The government doesn’t do much to verify the security of software from private contractors. And that’s how suspected Russian hackers got in.
The massive monthslong hack of agencies across the U.S. government succeeded, in part, because no one was looking in the right place.
The federal government conducts only cursory security inspections of the software it buys from private companies for a wide range of activities, from managing databases to operating internal chat applications. That created the blind spot that suspected Russian hackers exploited to breach the Treasury Department, the Department of Homeland Security, the National Institutes of Health and other agencies. After embedding code in widely used network management software made by a Texas company called SolarWinds, all they had to do was wait for the agencies to download routine software updates from the trusted supplier.
As investigators race to assess the damage from the hacks, experts and lawmakers are calling for increased scrutiny of the third-party code that government agencies allow on their networks and demanding a fix for a long-known weakness.
“The government desperately needs to set minimum security requirements for software and services, and refuse to buy anything that doesn’t meet those standards,” said Sen. Ron Wyden (D-Ore.). “It is incredibly self-defeating for federal agencies to spend billions on security and then give government contracts to companies with insecure products.”
Over the past week, agencies rushed to scrub the malicious code from their networks while senior officials huddled in emergency meetings — all amid reports of more victims in the federal government, state governments and private industry. As the extent of the attack became clearer, cyber experts warned that cleaning up the mess could take months or years.
SolarWinds, whose 330,000 customers include key federal agencies, major telecommunications firms, every branch of the military and four-fifths of the Fortune 500, is one of the most extreme examples of the dysfunction that made this hack possible, but it is far from the only poorly guarded vendor with hooks into the most important computer networks in the world.
The U.S. government relies on private vendors of all sizes to supply its agencies with software. Some have expert security teams, such as Amazon, [ … ]