In fairness, there are probably no really good answers to the question: How did your company leave your IT infrastructure so unprotected that it was used to deliver malware to several branches of the federal government as well as a series of high-profile private sector targets?
But maybe blaming an intern was not the best approach.
On Friday, former SolarWinds CEO Kevin Thompson testified about the massive espionage campaign that originated at his former company at a congressional hearing held jointly by the House Oversight and Homeland Security Committees. Members of Congress homed in on the fact that the company had used the password “solarwinds123” to log in to a file transfer server, though it was not clear at the hearing whether that password was used in the intrusion that subsequently infected many government departments and private companies with malware via a malicious SolarWinds update.*
John Eddy, executive vice president at Goldin Solutions, which is working with SolarWinds, later said in an email to Slate that “SolarWinds has determined that the credentials using that password were for a third-party vendor application and not for access to the SolarWinds IT systems. Furthermore, the third-party application did not connect with the SolarWinds IT systems. As such, SolarWinds has determined that the credentials using this password had nothing to do with the SUNBURST attack or other breach of the company’s IT systems.” Still, the question of poor password hygiene was front and center at the congressional hearing about the espionage campaign.
According to Thompson and current SolarWinds CEO Sudhakar Ramakrishna, an intern who worked at the company posted the “solarwinds123” password on GitHub back in 2017. Security researcher Vinoth Kumar later discovered that the password had been posted publicly since at least June 2018 and informed the company of the leak in 2019, at which point, according to Ramakrishna, it was removed from GitHub.
Needless to say, that explanation still leaves a lot of questions unanswered. For instance, was the intern actually responsible for setting the “solarwinds123” password? And, if so, why on earth had the company delegated responsibility for setting such an important password to an intern? Was the password actually changed when the leak was discovered in 2019 or was it just removed from GitHub? And why was there no multifactor authentication protecting that server if it could be used to transfer files onto company servers?
But this is, by and large, a profoundly unproductive path to go down when it comes to trying to understand how the SolarWinds compromise happened and what we can do to try to better protect ourselves from similar intrusions in the future. What are companies—much less Congress—supposed to take away from Thompson’s and Ramakrishna’s testimony about how to do a better job of securing their data and networks? Don’t hire interns?
One of the most frustrating elements of the aftermath of cybersecurity breaches is this kind of finger-pointing, in which the different actors involved all find someone else to point to (or, in some cases, sue) and say: This was not my fault; this was the fault of organization X for not telling me how to better secure my data, or contractor Y for failing to protect the credentials we gave them, or software company Z for not finding and fixing every vulnerability in the code they sold us. Take the Office of Personnel Management breach in 2015, for instance, which was probably the previous largest single act of cyberespionage directed at the U.S. federal government. During the lengthy aftermath, at various points, OPM laid blame for the breach at the feet of its contractor KeyPoint, the White House Office of Management and Budget, and the company SAP, which made OPM’s enterprise management software.
This is frustrating because even though all of these actors likely have some role to play in improving security, it’s rarely any one individual’s sole fault that something went wrong or that it wasn’t discovered until too late. But it’s in everyone’s interests to pretend that there is a single responsible party—anyone other than them!—so those narratives often take hold.
The SolarWinds case is particularly egregious: Rather than implicating any of the stakeholders who actually had some agency and capabilities to identify or prevent the espionage campaign, the company has instead chosen to pin blame for the incident on someone who clearly had no authority to strengthen its security, and also now has no opportunity to answer these accusations: an intern, long since gone, who made a mistake that should probably never have been within their power to make in the first place.
It’s a tempting narrative—as the stories about how a massive, complicated breach is the fault of a single actor often are—in which some clueless college student shows up for a summer and sets a dumb password and then carelessly leaves it up in some publicly accessible code on GitHub. Above all, it’s a story that’s easy to understand, especially for members of Congress. For instance, California Rep. Katie Porter pointed out at the hearing, “I’ve got a stronger password than ‘solarwinds123’ to stop my kids from watching too much YouTube on their iPad.”
And while she’s not wrong—that solarwinds123 was a stupid password, that it should never have been up to interns to set important company passwords—it would be a mistake to imagine that stopping the next SolarWinds will be as easy as setting more complicated passwords or cracking down on interns, especially because the company now says that password has nothing to do with the subsequent compromise. Focusing on that element at a congressional hearing provides a narrative that lets SolarWinds off the hook for how little it was monitoring its own servers. It lets all of the government departments using the software off the hook for how little vetting they had done of the company’s security practices before purchasing SolarWinds products. And it lets everyone off the hook, really, except for a nameless intern whose mistakes have now been aired at a congressional hearing, even though they were apparently unrelated to the massive cyberespionage breach.
Correction, March 4, 2021: This article originally misstated that the former CEO of SolarWinds blamed the large-scale breach on a bad password and an intern. SolarWinds says that bad password was unrelated to the cyberespionage campaign.