The SolarWinds hack, it seems, was worse than initially feared—and initial fears were already alarming enough. The manner in which the U.S. government left itself vulnerable to the attack demands a reckoning that runs the policy gamut. But the best place to start may be the least flashy: security of the software supply chain.
Russia has perpetrated attacks through the supply chain before, and no wonder. By targeting a single weak link, especially a firm with widely used products, adversaries can reach thousands more—including those of high value. That also explains the hackers’ apparent interest in breaching Microsoft, CrowdStrike and FireEye.
Perfection, however, is impossible to achieve—which is why the next frontier is figuring out how to root out those attackers officials should assume have found a way in. Agencies ignored a Government Accountability Office report advising them to update a malware-catching tool called “Einstein” that proved significantly less smart than its namesake. Einstein could nab only known assailants, not identify new ones; an improvement is in immediate order. So is a strategy for speedy recovery from infiltration. This has to be an urgent priority for the Biden administration.