Local coverage of the SolarWinds hack has started as journalists report whether the bigger story affects their regions. Two examples: reporting in Michigan indicates that investigations show no sign of a breach, while the City of Atlanta has refused to say whether it was impacted.
In vendor news, Qualys is offering a free vulnerability management service for 60 days following the breach.
Bloomberg is reporting two former employees of SolarWinds, one anonymously and one on record, as having said they warned the company several years ago about security concerns.
Meanwhile, the Government Accountability Office is indicating that of the 23 federal agencies it audited for a new report, only a handful have implemented seven “foundational” practices for managing security risks in their supply chain.
For those interested in technical updates, Dark Reading has some additional details, noting that it does appear other attack vectors were used, and that the SolarWinds compromise may have been present for longer than initially reported.
Finally on the topic, SC Magazine has a counterpoint that is a very good read, a piece called “The SolarWinds hack, and the danger of arrogance,” which I encourage listeners to read.
Why do we care?
Today’s lesson is how to look bad during a crisis.
I think denial is a really bad look – refusing to answer is never good, and just screams “it happened to us and we’re not courageous enough to own it.” I’d also question “here’s a longer trial of our competitive product” positioning as exploitative of a situation rather than helping. Other vendors have offered tools with no strings, which is a much more collaborative approach. Those CEOs who are taking pot shots are just putting a target on their back, and when they are inevitably hacked, they just look worse.
On former employees, I’m reasonably confident I could find a former employee at any company who will say something about their former leadership to paint them in a bad light.
I question the value of pulling out information from three years ago to try and do a victory lap of “I told you so,” particularly when you leak to the press work you did as an employee, which is thus the intellectual property of that company. That just leads to more open questions about ethics and handling of confidential information, particularly when you’re the security expert. Add to that the fact that all the federal agencies were not in a good defensive posture.
It’s a really bad look for those exploiting this, and that kind of stink stays with you. People remember grace too.
Which leads to the SC perspective – and the power that comes from humility. This is a moment to define both yours, and the industry’s, approach. One path seems obvious to me, and the other fraught with opportunism, which is never a long-term sustainable answer.