Some more updates on the SolarWinds breach – the US government via the FBI and CISA have officially confirmed the hacks.
Additionally, Microsoft, FireEye, and GoDaddy have now created a kill switch for the backdoor. Using the seized command and control domain, when an infected machine tries to connect, it will be sent to the kill switch, which causes the malware to terminate and prevents it from executing again.
As we approach the weekend, I’m also going to direct you to a longer think piece: An article from Microsoft Research about the need for a VP of Engineering, versus a CTO, for the US Federal government. Two statements are my highlight:
“In their ideal incarnation, a CTO is a visionary, a thought leader, a big picture thinker. The right CTO sees how tech can fit into the big picture of a complex organization, sits in the C-suite to integrate tech into the strategy.”
“Finding the right VP of Engineering is more essential than getting a high profile CTO when a system is broken. A VP-Eng is a fixer, someone who looks at broken infrastructure with a debugger’s eye and recognizes that the key to success is ensuring that the organizational and technical systems function hand-in-hand.”
And one from FCW, which advocates minimum standards for software and likens the approach to that of the NTSB for transportation. “In the wake of the Enron debacle, Congress passed Sarbanes-Oxley which, among other things, required the CEOs of companies to ensure that when they signed their annual financial statements, they promised they were accurate, under penalty of law. This is the kind of regulation that should be required of software developers – mandated basic best practices around security, followed by guarantees, with penalties for fraud.”
Why do we care?
There’s the big picture that I’m thinking about today, as my perspective on this incident is that we should be mining it for knowledge and education. First, that distinction between CTO and VP of Engineering really struck me as it applies to service providers. Oftentimes we lay out the value of “the virtual CIO” or virtual CTO for a small company… but the VP of Engineering role is just as important. In small companies, both roles are likely played by one person… but there is likely some real value in being more distinct about it. Think about the traditional service manager role being expanded to VP of Engineering for customers, while the larger strategy pieces remain with a CTO. Having BOTH as well-defined, strong offerings actually changes the value delivered considerably, and upward.
Next, think about the basic safety standards we are now going to be talking about for software… and for IT. This is a macro version of the regulation trend that runs through this entire conversation (and podcast).
Here you get a basic structure of how it will be implemented – basic best practice requirements, then guarantees, then penalties. Both of these articles are good reads.