China’s decision to classify online data based on its importance to national security and public interest is an implicit nod to both the growing threat posed by malicious hackers and Beijing’s continued push to centralize control of cyber operations. Here in the United States, we have seen sophisticated cyber attacks targeting everything from small, private investment pools to regional energy pipelines to the highest reaches of the U.S. government.
Unlike China, however, the United States relies on a small cadre of cybersecurity providers to manage its cybersecurity infrastructure. This is the kind of private-sector role that has worked in the past. But if providers want to avoid the long hand of government, they must fortify how they manage their operations. Otherwise, activist lawmakers in Washington will intervene.
Pressure on the cybersecurity industry was amplified last year after SolarWinds Corp. received notice of a massive data breach in its widely used systems. The private equity firms Thoma Bravo and Silver Lake Partners acquired the Austin-based company in 2015 and, as alleged in a court action filed this month in Delaware, set about cutting operating costs and offshoring operations to increase profits in the short term.
While this type of restructuring may sometimes work, it was a dicey maneuver to implement in the cybersecurity industry, given the clients who entrusted their valuable data to SolarWinds. Among its major clients are several government agencies, including the Justice, Defense, Homeland Security and State departments, as well as major corporations such as Microsoft and Cisco.
Indeed, the downsides of offshoring some of its cybersecurity operations to “a low-cost development center in Romania,” according to the court action, became readily apparent in November 2020 when SolarWinds received word of the breach begun a year earlier by hackers working for Russia’s Foreign Intelligence Service. Notification came, unfortunately, nine months after the company unknowingly spread the breach far and wide through the rollout of its Orion product suite update beginning in March 2020.
It also spread because SolarWinds’ systems were, as a U.S. General Accountability Office (GAO) report noted, “widely used in the federal government to monitor network activity on federal systems.” As the GAO also noted, the hackers focused on a small group of “high-value customers” where “the primary purpose of espionage” was greatest.
The pervasive nature of the SolarWinds attack counsels that our cybersecurity infrastructure is far from secure and that the onus is on both the public and private sectors to address the glaring gaps. It also points to the need for the vetting of companies entrusted by government agencies and corporate partners with valuable, and at times highly classified, data before hiring them. Even more important is the imperative that these businesses take a stronger stance toward protecting that information.
The SolarWinds attack calls into question whether private companies have the resources — or even a real concern — to gird the nation’s cybersecurity infrastructure against state-sponsored attacks.
In the case of SolarWinds, the firm outsourced labor to places such as the Czech Republic, Poland and Belarus, and laid off American employees. Add to this the private sale of a 5 percent, $315 million stake in the company by insiders to the Canada Public Pension Plan Investment Board days before the U.S. government issued an emergency warning about the Russian-led cyber espionage.
While there are hard questions that need to be answered about what SolarWinds and its two main investors may have known about the risks and attacks beforehand, the government’s own reliance on private firms clearly shows that Washington itself is not up to the task. To gain back the public trust and to keep the federal government from imprudently stepping in, companies tasked with guarding our nation’s most sensitive data — and those investing in these businesses — need to take a long, hard look at their responsibilities.
We live in a society where openness is a national virtue, but cybersecurity is an ever-growing threat. What we have learned from the SolarWinds fiasco is that we cannot afford technological underinvestment by firms and agencies tasked with keeping America’s companies, investors, citizens and their data safe.
James C. Allen, CFA, is a professional experienced in corporate finance, investment analysis and financial markets regulation. He is principal at Delahaye Advisers LLC in Charlottesville, Va.