Skip to content

Changes in Cybersecurity Policy Post-SolarWinds Attack

5 Important Takeaways from the SolarWinds Supply Chain Attack

Since 2019, significant cyberattacks have prompted the U.S. government and software industry to take action. In the years that followed, there were two summits, increased funds, executive orders, and a renewed resolve. The federal government wants to eliminate the threat posed by open-source software security as a result of such attacks. What, though, has resulted from these Cybersecurity Policy efforts over the past few years?

Cybersecurity Policy: The Wake-Up Call

Two executive orders on cybersecurity were issued by President Joe Biden last year, one titled “Improving the Nation’s Cybersecurity” and the other “Supply Chain Security.”

The Colonial Pipeline ransomware attack, a Microsoft Exchange Server attack, and the SolarWinds attack were all discovered six months before the executive order.

Using the SolarWinds Orion network management system, a nation-state launched a large and highly sophisticated supply chain cyber attack in December 2020, according to cybersecurity policy group FireEye (now Mandiant) (NMS). The most popular NMS in both business and government was SolarWinds. The disclosure from FireEye stood out. Instead of learning about the breach objectively, they had been harmed by it. The list of victims that followed was lengthy.

The SolarWinds software build environment was infected with malware by APT 29 (also known as Cozy Bear, UNC2452, and Nobelium), an attack group funded by the Russian government. As a result, hackers were able to access the systems, networks, and data of thousands of SolarWinds customers. It has since been referred to as the largest attack in history. The software is used by thousands of companies. To put it simply, in September of 2019 hackers gained access to SolarWinds’ networks. The following month, they infected Orion, a SolarWinds IT performance monitoring system, with malware dubbed Sunburst. The malware was then distributed by SolarWinds itself in Orion updates in March 2020.

Another incident that sparked action was the Log4j vulnerability, which served as a symbol of the danger posed by tainted supply chains and open-source vulnerabilities. Popular Java library Log4j is used for application logging. In addition to other vulnerabilities, the attackers found a remote code execution vulnerability. This enables them to access devices and software remotely to steal data or use ransomware.

Cybersecurity Policy: The Summits

As a result, the White House summits in January and May were organized by the National Security Council. More than 90 executives from 37 businesses and top government officials participated in the initiative on May 12 at the Open Source Software Security Summit II. Atlassian, Cisco, Dell, Ericsson, GitHub, Google, IBM, Intel, Microsoft, SAP, and more businesses participated.

The purpose of the meeting, in brief, was threefold:

  • To decrease open-source software’s security flaws
  • Increased use of security measures in open-source software development tools
  • To hasten fixes.

Their specific objectives included a thorough upgrade of open-source security output and patches.

During the meeting, Google Cloud promised to start an Open Source Maintenance Crew. To increase security, this engineering team will work with open-source programmers. They also released a new dataset on the software supply chain that is accessible to open-source programmers.

The $150 million 10-point strategy to enhance open-source and supply chain security over the following two years was revealed at the May meeting by the Linux Foundation and Open Source Security Foundation. Additionally, some businesses revealed their programs.

Unfinished Business

Although there has been significant industry improvement, there is still much to be done. Some opponents bemoan the lack of employees, resources, and time.

The solution proposed at the Open Source Software Security Summit II is by its very nature multidimensional, complex, long-term, and involves a sizable number of parties. After all, it takes time to alter the way individuals create open-source software. Timelines differ between organizations, and the majority of them are ongoing projects.

SolarWinds is constantly working with its clients to assist them to improve security while also modernizing all of its security-related processes.

82% of 1,000 chief information officers around the world who participated in a new survey said their companies are still vulnerable to supply chain assaults. However, a sizable majority is increasing security controls, modernizing review procedures, and increasing code signing usage. Today, open-source components are used in more than 90% of software systems with a focus on the supply chain.

Ongoing Outcomes for an Open-Source World

The American government and private sector are generally making some progress. To seriously address open-source and supply chain risks, however, is yet too early. The bad actors adapt in reaction to changes made by the government, the industry, and those working to strengthen Cybersecurity Policy open-source security.

Want to know more about Cybersecurity? Visit our course now.

But there is still reason to be positive. Recent high-profile cyberattacks, two executive orders from the Biden Administration, and two security summits are really lighting a fire under both public and private companies.

To counter future attacks, it is now necessary to redouble our efforts. We also need increased resources and, maybe, regulatory or industry intervention. Organizations must also understand the issues that could make them vulnerable. Quick action could stop the upcoming SolarWinds attack.

Explore more about the Cybersecurity Policy, just click here.


Here at CourseMonster, we know how hard it may be to find the right time and funds for training. We provide effective training programs that enable you to select the training option that best meets the demands of your company.

For more information, please get in touch with one of our course advisers today or contact us at training@coursemonster.com