An article published by ProPublica.org strongly suggests that the devastating SolarWinds data breach, which released sensitive information from a number of government agencies, could have been prevented if only a defense strategy built under a government grant had been put in place. The in-toto framework, which was developed under a $2.2 million grant from the US National Science Foundation (NSF), the Defense Advanced Research Projects Agency (DARPA), and the Air Force Research Laboratory (AFRL), was designed to provide transparency throughout the software development supply chain. Such a system would have made it extremely difficult to insert malware into a routine software update, which was the source of the SolarWinds breach.
Yet, according to Dr. Justin Cappos, an associate professor at NYU Tandon School of Engineering and leader of the team of academics who developed the system, the federal government has taken no steps to require its software vendors, such as SolarWinds, to adopt it. Indeed, he points out, no government agency has even inquired about it.
“In security, you almost never go from making something possible to impossible,” Cappos told reporters from ProPublica. “You go from making it easy to making it hard. We would have made it much harder for the [SolarWinds] attackers, and most likely would have stopped the attack.” Robert Beverly, who oversees in-toto’s federal grant as a program director at the National Science Foundation, concurs with Cappos’ opinion, observing that “there seems to be some strong evidence that had some or all of the in-toto technologies been in place, this would have been mitigated to some extent.”