Defining linchpins: An industry perspective on remediating Sunburst

The concept of linchpin software can be useful in assessing risk and focusing security efforts, but it comes with challenges.

The Sunburst campaign underscored the inherent risk that technology poses to the public and private organizations that use it. It is important to examine what happened, look for opportunities to improve, and move forward. The Atlantic Council’s latest report, “Broken Trust: Lessons from Sunburst,” introduces the concept of “linchpins,” which it defines as “widely used software with significant permissions ... on which every other security program or critical resource depends,” and which were a key factor in the Sunburst event. The report identifies the challenges involved in identifying, securing, and triaging this linchpin software.

This idea of linchpin systems is a potentially useful way to focus practitioner and policy analysis on critical shortfalls in cybersecurity. Like most private sector practitioners, we reviewed the linchpins concept and the report’s recommendations with an eye to practical implementation challenges. Philosophically, there is much consensus. Pragmatically, there are challenges that will need to be addressed in any recommended implementation plan.

The report recommends securing linchpin technologies by identifying software with a significant “blast radius”—high impact to Federal objectives—and more closely securing and managing its use. Recommendations for public-private partnerships include sharing adversary trends, software deployment best practices, and software bills of materials; improving open-source software management; and engaging industry CISOs to improve architecture. These recommendations are to be led by at least five different agencies, leveraging activities already in progress—without one ring to rule them all. We believe more could be accomplished by fully embracing the welcome ideas of simplicity and flow through a simplified, centralized driving force to streamline the recommended actions.

Applying federal risks to the private sector

The report's recommendations would require major cloud vendors to incorporate federal government risk models as priority guideposts in their feature roadmaps. We believe, however, that policy recommendations for industry cannot start from a government-first perspective. The public and private sectors share a combined technology ecosystem, and policies made for the public good must enable and work for both.
