It's a risky cyber-world out there. A good recent example is the SolarWinds compromise, disclosed in December 2020: attackers later attributed to Russian intelligence broke into SolarWinds, a major software company based in Austin, Texas, and planted a backdoor in updates to its Orion network-monitoring platform, which thousands of customers run inside their own networks.
That attack, whose backdoor was dubbed Sunburst, has been characterized by Microsoft President Brad Smith as "the largest and most sophisticated attack the world has ever seen," and its impact spread like wildfire across the world’s cybersecurity and business communities.
Sunburst and other cyberattacks have caught the attention of two top researchers working for the Atlantic Council, a nonpartisan think tank based in Washington, D.C. that focuses on the world’s thorniest geopolitical questions. “Sunburst was a concrete example of how a sophisticated actor can not only hit a wide variety of actors, but do so in a very quiet and sneaky way to remain undetected,” says Will Loomis, assistant director with the Council’s Cyber Statecraft Initiative.
Will and his colleague Stewart Scott, assistant director with the Council’s GeoTech Center, were instrumental in producing two key reports published by the Initiative. The first one, Breaking Trust: Shades of Crisis Across an Insecure Software Supply Chain, catalogs key software supply chain intrusions and identifies major trends and implications from their execution. The second one, Broken Trust: Lessons from Sunburst, delves into the lessons learned from Sunburst and other attacks. “It puts the Sunburst campaign in context and pulls together some lessons for policymakers and cybersecurity practitioners on how we can better secure our systems going forward,” Will says.
So far, the response to Will and Stewart’s reports has been reassuring. “We’ve heard a lot of good sentiment from key stakeholders who tell us they’re aware this is an issue and they’re starting to think about their organizational cybersecurity in a better and more focused technology mindset,” Will says. Given the limited resources that many organizations have available for cybersecurity, he says, it’s important that they spend those resources intelligently on “mitigation strategies” that will make a real difference.
Tackling the Toughest Issues
At the Atlantic Council, Will and Stewart work to solve urgent societal issues at the intersection of technology and geopolitics. Will is particularly focused on exposing hidden risks posed by the software that permeates modern infrastructure. “It was really clear that society has a software problem,” Will says. “Software is no longer confined to computers. It now controls power generators, controls medical hardware and influences planetary-scale datasets. So, we need to shine a light on the problem of software supply chain security and put forward paths and recommendations to try and help solve this issue on a systemic basis.”
The team has explored how the United States and other western nations can effectively confront the threat of cyberattacks by global adversaries, and how to contain the damage when breaches can’t be avoided. “We call it minding the blast radius,” Stewart says. “If you are faced with 1,000 hackers committed to breaking down your defenses,” he explains, “you can only do so much to prevent initial incursion. The rest of your job has to be figuring out how to bound that.”
Protecting Open Source
Among other issues, Will wants to see the private sector and governments pay greater attention to protecting open source software and code. “It’s a critically important part of the software supply chain ecosystem and the backbone of huge swaths of the Internet,” Will says. “But it’s a critically underfunded attack area and has a really wide potential for blast radius. So, we need to put more support, more time and more funding into protecting open source.”
One of the keys to stopping attacks, the duo says, is “upping education” and instilling “basic cyber hygiene principles” into the U.S. education system at an early level. He notes that some of the biggest cyberattacks in recent history, such as the May 2021 ransomware attack that forced Colonial Pipeline to shut down its fuel pipeline, could largely have been prevented by setting and following simple security policies, like two-factor authentication and a unique password for every account. “101 Cybersecurity is a key first step that organizations need to be taking,” he says.
Stewart offers one simple step everyone can take to help guard themselves and their organizations against cybercrime: “Just don’t download random apps that aren’t purveyed by the actual vendor,” he says.
5 Key Trends from the Atlantic Council’s “Breaking Trust” Cybersecurity Report
State actors are among the most common originators of attacks against software supply chains.
Abuse of code signing, in which attackers steal or misuse the private keys and certificates behind software’s digital signatures so that malicious code passes as legitimately signed, is the source of a growing number of attacks.
A large number of attacks with “wide blast radiuses” have been perpetrated by bad actors compromising open source code, even “just one or two small open source pieces of code in a library.”
Software updates are a big source of cyberattacks, with attackers “sneaking malicious code within a software update” that customers then install as a trusted release.
More than a quarter of the total incidents identified by the researchers involved attackers who compromised apps or app-development tools for venues like Apple’s App Store, Google Play and others, sometimes creating a “look-alike” app.
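The two update-related trends above (abused code signing and malicious code slipped into an update) come down to one question on the receiving end: what does a client actually check before it installs a release? The program below is an added illustration, not code from the Atlantic Council report or from any vendor named on this page. It builds a signed update manifest with Ed25519, then runs a client-side gate over constructed scenarios: a genuine release, a file tampered with after signing, an attacker re-signing with a key the client never pinned, a replay of an older release, and a release signed with the vendor’s own stolen key. The product name, file names and contents are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one release: every shipped file and its SHA-256 digest.
// encoding/json writes map keys in sorted order, so the signed bytes are deterministic.
type Manifest struct {
	Product string            `json:"product"`
	Version int               `json:"version"`
	Files   map[string]string `json:"files"` // relative path -> hex SHA-256
}

// SignedUpdate is the bundle a client downloads.
type SignedUpdate struct {
	ManifestJSON []byte            // the exact bytes the vendor signed
	Signature    []byte            // Ed25519 signature over ManifestJSON
	Files        map[string][]byte // payload: path -> contents
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify under the pinned vendor key")
	ErrRollback       = errors.New("update version is not newer than the installed version")
	ErrDigestMismatch = errors.New("file digest does not match the signed manifest")
	ErrUnlistedFile   = errors.New("payload contains a file the signed manifest does not list")
)

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// BuildUpdate is the vendor-side step: hash every file, then sign the manifest.
func BuildUpdate(priv ed25519.PrivateKey, product string, version int, files map[string][]byte) (SignedUpdate, error) {
	m := Manifest{Product: product, Version: version, Files: map[string]string{}}
	for path, content := range files {
		m.Files[path] = digest(content)
	}
	raw, err := json.Marshal(m)
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{ManifestJSON: raw, Signature: ed25519.Sign(priv, raw), Files: files}, nil
}

// VerifyUpdate is the client-side gate: nothing in the payload is trusted until the signature
// verifies under the key pinned at install time, the version moves forward, and every file
// matches its signed digest. Extra files that the manifest never listed are refused too.
func VerifyUpdate(pinned ed25519.PublicKey, installed int, u SignedUpdate) (Manifest, error) {
	if !ed25519.Verify(pinned, u.ManifestJSON, u.Signature) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(u.ManifestJSON, &m); err != nil {
		return Manifest{}, err
	}
	if m.Version <= installed {
		return Manifest{}, ErrRollback
	}
	for path, want := range m.Files {
		content, ok := u.Files[path]
		if !ok || digest(content) != want {
			return Manifest{}, fmt.Errorf("%w: %s", ErrDigestMismatch, path)
		}
	}
	for path := range u.Files {
		if _, ok := m.Files[path]; !ok {
			return Manifest{}, fmt.Errorf("%w: %s", ErrUnlistedFile, path)
		}
	}
	return m, nil
}

// RunScenarios runs the gate over constructed inputs and returns the verdict for each case.
func RunScenarios() map[string]error {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader) // attacker's own key, never pinned by clients

	// Constructed payload for a hypothetical product; names and contents are illustrative only.
	files := map[string][]byte{
		"bin/agent.exe":      []byte("legit agent build"),
		"lib/monitoring.dll": []byte("legit monitoring library"),
	}
	genuine, _ := BuildUpdate(vendorPriv, "ExampleMonitor", 2, files)
	res := map[string]error{}
	_, res["genuine"] = VerifyUpdate(vendorPub, 1, genuine)

	// Malicious code inserted into one file after signing: the digest check catches it.
	trojanized := genuine
	trojanized.Files = map[string][]byte{"bin/agent.exe": files["bin/agent.exe"],
		"lib/monitoring.dll": []byte("legit monitoring library + backdoor")}
	_, res["trojanized_file"] = VerifyUpdate(vendorPub, 1, trojanized)

	// Attacker rebuilds and re-signs the manifest with a key the client never pinned.
	resigned, _ := BuildUpdate(attackerPriv, "ExampleMonitor", 2, trojanized.Files)
	_, res["attacker_resigned"] = VerifyUpdate(vendorPub, 1, resigned)

	// Replaying an older, genuinely signed release against a newer install is refused.
	_, res["rollback"] = VerifyUpdate(vendorPub, 2, genuine)

	// Stolen vendor key: the backdoored build verifies cleanly. A signature proves key
	// possession, not intent, which is why key custody and build integrity matter.
	stolen, _ := BuildUpdate(vendorPriv, "ExampleMonitor", 3, trojanized.Files)
	_, res["stolen_key"] = VerifyUpdate(vendorPub, 1, stolen)
	return res
}

func main() {
	for name, err := range RunScenarios() {
		fmt.Printf("%-18s %v\n", name, err)
	}
}
```

The last scenario is the important one for a practitioner reading the trends list: signature and digest checks stop a tampered download and an impostor signer, but they cannot distinguish a genuine build from a backdoored one signed with the vendor’s real key, which is exactly the Sunburst situation. That gap is closed only upstream, by protecting signing keys and the build pipeline, not by anything the client can check.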
Learn more about Will Loomis and Stewart Scott and their work on the Atlantic Council’s Cyber Statecraft Initiative by tuning into Episode 105 of DevOps Radio. Visit the Atlantic Council’s website at www.atlanticcouncil.org.