Well, on the bright side, the SolarWinds Sunburst attack will spur the cybersecurity field to evolve all over again

Stupid question

From the quality of the threat design, the range of techniques used, and the nature of its victims, this was a nation state at work [..]

What is a "threat design"?

Inside or outside job?

From the ReversingLabs analytic reports I read, the attack was teased out over several months deep in the source code slowly creating a camouflaged set of code in the right house style that was compiled directly into live builds. If the report's true, I'd be surprised if an outside hacking team was able to get in that deep, take that amount of time, and then know the existing code well enough to blend into the house-style.

The ReversingLabs report makes it feels more like work done by someone familiar with the codebase as an employee or contractor - could be someone who left, but still had a way of getting access for instance, or a contractor planted by an outside agency who had enough time to learn the system before crafting the attack piece by piece.

Reasons for hacking Solarwinds need not be spying either. For instance, the ultimate target could have been financial systems. A Solarwinds type hack would allow a team to place a trojan into an automated trading system that then buys a few more bitcoin, or overprices a stock would be almost unnoticeable - demand goes up, prices follow and a connected seller slowly makes a fortune. As more information comes out, this could turn out to be a people or HR problem as much as a system or network problem.

How did they somehow bypass the source code control system? (Assuming there WAS a SCCS, and not just a bunch of files in a directory.) If they came through the front door one could start with a "git blame" command and start following the trail through logs. They might find something unusual that could result in updates to their security system such as time-of-day restrictions on who can access what, or by what access channel such activity is allowed.

Funding model?

As already mentioned upstream this might be all down to the money and time available to the core developers to look internally at their processes and not just at the agressive targets for the next commercial release.

Like a high security business with massive front office security, turnstiles, finger and retinal printing etc. Which, it turns out, makes it impossible for the developers in the basement working 7 days weeks to meet an arbitrary deadline to get out of hours pizza deliveries. So they modify a back door to the server room so the alarm doesn't sound when the delivery guy calls.

Possible moral is to spend a bit more on your core team even if it makes the performance metrics look worse.

We didn't get hacked because.....is very hard to prove.

No doubt the blame will fall on the developers and not those responsible for not funding internal security.

Noting also that if you are a criminal one of your primary aims is to subvert the police force. Also noting Burgess et al.

Intelligent article and interesting comments. From my semi-layperson's viewpoint are we seeing an illustration of Andy Grove's book title Only The Paranoid Survive?

Tall fences make for friendly neighbours.

The internet was envisioned as a friendly digital utopia where everyone could freely exchange information. Unfortunately human nature and politics have interfered with the original vision of the internet described by Sir Timothy John Berners-Lee.

It is only a matter of time before nation states (the EU being such) erect Chinese walls between themselves and that vicious outside world.

Tall fences make for friendly neighbours.

Removing Windows would be a great first step

.. but the problem is that the people making the decisions can be bought with lunches and fed misinformation galore.

So yes, yet another hack. And another set of excuses. Rinse, repeat, ad infinitum.

Most of the people involved don't want to fix things, they just want more budget to waste. Bad news for the people on the receiving end but that's IT.

0pti0na1

Dome is Earth

1 8100D

I doubt anything special will happen.

Companies will just buy more cyberinsurance, will give out "free credit-monitoring", and pay a few measly fines.