The Sunburst campaign underscored the inherent risk of technology to the public and private organizations who use it. It is important to examine what happened, look for opportunities to improve, and move forward. The Atlantic Council’s latest report “Broken Trust: Lessons from Sunburst” introduces the concept of “linchpins,” which it defines as “widely used software with significant permissions … on which every other security program or critical resource depends,” and which were a key factor in the Sunburst event. The report identifies challenges to identifying, securing, and triaging this linchpin software.
This idea of linchpin systems is a potentially useful way to focus practitioner and policy analysis of critical shortfalls in cybersecurity. Like most private sector practitioners, we reviewed the linchpins concept and the report’s recommendations with an eye to practical implementation challenges. Philosophically, there is much consensus. Pragmatically, there are challenges which will need to be addressed in any recommended implementation plan.