When SolarWinds was compromised, it set the stage for Russian-backed hackers to infiltrate Fortune 500 companies and several branches of the U.S. government. It gave Russia a bird’s-eye view of sensitive information, and signaled the failure of cybersecurity not as an industry, but as a concept as it is currently imagined.
If you’re lumping the recent SolarWinds hack in with everything else that happened to make 2020 synonymous with Friday the 13th, don’t. It’s an entirely different level of failure.
The Covid-19 pandemic, the wildfires around the world and the resulting political turmoil, job losses, and economic downturn were predictable even if they were outlier scenarios. The SolarWinds hack was totally foreseeable. And yet it happened. The damage across the growing list of infiltrated agencies and companies is unknowable.
How Bad Is It?
This is “Wile E. Coyote hit on the head by an anvil”-level bad. The U.S. Departments of Treasury, Commerce, Homeland Security, and Energy, as well as the Pentagon, Postal Service, and the National Nuclear Security Administration were compromised by threat actors acting on behalf of an adversarial nation state, or states.
Sensitive data belonging to the private and non-profit sectors is also dangling in the wind. As many as 18,000 companies and organizations, including several Fortune 500 companies, were victims of the same software backdoor that compromised U.S. government agencies. In short: what we know now is bad, and it’s almost guaranteed to get much worse.
Whose Fault Is It?
The most accurate answer is that we’re all to blame for this hack. The incident was traced back to SolarWinds Orion IT monitoring software that had been compromised by a Trojan malware program, which was in turn leveraged to compromise client networks. But what allowed the hack to happen is cultural: As a society that is dependent on the secure transfer, storage and deployment of digital media, we do an abysmal job of keeping the processes underlying daily life safe.
While the proverbial finger has been pointed at SolarWinds as being the weakest link that caused the current disaster, there are three fingers pointed back at all of us.
This doesn’t give SolarWinds a pass. A security researcher warned the company in 2019 about a hard-coded password protecting the now-breached server. The password? It was the stuff of cybersecurity breakroom jokes: “solarwinds123”. But to focus on this or that failure is to oversimplify at the expense of a teachable moment.
Consider the Challenger Space Shuttle crash, which was widely blamed on a single malfunctioning part. Further investigation found several factors caused that tragedy. The bottom line here is a failure of leadership in the way our organizations and workplaces treat cybersecurity issues. As with the Challenger tragedy, where violations of safety rules on the part of NASA were as much to blame as a faulty tile, the SolarWinds breach represents a systemic failure.
E Pluribus Unum: There Will Be More Hacks Like This
SolarWinds definitely should have paid more attention to its cybersecurity; that said, nations around the world have been warned for years that it was only a matter of time before a massive cyberattack hit sensitive government targets. In the U.S., a recent GAO report found that most federal agencies hadn’t adequately protected themselves from supply chain vulnerabilities like the one that caused the SolarWinds debacle.
Funds for the U.S. Cybersecurity and Infrastructure Security Agency were famously diverted to build President Trump’s wall at the Mexican border. But CISA is no more to blame than the SolarWinds customers who failed to recognize the potential risks posed by third-party IT vendors, and to properly vet them.
The sloppy practices, misplaced priorities, and poor leadership up and down the supply chain are not unique to SolarWinds. The SolarWinds hack was the result of our collective approach to cybersecurity, which is in dire need of an upgrade.
Peter Drucker is often credited with saying culture eats strategy for breakfast. The SolarWinds hack is a manifestation of a crisis in the way we treat our sensitive data. The culture of make-believe has to give way to a culture of stopgaps, failsafes and vigilance as relentless as the bad actors that target us.