CEO DailyCFO DailyBroadsheetData SheetTerm Sheet

Why the SolarWinds hack is even worse than you thought

January 29, 2021, 2:03 PM UTC

Most of the time when we hear about cybersecurity crimes, we hear from the leading players, companies like Crowdstrike that nailed the Russians for stealing DNC emails in 2016. Or Microsoft warning that the Russians were trying to hack 2018 election campaigns. Or FireEye disclosing last month that it was itself penetrated by nation-state hackers (who turned out to be Russians).

But, as we are learning from that last incident, we can’t ensure cybersecurity just by relying on the big names.

FireEye had uncovered the tip of what is now considered the largest and most damaging hack in the history of cybersecurity, one that breached the computer networks of hundreds of major companies and government agencies including the U.S. Treasury, the State Department, and the Department of Homeland Security. The attack is named SolarWinds after an obscure software developer in Austin, Texas, that was the starting point for the whole disaster.

As Data Sheet’s own Robert Hackett and our tech colleague David Z. Morris explain in their new feature story about the SolarWinds attack, Russian hackers were able get into so many networks just by inserting a backdoor into security software that the company produced and distributed to its many clients around the country.

Their deep dive explains not only how it happened but why. In particular, David and Robert note, the SolarWinds hackers didn’t go for the usual credit card numbers and email addresses that most cyberthieves seek. Instead, the hackers went for much higher-value internal information: emails with corporate and government secrets, the source code underlying Microsoft software, and the like.

The attack also undermines not just the reliance on one firm, SolarWinds, but perhaps the entire structure of cybersecurity in the United States, with its patchwork of government agencies, big-name security firms, thousands of smaller outside vendors, and internal IT department security efforts.

“Most experts in the industry view the decentralized, market-driven structure of U.S. cybersecurity as a source of agility and innovation,” David and Robert write. “But in the SolarWinds debacle, they also see the system’s weaknesses on full display. In this mega-breach, the industry’s flawed financial incentives, a lack of transparency, underinvestment in training, and old-fashioned cost-cutting each played a role.”

Aaron Pressman
@ampressman
aaron.pressman@fortune.com

***

We’re all familiar with the science-fiction trope of a computer getting so smart it takes on a mind of its own. That fantasy nowadays feels all-too-realistic, thanks to advances in Natural Language Processing (NLP). On this week’s Brainstorm podcast, hosts Michal Lev-Ram and Brian O’Keefe examine what it means to teach a computer to understand and even “think” like a human. What are the innovative possibilities this unlocks? What are the dangers? Listen to the episode here.

NEWSWORTHY

It's all STONKS all the time. Here's what you need to know about the quickly moving GameStop-WallStreetBets situation:

  • After a few days of mayhem started to alarm the powers that be, including the stock exchanges and regulators at the Securities and Exchange Commission, free trading app Robinhood on Thursday decided to shut down buying (but not selling) of GameStop and other stocks targeted by the Reddit crowd. That led to a quick price crash and lawsuits. Somehow the MemeSTONKS are recovering in premarket trading on Friday. Facebook also canned a related chat group called Robinhood Stock Traders for violating its community standards.

  • But what should be done? Former SEC chairman Arthur Levitt, who dealt with an earlier bout of day-trading mania in the 1990s, called for a regulatory crackdown on "rumormongers." At the other end of the spectrum, journalist Matt Taibbi's take started with "Suck it, Wall Street" and concluded: "The only thing 'dangerous' about a gang of Reddit investors blowing up hedge funds is that some of us reading about it might die of laughter."

 

  • It's also worth reading the Wall Street Journal's profile of Jaime Rogozinski, a 39-year-old doctor in Mexico City who was bored with his investments so he started a new Reddit group in 2012. You guessed it: WallStreetBets.

 

  • You won't be finding a link here to the New York Post's story about 22-year-old Jack West taking out a second mortgage on his parents' house to bet on GameStop, though. That's because the 22-year-old in question was lying to punk the newspaper. Oops.

 

  • As a history buff, I loved all the parallels. The Verge's Nilay Patel reminded us that the genesis of the controversial online speech law known as Section 230 was a lawsuit filed by a crooked investment firm, Stratton Oakmont, against Prodigy over what some users were writing about stocks on message boards.

 

 

  • I'll give the last word to Levine, who in his astute judgment considered a possible "endgame" to all of this: "We all get so tired of talking about GameStop that we stop. Perhaps the stock goes up, perhaps it goes down, but we stop checking. If I were king I might be a little tempted to impose that ending by law."

So think about all that for the weekend and, with all these words spilled, we will skip the Food For Thought section today.

FOR YOUR WEEKEND READING PLEASURE

A few great long reads I came across this week:

Buying Beats for Viral Songs Is Becoming a Popular (and Messy) Business (Rolling Stone)
Execs are scooping up the beats behind hits — sometimes without singers’ knowledge. Some see the practice as shrewd business, but others say the murky ethics can turn a breakthrough into “a nightmare”

2021 Will be the Year Design Becomes Fun Again (Hypebeast)
After a year of working from home, we’ve learnt to take new pleasure from playful spaces.

The Happiness Project: Finding Joy in Tough Times (GQ)
In a time like this, what does happiness look like? A dozen culture-shapers offer their very personal perspectives on searching for joy and finding meaning in life.

A viral video forced a wealthy Texas suburb to confront racism. A 'silent majority' fought back. (NBC News)
Southlake is known for its top-ranked public schools. But a heated fight over a diversity plan has some parents questioning their future in the city.

IN CASE YOU MISSED IT

Sheryl Sandberg on banning Trump and why we shouldn’t take the open internet for granted By Beth Kowitt

Apple CEO defends privacy push after Facebook CEO’s complaints By Aaron Pressman

Short selling? Short squeeze? GameStop? What? A beginner’s guide to the most chaotic business news story of 2021 By Rey Mashayekhi

Coinbase opts to go public with direct listing and a rumored share target of $200 By Jeff John Roberts

GGV raises a record $2.5 billion across its newest funds By Lucinda Shen

Behind Tesla’s 2020 profit is its love affair with China By Eamon Barrett

(Some of these stories require a subscription to access. Thank you for supporting our journalism.)

BEFORE YOU GO

The Great British Baking Show has been a beacon of kindness and creativity during dark times the past few years. Not sure if we will still need that kind of diversion come spring, but the series is returning for a five-episode run with celebrity bakers including Star Wars star Daisy Ridley, X-Men star James McAvoy, and Little Mix singer Jade Thirlwall. Ready and bake!