Why the SolarWinds hack is even worse than you thought

Bank review, current USBR score and consumer report

This is the web version of Data Sheet, a daily newsletter on the business of tech. Sign up to get it delivered free to your inbox. 

Most of the time when we hear about cybersecurity crimes, we hear from the leading players, companies like Crowdstrike that nailed the Russians for stealing DNC emails in 2016. Or Microsoft warning that the Russians were trying to hack 2018 election campaigns. Or FireEye disclosing last month that it was itself penetrated by nation-state hackers (who turned out to be Russians).

But, as we are learning from that last incident, we can’t ensure cybersecurity just by relying on the big names.

FireEye had uncovered the tip of what is now considered the largest and most damaging hack in the history of cybersecurity, one that breached the computer networks of hundreds of major companies and government agencies including the U.S. Treasury, the State Department, and the Department of Homeland Security. The attack is named SolarWinds after an obscure software developer in Austin, Texas, that was the starting point for the whole disaster.

As Data Sheet’s own Robert Hackett and our tech colleague David Z. Morris explain in their new feature story about the SolarWinds attack, Russian hackers were able get into so many networks just by inserting a backdoor into security software that the company produced and distributed to its many clients around the country.

Their deep dive explains not only how it happened but why. In particular, David and Robert note, the SolarWinds hackers didn’t go for the usual credit card numbers and email addresses that most cyberthieves seek. Instead, the hackers went for much higher-value internal information: emails with corporate and government secrets, the source code underlying Microsoft software, and the like.

The attack also undermines not just the reliance on one firm, SolarWinds, but perhaps the entire structure of cybersecurity in the United States, with its patchwork of government agencies, big-name security firms, thousands of smaller outside vendors, and internal IT department security efforts.

“Most experts in the industry view the decentralized, market-driven structure of U.S. cybersecurity as a source of agility and innovation,” David and Robert write. “But in the SolarWinds debacle, they also see the system’s weaknesses on full display. In this mega-breach, the industry’s flawed financial incentives, a lack of transparency, underinvestment in training, and old-fashioned cost-cutting each played a role.”

Aaron Pressman
@ampressman
aaron.pressman@fortune.com

***

We’re all familiar with the science-fiction trope of a computer getting so smart it takes on a mind of its own. That fantasy nowadays feels all-too-realistic, thanks to advances in Natural Language Processing (NLP). On this week’s Brainstorm podcast, hosts Michal Lev-Ram and Brian O’Keefe examine what it means to teach a computer to understand and even “think” like a human. What are the innovative possibilities this unlocks? What are the dangers? Listen to the episode here.

11 Things You Should Know Before You Get Your First Credit Card

A credit card may seem like just another tool to help you make purchases, but it can be much more. When used responsibly, a credit card can help you build

What Is a Balance Transfer, and Should I Consider Doing One?

In a perfect world, no one would carry a balance on their credit card. We would all pay our bills in full each month and never have to worry about

How Is Credit Card Interest Calculated?

So your bank tells you that your credit card has a 15% APR. What does that actually mean? How does your bank calculate your interest rate, and how does that translate into how much you actually pay? …

What Is a Balance Transfer, and Should I Consider Doing One?

In a perfect world, no one would carry a balance on their credit card. We would all pay our bills in full each month and never have to worry about

Subscribe to our e-mail list and stay up-to-date with all our news.

The US Bank Review is an independent authority and bank watchdog group monitoring financial institutions operating the in United States. We have no affiliation with any banks featured, reviewed or profiled. All rights reserved. Terms of use and Privacy Policy