The breach of U.S. government email accounts by Chinese hackers, which Microsoft reported this week, will no doubt become one of the leading cybersecurity stories of 2023. It will join the likes of the SolarWinds hack and the Log4J fiasco as a major cybersecurity breach. Analysts will cite this breach for years to come to underscore why investment in cybersecurity is so critical.
But the government email breach isn’t just another example of what can go wrong when the bad guys find holes in cyberdefenses. It exemplifies novel cybersecurity challenges that forward-thinking businesses should be preparing for today. Doing more of the same on the cybersecurity front won’t protect organizations against attacks like this one.
To prove the point, let’s unpack three key takeaways from the Microsoft government hack and what they mean for the future of cybersecurity at organizations everywhere.
Perhaps the most important lesson from this incident is that the most serious threats facing organizations today are highly sophisticated ones. Gone are the days when ransomware or phishing attacks targeting low-hanging fruit – meaning businesses that were underprepared because they failed to meet standard baselines of cybersecurity preparedness – were the main challenge that CISOs had to worry about.
In the case of this hack, sophisticated, government-sponsored threat actors who presumably had extensive resources at their disposal carried out a complex attack. They didn’t exploit a known vulnerability in a server that someone had forgotten to patch, or email unsuspecting employees hoping to trick them into handing over passwords. They apparently discovered and exploited a zero-day flaw within a complex system managed by one of the world’s most sophisticated and successful tech companies – Microsoft.
The takeaway here is that erecting defenses that make your organization harder-than-average to breach will no longer suffice because the bad guys might not simply be searching for low-hanging fruit. Protecting against more mundane risks, like those that traditional ransomware attackers exploit, remains important, of course. But understanding which threat actors might be seeking to carry out more sophisticated and targeted attacks against your organization will be critical, too.
The government hack is also notable because it highlights how sophisticated threat actors are targeting software supply chains in novel ways.
Traditionally, when cybersecurity analysts talked about software supply chain security, they referred to ensuring that any third-party software components that businesses imported into their applications – such as open source libraries or modules – were secure. Hence why the U.S. government instructed developers to compile Software Bills of Materials (SBOMs). SMOBs provide visibility into the third-party software resources that businesses depend on.
SBOMs are important for determining whether a known vulnerability impacts a business’s apps. But in the case of the government hack, an SBOM would not have helped protect victims because this was not a conventional software supply chain attack. The Chinese hackers did breach the software supply chain of government agencies, but they did so by targeting a third-party SaaS platform – Microsoft Exchange Online – rather than targeting code that victims incorporated directly into their own software applications.
This type of supply chain breach isn’t entirely novel. The SolarWinds attack similarly gave attackers a backdoor into the IT environments of companies that used a third-party application. Although in that case the attackers planted malicious code into the product, which made the incident resemble a traditional supply chain breach in many ways. With this latest government hack, threat actors didn’t plant malicious code into anyone’s software supply chain; they just found a way to exfiltrate user data from third-party software that government agencies depend on.
Plus, to remediate the attack, victims had to rely on their software vendor. That also makes this incident different from conventional software supply chain attacks, which developers can remediate themselves by removing vulnerable components from their applications. In this case, only Microsoft could supply the remediation.
The key lesson here is that CISOs must think more broadly about software supply chain security. Securing your supply chain must involve more than just ensuring the securing of third-party code that your business depends on. Engaging with software vendors to manage supply chain security in SaaS apps is equally critical.
Finally, this incident is a reminder that geopolitics is poised to play an increasingly important role in cybersecurity. Although it’s not clear exactly why Chinese hackers targeted government agencies, it’s a reasonable assumption that Chinese government competition with the United States was a factor.
A similar story has already been playing out in the context of the Ukraine conflict, which bore important implications for global cybersecurity. This latest attack highlights how tension between two other nations – the United States and China – may also lead to increased cyber attacks and cyberespionage, and perhaps not only against government agencies.
A deep dive on what all of the above means for CISOs and the future of cybersecurity is beyond the scope of this post. But in short, businesses must adapt to a changing cybersecurity environment by:
- Steeling themselves against highly sophisticated threat actors.
- Taking a broader and more dynamic approach to software supply chain security by extending it to include partnerships with third-party SaaS vendors.
- Anticipating and preparing to respond to cybersecurity threats linked to global conflicts or tensions.
That, at least, is what we’re thinking about the future of cybersecurity based on the information released so far about the Chinese hack. We look forward to sharpening our thoughts and guidance as more details emerge about the nature and scope of the incident.
To access more insights and would like to learn more about the benefits of IDC and how our IT Executive Programs can help you with your IT strategy, implementation, and digital transformation, click the button below.