experienced talent that can help prevent and respond to security threats.
  • Reinforcement of proper digital etiquette, with the knowledge government workers need to spot threats and escalate accordingly.

Each layer builds on the others and forms a reinforcing feedback loop. Should a new emerging threat evade current practices, newly revised legislation would need to take shape and be carried through again, right down to how employees maintain operations and business continuity.

Legislative overhaul

Privacy legislation established at the turn of the twenty-first century is no longer in line with the cybersecurity threats that stand to wreak havoc on government institutions and their data. Legislative reform needs to take into consideration these on-going and emerging issues to adapt quickly and appropriately to the changing landscape.

How are Canadian laws going to be updated and continuously revised to respond and evolve as these shifts occur in real-time? Can there be a readily available mechanism in place to ensure an appropriate legal response that will protect the rate of innovation, but not compromise online data security?

The conceptual framework of Development Legislation Opportunities (DevLegisOps) provides a response to the current and impending security threats that stand to cause immense damage to civilian information. DevLegisOps would entail a more agile and responsive approach, one that considers all avenues, has a designated path for redevelopment and advisement, but also continuously looks for improvement. A special task force or series of committees may need to be established to constantly reinforce this initiative.

War for talent becomes heightened

The Canadian public sector employs millions of people from coast to coast. Globally, the shortfall in cybersecurity professionals across all sectors is estimated in the millions, and government bodies compete for that same pool of talent. This vacancy rate poses a global threat. At the domestic level, the pandemic presents a unique opportunity to fill the numerous gaps in cybersecurity roles, since remote work removes the need to be located in the nation’s capital. The faster new talent is hired, on-boarded and trained, the better equipped governments will be to prepare for and respond to a breach.

Is your cyber hygiene up to code?

More than ever, ensuring government sector employees have a thorough understanding of the foundational principles of cyber protection is paramount. Cyber hygiene refers to a set of best practices for users that help maintain the health of the entire system and protect their identity, and the identity of others, from being compromised. For instance, whenever employees step away from their government-issued devices (tablets, phones or laptops), they should lock them, and the devices should be configured to lock automatically after a short idle period, so that illegitimate access to the institution’s VPN does not take place. This is all the more important given remote access by employees under the lockdown conditions caused by the global pandemic.

Another means of preventing unwanted access is to keep all software up to date, with the latest legitimate patches installed regularly.[11] IT departments can support these habits by documenting all active enterprise equipment and programs, and by promptly deprovisioning accounts and revoking access when employees leave the organization. Passwords should be long, unique and kept in a password manager, with multi-factor authentication enabled on every account that supports it. Current guidance (for example NIST SP 800-63B) is to change a password when there is reason to believe it has been compromised rather than on a fixed schedule, since forced frequent rotation pushes users toward weak, predictable variations. These seemingly small steps reduce the likelihood that a government agency’s network is breached.

What’s next for Canadian government institutions

The SolarWinds breach, like countless others, highlights the implications of our collective inaction – a compromised system that is far too accessible for hackers looking to take advantage. But more importantly, SolarWinds should kick start a wide-sweeping response across all three government jurisdictions to proactively lobby for more comprehensive and evolving measures to address a cyber threat landscape that shows no signs of slowing down. With the right talent, policy approach, and know-how, the Canadian public sector can take the country in a forward-thinking direction, one that is equipped and empowered to further develop a citizen trust model in the twenty-first century.
