In an interview I did with Kevin Mandia, he said this: “If your supply chain is compromised, so are you, since the networks so often get connected. Let's say small company C gets compromised. Does it lead to a compromise of big company A? It usually does.”
That interview was eight years ago. Mandia was CEO of Mandiant at the time, which had just released a report linking the Chinese military to a series of cyberattacks on U.S. and foreign corporations and entities.
And now here we are: U.S. companies and government agencies are scrambling to control the bleeding from a cyberattack that infiltrated the supply chain, first discovered by FireEye, with CEO Mandia sounding the alarm bells.
I would call the whole situation incredibly ironic, if it weren’t so devastating.
The SolarWinds hack exposed not only vulnerabilities within public and private sector networks, but also the dangers of arrogance. And make no mistake, the U.S. – public and private sector alike, across many sectors – has long suffered from a heavy dose of arrogance. I'm no exception. As a journalist I’ve spent years reporting about both our country’s strengths and weaknesses, mostly within the tech and government space. And yet, even in my own reporting and that of my peers, there is this precept that the U.S. is among the most advanced – superior even – in most every area of consequence.
The exchanges go something like this:
Is China giving us a run for our money as the second largest economy in the world? Certainly – but we’re still winning.
Does Russia’s investment in its military create concern about conflict, particularly among allies in Eastern Europe? Absolutely, but the U.S. with NATO has kept Moscow in check for decades.
Could we be hit by a devastating cyberattack that places at risk the country’s most critical assets? Nobody is immune – even the NSA and the Pentagon have said as much. But we’re better off than most.
One could argue that all of these claims are true enough. But they also ooze complacency, even as some of our greatest minds work to address our shortcomings. Our leaders in industry and government don't deny those shortcomings necessarily; but how seriously do they take them? Are they working fast enough to respond?
Click here to register for the SC Media Virtual Conference, Knowing your Adversary, which will examine the threat of APT tactics
In this latest attack, we’ve been caught flatfooted – with companies and agencies scrambling internally and externally, while acknowledging (to their credit mind you) that there is a lot we still don’t know. As quickly as news of this attack circulated, word of breaches has come slowly but continuously, like the excruciating toasts that roll out when someone decides to pass the microphone at a wedding reception.
Is this the best we can do? Wait for companies, government agencies, non-profit organizations to raise their hands? And what about the many, many smaller entities, or critical infrastructure companies that may not have the same resources in place to quickly or effectively identify whether they’ve been breached, or how to respond accordingly? Where’s the coordination there? In that same February 2013 interview, Mandia told me "the big guys are generally pretty locked down, while the sieve is in middle and smaller companies." And yet so far, all eyes are on the 800-pound gorillas like Microsoft, FireEye, and government agencies. What are we missing?
Chris Roberts, virtual CISO and adviser to a number of companies and agencies said this to me last week: “We’ve got to look in the mirror. We really have to go look in the mirror and ask, ‘Why didn’t we see it? We have multi-billion dollar systems in place that should detect this.'” I’d argue nobody saw this because the adversaries were just that good, and because, despite acknowledgment inside and outside of government that it could happen, too few thought it actually would.
Sometimes power comes from humility. And much like 9/11, which spurred shifts in how intelligence is gathered and shared, the SolarWinds hack just might instill a sense of urgency – not only to shore up security but to improve collaboration between the public and private sectors, to make sure we’re not just sharing intelligence, but working in coordination.
Because yes, America, we’ve been humbled. What matters most, however, is what we do now.