January 5, 2021

This post is a one in the “Rethink Cybersecurity” series. Additional posts in this series are available here

Naturally, and appropriately Congress is beginning its review of the attack on SolarWinds software which will possibly be the broadest and most damaging in history. We won’t know the details of the harms for months or years.

As Congress begins its review the most important thing for them to understand is this:

Cybersecurity is not simple or easy.

We are already seeing finger pointing at the SolarWinds executives for being and hearing examples of shoddy security practices (apparently a key password was SolarWinds1234). 

If there was corporate mismanagement and disingenuous filings to the SEC or other agencies of jurisdiction, obviously these ought to be prosecuted. 

However, it is equally malfeasant for Congress to rely on these simplistic explanations. Of the SolarWinds attack – implying that simple basic security procedures and normal corporate responsivity are at the heart of these attacks and all we need is to impose significant penalties on corporations to assure cybersecurity.

It would be great if this was all that simple – it’s not.

The attack on SolarWinds was an attack by Russia.  The notion that private companies can protect themselves against aggressive cyber-attacks is totally unrealistic.

Moreover, as we detailed in our post yesterday, the SolarWinds attack was different in kind from most previous high-profile attacks like Target, Sony or Equifax.  Solar Winds was a systemic attack, meaning the goal wasn’t to breach a specific organization, it was to compromise the system – the SolarWinds software – that served multiple entities, both government and industry.

To defend against these attacks, we need to do far more than focus on the individual locations of the compromise or the specific individual who was in charge of the entity.

If Congress is going to, as it should,  seriously analyze and re-think our nation’s cybersecurity it needs to start by appreciating that cybersecurity is about more than technical operational standards and information sharing.

Our cyber systems are a complex web of intermingled and interdependent networks – some of them government operated some of them operated by private companies.  Also, fundamental to understanding this web is to appreciate that the basis for their creation and operation is different.  Private sector systems – which the government depends on – are motivated by market economies.  Government systems are not.  In order to sustainably secure the system as a whole we need to get into the economic basis for these complimentary systems and adjust them so as to create a sustainable system of security.  Our current public policies do not do this which is a major reason why they are consistently failing.

Einstein supposedly said doing the same thing over and over and expecting different results is the definition of insanity.

Hopefully as Congress begins to review, they SolarWinds attack they will do it in a sane and productive fashion.

Join the Rethink Cybersecurity Community click here