Why the SolarWinds hack is even worse than you thought
The Russian attack stole source code, corporate emails, and other high-value information.
This is the web version of Data Sheet, a daily newsletter on the business of tech. Sign up to get it delivered free to your inbox.
Most of the time when we hear about cybersecurity crimes, we hear from the leading players, companies like Crowdstrike that nailed the Russians for stealing DNC emails in 2016. Or Microsoft warning that the Russians were trying to hack 2018 election campaigns. Or FireEye disclosing last month that it was itself penetrated by nation-state hackers (who turned out to be Russians).
But, as we are learning from that last incident, we can’t ensure cybersecurity just by relying on the big names.
FireEye had uncovered the tip of what is now considered the largest and most damaging hack in the history of cybersecurity, one that breached the computer networks of hundreds of major companies and government agencies including the U.S. Treasury, the State Department, and the Department of Homeland Security. The attack is named SolarWinds after an obscure software developer in Austin, Texas, that was the starting point for the whole disaster.
As Data Sheet’s own Robert Hackett and our tech colleague David Z. Morris explain in their new feature story about the SolarWinds attack, Russian hackers were able get into so many networks just by inserting a backdoor into security software that the company produced and distributed to its many clients around the country.
Their deep dive explains not only how it happened but why. In particular, David and Robert note, the SolarWinds hackers didn’t go for the usual credit card numbers and email addresses that most cyberthieves seek. Instead, the hackers went for much higher-value internal information: emails with corporate and government secrets, the source code underlying Microsoft software, and the like.
The attack also undermines not just the reliance on one firm, SolarWinds, but perhaps the entire structure of cybersecurity in the United States, with its patchwork of government agencies, big-name security firms, thousands of smaller outside vendors, and internal IT department security efforts.
“Most experts in the industry view the decentralized, market-driven structure of U.S. cybersecurity as a source of agility and innovation,” David and Robert write. “But in the SolarWinds debacle, they also see the system’s weaknesses on full display. In this mega-breach, the industry’s flawed financial incentives, a lack of transparency, underinvestment in training, and old-fashioned cost-cutting each played a role.”
Aaron Pressman
@ampressman
aaron.pressman@fortune.com
***
We’re all familiar with the science-fiction trope of a computer getting so smart it takes on a mind of its own. That fantasy nowadays feels all-too-realistic, thanks to advances in Natural Language Processing (NLP). On this week’s Brainstorm podcast, hosts Michal Lev-Ram and Brian O’Keefe examine what it means to teach a computer to understand and even “think” like a human. What are the innovative possibilities this unlocks? What are the dangers? Listen to the episode here.
