In 1983, much of the world was introduced to the idea of computer hacking via the film War Games. I clearly recall being enthralled with the tale of high school kid David Lightman (played by a very young Matthew Broderick), who almost starts a nuclear war with his computer hacking skills. At the time, the story felt like science fiction – there’s no way that could actually happen. But with a world now connected by computer networks, the potential nightmares depicted in War Games are indeed possible.
That’s certainly the case with the recent hack that targeted U.S. government agencies. The hack began in March of this year, when someone (or an organization, or a country, or who really knows?) injected malicious code into updates for software that monitors the networks of large corporations and key governmental departments. Specifically, this was malware that corrupted a product made by SolarWinds. The malware provided hackers with access to networks, allowing them to analyze, copy, and potentially steal sensitive and top-secret data. No one had a clue about the hack. Then FireEye, a cybersecurity firm, discovered the digital crime.
The hack is alarming for a number of reasons. Obviously, the fact that these cyber-bandits could get into the bones of U.S. government networks shows the fragility of any network. And the fact that it happened through such a trusted company says even more about how far we can really trust a leading technology brand. SolarWinds provides its services to thousands of entities, from Fortune 100 organizations to governments in the Middle East and just about everyone in between. Due to the hack, the company’s stock price had dropped by almost 20% as of this writing.
Now governments and corporations around the globe are frantically searching their networks for evidence of whether they were hacked as well. After all, thousands of organizations use SolarWinds. According to cybersecurity experts, the hack wasn’t limited to agencies on U.S. soil – the thieves entered the networks of many other governments around the world, as well as those of private organizations. Interestingly, these experts point out that, based on the evidence thus far, the hackers didn’t intend to do any damage. Instead, they wanted the information to use for nefarious purposes.
How can a company know if its network was breached? For now, it’s difficult to fully assess. SolarWinds won’t reveal any information to the public. Neither will official U.S. cybersecurity agencies. And even though an organization may be a SolarWinds customer, that doesn’t automatically mean it was a victim. That’s because the malware was snuck into SolarWinds’ updates released from March to June, yet some customers never bothered to install them. Plus, hackers of this caliber carefully choose their targets – they would need a genuine motive for infiltrating a specific network.
For now, the investigation continues. And for now, SolarWinds only knows that an “outside nation state” was responsible for the attacks. Many suspect Russia as the culprit, yet as these games of cat and mouse go, Russia claims complete innocence.
But whoever did the job knew what they were doing. They were brilliant. They are experts at first locating a fundamental weakness in the system, and then finding the best way to exploit it – all without being noticed until it’s too late.
With the damage done – and the type of damage unknown – organizations must grapple with the question: How do we prevent such insidious hacks? Over the long term, companies must better scrutinize third-party software. There must be more in-depth assessments of vendors, especially for products critical to infrastructure. IT leaders need to instill a trust-but-validate philosophy for any technology that gets installed on the network.
Overall, organizations must hold software providers more accountable for their security. Organizations have to make security standards priority #1 when assessing new partners and vendors. This isn’t a movie. The survival of your company depends on it.