The British government has denied being “complacent” over the SolarWinds hack as a fed-up peer of the realm urged a minister to “answer the question”.
Lord True, the government’s Cabinet Office spokesman in the House of Lords, described the attack as “a complex and global cyber incident” and said UK.gov was “working with international partners to fully understand its scale and any UK impact.”
The Conservative minister had been answering questions from the House of Lords over the SolarWinds hack, the largest supply chain security breach in recent years. Although the attack had been seemingly targeted at the US, parliamentarians are worried that the British government is simply brushing off suggestions that the UK was also affected, which it certainly is.
Lord Harris of Haringey remonstrated with the government over its “complacence” yesterday afternoon, noting that “a large number of systems in the national infrastructure use SolarWinds software and have been compromised” and that “the House has not been told how many.” He went on to ask: “Does not the reliance on these sorts of commercial software solutions [such as SolarWinds] create a single point of failure for our security and economy as multiple systems, otherwise unrelated, can be penetrated simultaneously, potentially leading to a catastrophic collapse?”
Lord True told peers: “I’ll say it again, the government’s response is not complacent and the NCSC is working to mitigate any potential risk; actionable guidance has been published to their website. And we urge organisations to take immediate steps to protect their networks.”
Lord Browne of Ladyton, a Labour peer, went on to describe “21st century mercenaries” involved in some attacks – it was not immediately clear what he was referring to, though some Russian APT crews have previously shown signs of going (even more) rogue – and asked the minister: “Can we be assured that the government review will consider whether our cyber capability and our regulatory infrastructure is fit for purpose in the face of this emerging threat?”
Replying for Her Majesty’s Government, Lord True said: “The government is certainly giving attention to that, seeking to promote cyber skills and seeking to encourage a sustainable pipeline of homegrown cyber security talent.”
Evidently frustrated by the minister’s smooth denials, Baroness Hayter, another Lib Dem, quoted Microsoft security ‘n’ legal veep Brad Smith, echoing her Parliamentary colleague’s praise for Redmond’s comparatively “transparent” communications about the SolarWinds attack.
The SolarWinds hack was focused on compromising that company’s Orion system management platform. Hackers unknown infiltrated SolarWinds’ build environment and deployed an extremely carefully crafted set of tools that inserted malicious code into Orion updates as the company itself compiled them, so the tampered builds carried SolarWinds’ own legitimate signature. That code then gave the attackers a known route into any network running Orion.
SolarWinds’ customers, aside from a telephone directory-style list of American government agencies, also included Britain’s Cabinet Office, the NHS, the Ministry of Defence and other critical government institutions and ministries. ®