The SolarWinds hack, it seems, was worse than initially feared — and initial fears were already alarming enough. The manner in which the U.S. government left itself vulnerable to the attack demands a reckoning that runs the policy gamut. But the best place to start may be the least flashy: security of the software supply chain.
Russia has perpetrated attacks through the supply chain before, and no wonder. By targeting a single weak link, especially a firm with widely used products, adversaries can reach thousands more — including those of high value. That also explains the hackers’ apparent interest in breaching Microsoft, CrowdStrike and FireEye. U.S. officials have been aware of this threat for years, yet multiple fatal flaws in the government’s approach to its technological infrastructure enabled Kremlin access to sensitive systems at the Department of Homeland Security, the Treasury Department, the National Institutes of Health and more. Government agencies don’t require suppliers to meet minimum security standards, they don’t test the software those suppliers provide to ensure it is secure, and they don’t have technology in place to monitor whether that software is “calling home” to places it shouldn’t. All that needs to change.
SolarWinds reportedly had a poor track record when it came to protecting its products. Only when Europe’s Global Data Protection Regulation forced it to do so in 2017 did the firm hire a chief information officer. An update-server password, unrelated to the backdoor exploited in this instance but unlikely to inspire confidence in the company more generally, was “solarwinds123.” Yet the myriad agencies dependent on its services didn’t know any of that, because they never bothered to check. Merely requiring that firms responsible for critical functions certify to undertake certain cybersecurity practices before supplying to the government could prove transformative: Code audits by independent parties are a clever route to verification, and authorities could influence private-sector risk management, too, by making the publication of those audits a prerequisite for procurement.
All this would help rescue government cybersecurity from its present shambles. Perfection, however, is impossible to achieve — which is why the next frontier is figuring out how to root out the attackers officials should assume have already found a way in. Agencies ignored a Government Accountability Office report advising them to update a malware-catching tool called “Einstein” that proved significantly less smart than its namesake. Einstein could nab only known assailants, not identify new ones; an upgrade is urgently in order. So is a strategy for speedy recovery from infiltration. This has to be an urgent priority for the Biden administration.
The Washington Post