While the full scope of the hack could take months to determine, the biggest successful attack so far involved third-party software provider SolarWinds, and companies that resell Microsoft’s cloud services may also have been breached. Early assessments indicated the intrusions were the work of Russia’s SVR, the spying agency that took over from the Soviet-era KGB.
The seriousness of the attack and the wide range of victims has led to deep self-examination among cybersecurity professionals. “The main implication for me is to underline the weakness of much of the West’s cyber defences and in that respect it’s a bit discouraging, morale-sapping, it’s frankly a bit embarrassing,” Ciaran Martin, who resigned in 2020 as chief of the UK’s National Cyber Security Centre, told The Financial Times.
Some cybersecurity experts said the hack shows that most Western institutions simply don’t have strong enough cyber defenses, particularly when it comes to securing supply chains. Martin said that “if this doesn’t prompt us to [fix the supply chain problem], I don’t know what will.” Many experts, including Google CEO Sundar Pichai, called for international agreements as a way of preventing global cyber attacks.
Robert Hannigan, European chairman of cybersecurity firm BlueVoyant, writes in an op-ed for The Financial Times that Joe Biden’s incoming administration can help by making cybersecurity “a much higher priority.” That would include implementing the recommendations of the Solarium Commission, such as introducing some liability for shoddy security engineering.
Bruce Schneier, CTO of IBM Resilient, argues in a Guardian op-ed that U.S. institutions ought to turn toward a “defense-dominant” approach, noting that U.S. agencies conduct cyber espionage in their own right. “We need to dampen this offensive arms race rather than exacerbate it, and work towards cyber peace,” Schneier writes.
Cybersecurity experts told Compliance Week that the hacking also underscores the need for private and public organizations to share information about cyber threats. “Perhaps greater visibility into what companies actually do to maintain security might be something that we insist on after this kind of event,” said Dan Petro, lead researcher at cybersecurity consultancy Bishop Fox.