Politico | How US agencies’ trust in untested software opened the door to hackers
- The federal government conducts only cursory security inspections of the software it buys from private companies
- As investigators race to assess the damage from the hacks, experts and lawmakers are calling for increased scrutiny of the third-party code that government agencies allow on their networks

This story is published in a content partnership with POLITICO. It was originally reported by Eric Geller on politico.com on December 19, 2020.
The massive months-long hack of agencies across the US government succeeded, in part, because no one was looking in the right place.
The federal government conducts only cursory security inspections of the software it buys from private companies for a wide range of activities, from managing databases to operating internal chat applications. That created the blind spot that suspected Russian hackers exploited to breach the Treasury Department, the Department of Homeland Security, the National Institutes of Health and other agencies. After embedding code in widely used network management software made by a Texas company called SolarWinds, all they had to do was wait for the agencies to download routine software updates from the trusted supplier.
As investigators race to assess the damage from the hacks, experts and lawmakers are calling for increased scrutiny of the third-party code that government agencies allow on their networks and demanding a fix for a long-known weakness.
“The government desperately needs to set minimum security requirements for software and services, and refuse to buy anything that doesn't meet those standards,” said Senator Ron Wyden. “It is incredibly self-defeating for federal agencies to spend billions on security and then give government contracts to companies with insecure products.”
Over the past week, agencies rushed to scrub the malicious code from their networks while senior officials huddled in emergency meetings – all amid reports of more victims in the federal government, state governments and private industry. As the extent of the attack became clearer, cyber experts warned that cleaning up the mess could take months or years.
