SolarWinds CEO Sudhakar Ramakrishna has revealed he is talking with his peers in the industry to form a consortium of like-minded, midmarket firms that could take collective action to defend themselves against nation state-backed malicious actors, such as Russia’s APT29, or Cozy Bear, the group that broke into SolarWinds’ network management platform to attack US government agencies and other organisations.
In conversation with the National Cyber Security Centre’s (NCSC’s) operations director, Paul Chichester, at the CyberUK 2021 conference – returning this year as a virtual event after going on hiatus in 2020 due to the pandemic – Ramakrishna discussed the ongoing SolarWinds investigation into the wide-ranging Cozy Bear attack, which was the result of a compromise of the company’s Orion network management platform with a tainted software upgrade, that was then delivered to victims.
Ramakrishna called for the industry to adopt a model of mutual responsibility and mutual accountability among smaller firms, noting that size alone is not an indicator of a company’s ability to protect itself from cyber attacks.
“I’m speaking actively with some industry leaders to potentially form a consortium of mid-sized companies,” said Ramakrishna, “which, if you add up all the mid-sized companies could be one very large entity that could take on even potentially a nation state.”
Ramakrishna said he believed such a group would maximise cyber information sharing and collaboration to build collective protection. He said this could ultimately benefit everybody.
“If all of us commit to sharing that information with the public sector and the public sector, in turn, it provides specific recommendations and continues to improve those recommendations and finds a way of not only building accountability, but providing regulation to help enforce it. Then we can all get to a level of standardisation that hitherto has been very ad hoc,” he said.
Ramakrishna told the CyberUK online audience that there was no need to accept that just because a nation state actor attacks a midsize company that the victim doesn’t stand a chance of fighting back.
The SolarWinds CEO – who joined the company shortly after news of the attack broke at the end of 2020 – also revealed he had faced numerous questions about why SolarWinds, as a victim, had adopted a policy of increased transparency about the attack since he joined.
“Therein lies part of the challenge that I think many vendors [and] many developers face because when they have issues, there is almost a disincentive to project them,” he said. “There is a notion of victim shaming, implicitly or explicitly, that happens, that we should try to root out.
“This is where I think public-private partnerships are very important, because ultimately if we all care about the collective safety of all of us, then we must practice a collective vigil system where there is an opportunity and an incentive to come out quickly, to reduce threat surfaces,” he added.
Ramakrishna said that given time, a determined nation state actor could easily attack any technology vendor, and that while everybody in the industry likes to believe they won’t be next, there were no guarantees around that, which in his view was all the more reason to encourage the notion of community vigilance and information sharing.
Ramakrishna added that since the attack, he had been highly encouraged by the support SolarWinds has received from government bodies, including the NCSC and its US counterpart, the Cybersecurity and Infrastructure Security Agency, and also spoke positively of the Biden administration’s new emphasis on cyber security, and the appointment of Anne Neuberger as a dedicated national cyber advisor.
“I’m seeing a lot more consistency of behaviour and approach across the public sector, and it warms my heart that there is a greater propensity to understand and accept that this is not a one company situation, and instead it should be taken a lot more seriously,” he said.