One year ago, Russian hackers burrowed their way deep inside a network monitoring tool made by a company called SolarWinds. How much has changed in U.S. cybersecurity since then?
RACHEL MARTIN, HOST:
This time last year, Russian hackers burrowed deep inside a network monitoring tool made by a company called SolarWinds. That enabled them to launch a cyberattack against U.S. government agencies and corporations. NPR’s cybersecurity correspondent Jenna McLaughlin has been looking into how much has changed in cybersecurity one year later.
JENNA MCLAUGHLIN, BYLINE: Karen Evans was the chief information officer at the Department of Homeland Security this time last year.
KAREN EVANS: So I was thinking, oh, I’m going to go off into the holidays. And then you get this phone call, and then you find out you’re handling a major incident all the way up until Inauguration Day.
MCLAUGHLIN: Hackers had burrowed their way deep inside a network monitoring tool made by a company called SolarWinds, a tool that her agency used. The government was quick to call out Russia for the breach.
EVANS: There were a certain set of email accounts that were being looked at, and one of them was mine.
CHARLES CARMAKAL: I’ll tell you, you know, the days leading up to our public announcement, I had a very weird feeling in my stomach.
MCLAUGHLIN: That’s Charles Carmakal, chief technology officer at Mandiant. His cybersecurity firm was the first to uncover the spying because they were victims, too.
CARMAKAL: In the early days, it was a very lonely time for us, and it was a very humbling time.
MCLAUGHLIN: Things were tense. But a year later, Carmakal thinks the U.S. caught the hackers off guard by exposing them. And the community of digital defenders learned a lot.
CARMAKAL: And I think it surprised them, and I think had it not been blown in December, there’s a very good chance that they would have gotten significant enough access to a number of other technology companies.
MCLAUGHLIN: In other words, it could have been worse if the spies weren’t caught or if they decided to wreak havoc on federal and private networks. It was a wake-up call that really motivated people to ramp up on defense.
Karen Evans, the former Homeland Security official, went on to become the head of the Cyber Readiness Institute. She says her focus is on protecting small- and medium-sized businesses who could be targets.
EVANS: Those are, like, the soft underbelly – right? – the Achilles’ heel.
MCLAUGHLIN: Lawmakers – at least the ones focused on cybersecurity – weren’t surprised by SolarWinds, but it was striking to Senator Angus King of Maine.
ANGUS KING: We’re really in a new area of conflict.
MCLAUGHLIN: He says people should care about SolarWinds because the hackers could have used their access to government networks to do something destructive.
KING: They spent so much time, money and effort to penetrate these networks that it strikes me as hard to believe that they didn’t have more nefarious purposes in mind.
MCLAUGHLIN: King, an independent, says he’s pleased with the progress the White House has made. Since entering office, the administration has sanctioned Russia, put out a cybersecurity executive order and worked to secure federal agencies from hackers. But King says the U.S. needs to keep up the pressure.
KING: We need to be clear that if they attack us in cyberspace, they will pay a cost.
MCLAUGHLIN: Because unfortunately, the hackers behind SolarWinds are back at it. Carmakal’s company, Mandiant, just came out with a new report about their activity.
CARMAKAL: The attacks didn’t stop in December 2020. You know, they continued throughout 2021. We really want to help organizations better defend their networks and learn about the intrusions.
MCLAUGHLIN: His takeaway – spies are going to keep spying, and they’ll keep finding new and increasingly sophisticated ways to breach defenses.
Jenna McLaughlin, NPR News, Washington.
(SOUNDBITE OF SUBLAB AND AZALEH’S “ARCANUM”)
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.