There are about 1,000 players in Major League Baseball. There were roughly the same number of hackers tasked with the SolarWinds hack, according to Microsoft President Brad Smith.
In a recent 60 Minutes segment, Smith said was “the largest and most sophisticated attack the world has ever seen.” So far, we know that the SolarWinds hack compromised email accounts in the U.S. Treasury, Justice Department, Commerce Department, and many others targets.
The implications are frightening. It seems reasonable to assume that with such a mobilization, there may be a larger organization tasked with similar exploits. While 1,000 people would be the size of a small village, the worry is that the team that accomplished the SolarWinds exploit may just be a neighborhood-sized group in a city-size digital army dedicated to such activity–a Manhattan Project scope focused on cyberwarfare.
Are Other Countries Better than the U.S. at Hacking?
Short answer: It’s possible. There is a significant gap in available talent both in the areas of cyber and software engineering. It’s an open secret that American companies, organizations, and government agencies have struggled for years to fill positions with qualified cyber professionals.
The reasons are myriad, but education seems to be key. Russia generated more than twice the number of American high school students concentrated on computer science between 2005 and 2016 despite having less than half of the population. China and Iran likewise have placed a premium on computer science training.
Technology markets in the U.S. are concentrated in specific geographic areas, most notably Silicon Valley, which leaves other regions with a talent problem.
Finally, the Federal government’s shutdown theater has led to an exodus of trained cybersecurity professionals. (Many, myself included, predicted that the exodus following the 2019 shutdown would lead to greater vulnerabilities in the nation’s cybersecurity posture.)
Need More Reasons to Worry?
In the realm of cybersecurity, skilled technicians often work the digital gold mines known as bug bounty programs. The job: Find potentially lucrative vulnerabilities is a big business. Every day, a ragtag army of lone wolf hackers and small groups participate in bug bounty competitions in the hope of finding a major problem–and with that a big payday.
Google shelled out more than $6.7 million in 2020 alone for the discovery of vulnerabilities. That sum went to six hundred and sixty-two security researchers.
For perspective, that’s two-thirds the number of security researchers involved in the SolarWinds hack, all of them focused on a single security exploit dating back at least to 2019. That’s some bug hunt.
Perhaps more concerning than the evidence of the SolarWinds hack being a coordinated campaign of 1,000+ professionals is exactly how many more battalions of cyber warriors are currently working on similar projects.
Takeaways
- We do not know the scope of the SolarWinds hack, and if there are similar projects underway.
- The number of people involved in the attack suggests a government operation.
- Several of the best known hacks and data compromises have required a relatively small number of hackers to do a massive amount of damage.
- Approximately 18,000 companies and organizations may have been affected by the SolarWinds hack.