Fortune - USA (2021-02 & 2021-03)


DAVID Z. MORRIS & ROBERT HACKETT


In early December, the cybersecurity firm FireEye disclosed that it had been hacked, by miscreants who had taken copies of powerful tools used by the company’s security testing teams. As it investigated, the company soon found that the attack was part of something much larger. FireEye’s systems, it turned out, had been compromised using spyware implanted via the IT management and security platform Orion, a top-selling product of an Austin-based IT software firm called SolarWinds.

Five days after the initial disclosure, FireEye alerted the public to what it had discovered, triggering a broader search that revealed a threat of staggering scale and terrifying subtlety. The compromised Orion software had not only reached thousands of SolarWinds’ corporate customers, but it had also exposed systems at the U.S. Treasury, the State Department, and the Department of Homeland Security. The attack had apparently begun more than a year earlier, and its methodical, long-simmering information-gathering approach suggested a nation-state was behind it. By early January, U.S. intelligence agencies were blaming Russia, and “SolarWinds” had become shorthand for a hacking catastrophe. (See “Timeline of a Cybercrime.”)

“It’s certainly going to be the worst cyberattack in United States history thus far, and I don’t believe people understand its magnitude,” says Tom Bossert, a former homeland security adviser for President Trump who is now president of cybersecurity startup Trinity Cyber. “It’s primarily so troubling because of its alarming scope—the scale of this is breathtaking.”

That includes the scope of the potential damage to business. While many high-profile hacks target customer data, such as credit card numbers and addresses, the SolarWinds attackers appear to have focused on much higher-value internal information. Their objectives appear

CYBERSECURITY

After SolarWinds: Untangling America’s Cybersecurity Mess

THE SOLARWINDS HACK EXPOSED DOZENS—MAYBE HUNDREDS—OF U.S. COMPANIES TO HACKERS’ SPYING EYES. IT ALSO UNCOVERED DEEP-ROOTED FLAWS IN THE WAY THE COUNTRY APPROACHES CYBERSECURITY. HERE’S WHAT WENT WRONG, AND HOW BUSINESS AND GOVERNMENT CAN FIX IT.

WHAT COMES NEXT