March 5, 2021

SolarWinds: Lessons for the Future

by Jack Dunn, Esq.

The SolarWinds hack would have dominated news cycles not too long ago. Yet in early January, reports of a state-sponsored, supply chain cyberattack quietly rippled across a media landscape already enveloped in the tides of an omnipresent pandemic and a flavor of civil discord once thought inconceivable. Similar to the events responsible for its muted reception, the SolarWinds hack will test the resilience of basic assumptions underpinning laws, regulatory policies and the standard course of businesses.

It will be years before the dust fully settles, but there are encouraging signs that a number of cybersecurity principles are standing up well to the stress test. For instance, the fallout from the attack is reaffirming that that the true measure of an organization’s incident responsiveness is its ability to implement effective communication strategies designed to promote network visibility when technology inevitably fails. Although the attack reportedly claimed 18,000 SolarWinds customers as victims, not a single organizations’ intrusion detection system caught the intrusion until it was too late.

A New York Times report noted that circumvention of these alarm systems allowed hackers to build backdoors into the affected networks.i As a result, organizations are in the unenviable position of deciding whether to rebuild their networks from scratch or spend valuable resources removing potential backdoors that could otherwise be exploited in the future. Without reasonable alternatives, organizations that previously implemented communication strategies that prioritize network visibility are better situated to cauterize the flow of associated costs because relevant stakeholders will know where to direct their focus along the organization’s network.

Nevertheless, the sheer scale of the intrusion is among the few silver linings for many organizations seeking to strengthen their cyber resiliency. Specifically, the scope of the attack will inform which practices strengthen the communicational health necessary for achieving greater network visibility. For example, a 2016 survey from the Ponemon Institute found that “less than 50% of companies had a vendor risk management committee, and even fewer stated they had established and tracked metrics on the effectiveness of their vendor risk management program.”ii With such a large sample size, organizations will gain valuable insight into which metrics and committee compositions deliver effective oversight by lowering technical language barriers and promoting fluency across the various departments within an organization. Further down the road, the total cost of rectifying the damage may reorient the way organizations and insurers minimize exposure to cyber liability. For instance, just months before the SolarWinds hack became public, news of a shareholder derivative lawsuit against LabCorp similarly struggled to make headlines. But the lawsuit will receive heightened attention in light of the present reckoning with SolarWinds. Namely, it is the first of its kind to charge executives with breaching their duties of care, loyalty and good faith for, “failing to ensure that its [ . . . ] business associates utilized proper cybersecurity safeguards.”iii With current estimates placing the total cost of the attack at $100 billion, organizations should track how courts and D&O insurers approach the future compensation structure of cyber incidents.

i. David E. Sanger, Nicole Perlroth, et. al., As Understanding of Attack Grows, So Does Alarm, N.Y. TIMES (Jan. 2, 2021). https://www.nytimes.com/2021/01/02/us/politics/russian-hacking-government.html.
ii. PONEMON INSTITUTE, DATA RISK IN THE THIRD PARTY ECOSYSTEM, (APRIL 2016). https://tinyurl.com/yanczx3z
iii. Barrie Brejcha, Harry Valetk, D&O Liability for Data Breaches by Third Party Service Providers, CONNECT ON TECH, (May 11, 2020) https://www.connectontech.com/2020/05/11/do-liability-for-data-breaches-by-third-party-service-providers/.



Dubn
It will be years before the dust fully settles, but there are encouraging signs that a number of cybersecurity principles are standing up well to the stress test.