CybersecurityThe SolarWinds Hack Was All but Inevitable – Why National Cyber Defense Is a “Wicked” Problem and What Can Be Done about It
Software supply chains are vulnerable to hackers: Many U.S. companies outsource software development because of a talent shortage, and some of that outsourcing goes to companies in Eastern Europe that are vulnerable to Russian operatives. One problem is that U.S. national cyber defense is split between the Department of Defense and the Department of Homeland Security, which leaves gaps in authority. There are no easy solutions to shoring up U.S. national cyber defenses.
The SolarWinds hack was more than just one of the most devastating cyberattacks in history. It was a major breach of national security that revealed gaps in U.S. cyber defenses.
These gaps include inadequate security by a major software producer, fragmented authority for government support to the private sector, and a national shortfall in software and cybersecurity skills. None of these gaps is easily bridged, but the scope and impact of the SolarWinds attack show how critical they are to U.S. national security.
The SolarWinds breach, likely carried out by a group affiliated with Russia’s FSB security service, compromised the software development supply chain used by SolarWinds to update 18,000 users of its Orion network management product. The hack, which allegedly began in early 2020, was discovered only in December when cybersecurity company FireEye revealed that it had been hit by the malware. More worrisome, this may have been part of a broader attack on government and commercial targets in the U.S.
Supply Chains, Sloppy Security and a Talent Shortage
The vulnerability of the software supply chain – the collections of software components and software development services companies use to build software products – is a well-known problem in the security field. In response to a 2017 executive order, a report by a Department of Defense-led interagency task force identified “a surprising level of foreign dependence,” workforce challenges and critical capabilities such as printed circuit board manufacturing that companies are moving offshore in pursuit of competitive pricing. All these factors came into play in the SolarWinds attack.
SolarWinds, driven by its growth strategy and plans to spin off its managed service provider business in 2021, bears much of the responsibility for the damage, according to cybersecurity experts. I believe that the company put itself at risk by outsourcing its software development to Eastern Europe, including a company in Belarus. Russian operatives have been known to use companies in former Soviet satellite countries to insert malware into software supply chains. Russia used this technique in the 2017 NotPetya attack that cost global companies more than US$10 billion.
SolarWinds also failed to practice basic cybersecurity hygiene, according to a cybersecurity researcher. Vinoth Kumar reported that the password for the software company’s development server was allegedly “solarwinds123,” an egregious violation of fundamental standards of cybersecurity. SolarWinds’ sloppy password management is ironic in light of the Password Management Solution of the Year award the company received in 2019 for its Passportal product.
