The SolarWinds Wake-Up Call
The recently discovered SolarWinds hack holds obvious lessons for governments around the world, particularly after a year in which cyber attacks on critical infrastructure have surged. International action is urgently needed, not to write new treaties or codes of conduct, but to enforce existing norms.
WASHINGTON, DC – The recent discovery of the devastating Sunburst hacking campaign against US and global targets is once again challenging the international community to respond to an increase in cyber attacks. Over the past year, cybersecurity personnel worldwide have faced a surge of hacks against critical infrastructure, including institutions fighting the COVID-19 pandemic. While governments have openly condemned some of this behavior, more collective action is clearly needed.
There is no international treaty for cyber matters, and the 11 non-binding norms of responsible state cyber behavior endorsed by the United Nations General Assembly are somewhat ambiguous. Additional norms are being put forward all the time, which is a good thing. But norms are not treaties and should not be treated that way. The better option is to concentrate on the spirit – not just the letter – of what the norms convey. Indeed, the latest hacking revelation shows precisely why an international cybersecurity treaty would likely fail.
SolarWinds, a leading US network-management company, produces a monitoring platform that grants IT support staff remote access to devices that have it installed. The recent supply-chain attack hijacked the software’s update function to install the so-called Sunburst malware. As the tech publication The Register reports, SolarWinds software is deployed in more than 425 of the US Fortune 500 corporations, all major US telecoms companies, and most branches of the US government (with a similar presence in many other developed economies). And the cybersecurity company FireEye, whose reported breach early last week was instrumental in uncovering the campaign, said that institutions worldwide may have been compromised, even if the US government was the likely focus.