Fortune - USA (2021-02 & 2021-03)

WHAT COMES NEXT : CYBERSECURITY

to have included penetrating email systems and accessing corporate secrets—among them, the source code underlying Microsoft’s software. Cisco, Intel, Nvidia, and Deloitte are among the other giants who say they were exposed to the Orion patch. No company has admitted to being seriously impacted yet, but IT departments are bracing for the worst: theft of assets and intellectual property, leaks of internal data and deliberations, and the vast expense of scrubbing or even rebuilding their compromised systems.

Just as frightening as the scope is how smoothly the attack circumvented government and private-sector cyberdefenses. Some see the attack not as a failure by one software vendor, but as an indictment of U.S. cybersecurity itself. “The United States created the Internet,” says Katie Moussouris, founder of Luta Security and a pioneering cyberdefense pro at Microsoft and Symantec. But in cybersecurity, “we are losing our lead.” Whatever its consequences turn out to be, the SolarWinds hack has exposed major flaws in the patchwork public-private partnership we’ve relied on to keep our information technology safe, drawing attention to just how ill-coordinated and permeable it can be.

In the traditional defense supply chain—think the makers of fighter jets or Coast Guard cutters—private contractors submit to strict oversight and rigorous standards in exchange for long-term, high-value government contracts. In cybersecurity, in contrast, a handful of midsize government agencies work with a vastly larger constellation of private software developers, cybersecurity contractors, and their customers, offering relatively few guidelines and imposing only loose oversight.

Most experts in the industry view the decentralized, market-driven structure of U.S. cybersecurity as a source of agility and innovation. But in the SolarWinds debacle, they also see the system’s weaknesses on full display. In this mega-breach, the industry’s flawed financial incentives, a lack of transparency, underinvestment in training, and old-fashioned cost-cutting each played a role.

These failures encapsulate the challenge of fixing America’s cybersecurity structure. The encouraging news is that corporate and public-sector reformers are already responding with repairs and countermeasures; the less good news is that many of those repair efforts are in their earliest days. (For more about those efforts, see the accompanying story.)


When FireEye went public with its SolarWinds news, neither the National Security Agency, the Pentagon’s Cyber Command, nor any other U.S. intelligence or cyber agency had detected the attack, even though it had likely been underway for months. That notion is troubling enough: Even more stunning is the fact that FireEye wasn’t legally obligated to inform anyone—publicly or privately—about its discovery.

There are a growing number of legal requirements for firms such as retailers or banks to report hacks involving


NOW THAT JOE BIDEN has taken office, he’s got to figure out how to dig the country out of a spectacular, smoldering crater.

For about as long as the coronavirus pandemic ravaged the United States, another sinister invasion was taking place—except in secret. This incursion was an audacious, silent cyberattack that infiltrated, ransacked, and subverted at least 10 government agencies and potentially hundreds of corporations.

The President is inheriting a mess, to put it mildly. “It’s not Pearl Harbor. It’s not an act of war,” stresses Mark Montgomery, head of the Cyberspace Solarium Commission, a federal cybersecurity task force. “But it was a brutal act of espionage that is going to cost us a lot of money”—many, many billions, he says—“to recover from.”

Biden is entering the fray with no illusions, if little clarity, about the magnitude of the challenge he faces. “There’s still so much we don’t know, including the full scope of the breach or the extent of the damage it has caused. But we know this much: this attack constitutes a grave risk to our national security,” the then President-elect said in December after the hack’s discovery. Echoing Biden’s avowal, a National Security Council spokesperson tells Fortune the administration will be “elevating [cybersecurity] as an imperative across the government from day one” and will “hold accountable those responsible for attacks.”

Toward that end, Biden’s team has earmarked $10 billion of pandemic relief for additional IT spending. Assuming Congress approves it, more than two-thirds will go to the Homeland Security Department’s top cyber outfit to improve incident response and network monitoring across government. Biden has already made a number of calculated appointments to deal with the situation, including plucking Anne Neuberger, an NSA honcho, for a new cyber advisory role on his National Security Council, and the latest defense legislation gives him some powerful new tools.

If America is going to pull out of the ever-widening gyre that is the SolarWinds hack, the new Commander-in-Chief has to stay focused. On the following pages, you’ll find four policy recommendations, sourced from public- and private-sector cybersecurity experts, that should top his list.

THE EPIC HACK HAS UNDERSCORED THE DISORGANIZATION THAT UNDERLIES AMERICA’S CYBERSECURITY POLICY. HERE ARE FOUR WAYS THE NEW ADMINISTRATION CAN CHANGE THE SYSTEM FOR THE BETTER.

STRIKING BACK

HOW THE BIDEN WHITE HOUSE SHOULD RESPOND TO SOLARWINDS