January 12, 2021

Lessons from the SolarWinds Hack: Robust Cybersecurity Requires Leadership

It’s difficult to overstate the severity of the recent SolarWinds hack. It was a mega-breach, and unless we take immediate action, it will not be the last of its kind. The incident revealed both technical vulnerabilities that must be immediately addressed and strategic vulnerabilities that must be monitored over time.

The hack of SolarWinds is now known to be the work of an Advanced Persistent Threat Group, likely Russian in origin. By infiltrating the SolarWinds software, the hackers were able to then access tens of thousands of organizations such as Microsoft and FireEye as well as several U.S. governmental agencies, like the State Department and Treasury, as these organizations would routinely update the SolarWinds software.

As many have pointed out, the hackers exploited a supply chain risk. It boggles the mind to think why so many governmental agencies were using the same software.

Clearly, a new approach has to be taken regarding the software supply chain and unifying the many different U.S. government vendor guidelines. But this is not just a procurement failure; it’s a serious strategic one, too, in allowing so many critical national agencies to depend on a single vendor for any type of service. Such dependency significantly increases overall risk in case of a breach to unacceptable levels.

Historically, this type of strategic misstep tends to occur when there is no one individual accountable for the whole of cyberdefense—including “defending forward” against attacks. I know this from my own experience as well as the work that Toka has done with other governments. A clear chain-of-command and of accountability is critical to any cyberdefense.

Indeed, an effective national campaign against cyberthreats requires a national campaign leader. Fortunately, the U.S. Congress recently passed into law (over presidential veto) the FY2021 National Defense Authorization Act (NDAA), which includes provisions to establish a National Cyber Director position. This person will lead national-level coordination on cyber strategy, policy, and deterrence and coordinate closely with cabinet-level national security advisors. They will also serve as the President’s principal advisor on these issues and represent the US internationally.

U.S. Sen. Angus King and U.S. Rep. Mike Gallagher, co-chairs of the Cyberspace Solarium Commission (CSC), recently called the creation of the National Cyber Director position “a real game-changer,” and they are right. It also is an example for countries around the globe that there is no one technology that can protect you in the cyber-realm. It will take the right processes, personnel, and leadership that can look across bureaucratic silos, direct coordinated offensive and defensive efforts, and be held accountable for them all.