Date: 2020-12-23
SolarWinds is a Texas company that makes Orion, a software to manage complex information technology systems for businesses and governments, including defense contractors and agencies. And all were potentially harmed by a devastating hack allegedly perpetrated by Russian cyber spies. Does this require a government cyber attack on Russia or more sanctions as a response?
A flaw in the software enabled hackers to gain access to virtually any information in each customer’s electronic databases. The damage is still being assessed, but government and commercial secrets were exposed, including at six Cabinet-level departments despite the tens of billions of dollars spent on U.S. cyber defenses.
An unnamed government official told the Associated Press, “This is looking like it’s the worst hacking case in the history of America.”
In pondering a response, federal officials should carefully consider their options. The U.S. government can retaliate against the hacker either by prosecuting individuals or by taking action against a state-sponsored intrusion.
But let’s be clear-eyed about this: Hackers are going to hack. And all governments do it to some degree.
U.S. experts first must establish who — and, more likely, which government — is responsible and determine the damage. With much of the U.S. economy and electrical grid potentially vulnerable to disruptions, it would be dangerous to miscalculate any response to the attack.
The best long-term solution is the most obvious: Make the nation safer from intrusions by hardening our cyber defenses (and by developing more robust cyber-offense programs). If you leave the door unlocked, the burglars can easily get into your house and your insurance may not cover the losses. It should be an obligation of all software users to install hacker-safe programs and prevent unauthorized access.
How could the government promote software safety? An analogy is the way it promoted automobile safety. Ralph Nader published “Unsafe at Any Speed,” a muckraking exposé of how Detroit skimped on auto safety and passed the risk along to the customer. That led Congress to pass laws requiring auto safety devices and putting the burden for manufacturing flaws on the automakers. The National Highway Traffic Safety Administration was set up as a watchdog.
Decades of experience have shown that American software manufacturers too often sell products that can be exploited by hackers in a high-tech game of cat and mouse. Each hack leads to fixes, but as the SolarWinds debacle shows, flawed products are still being sold.
Congress should establish a primary federal agency for testing software safety and monitoring industry product safety.
Lawmakers also should examine what can be done to hold software developers responsible for issuing flawed, vulnerable software.
The use of unsafe procedures by software users is a separate issue that deserves congressional scrutiny.
This approach would raise the cost of developing and purchasing software. But compared to the damage done by hackable software, that cost likely would be modest. Then let the hackers hack. Their chances of success would be much lower.