Date: 2021-01-27

The message you get wherever you turn is: update your software. Software updates, as well as containing new emoji and features, include security fixes that address vulnerabilities in our technology. Install the latest versions and you'll be safe, the advice goes.

However, every new piece of information we discover about the major hacking operation carried out by agents of a foreign intelligence service, which, as of this writing, has targeted five US government agencies and possibly many companies, with more likely to be exposed, reveals that our problem is not a technology imbalance. Rather, the problem is that we did not know how to manage trust across the software supply chain and did not think about the consequences of this failure.

Many of the organizations that were hacked in the operation knew that they were being targeted by accomplished foreign hackers. To protect themselves from the threat and manage their complex networks, they looked for technical solutions, including a piece of software called "SolarWinds." This spring, when SolarWinds released an update, they installed it, believing the new code would make them more secure, like many previous updates.

But these organizations were wrong. Hackers working for the aforementioned foreign intelligence service had reportedly placed a secret backdoor in recent versions of SolarWinds. When customers applied the latest version of the program, the hackers gained access to their networks. From there, the hackers gained access to many additional devices and user accounts, and spied without being detected for up to nine months. Although the campaign has been discovered, the story is not over yet, as the hackers still have the ability to secretly access many organizations that will be very difficult to protect.

The principle that emerges from this espionage campaign is as clear as it is frightening: the very systems that institutions trust, of necessity, to manage and secure the growing complexity of modern technical networks can allow hackers to penetrate them. This web of trust is very complex. People responsible for IT security trust computer programs that in turn trust other computer programs, and so on, to the point where it is almost impossible to fully examine or understand them. There is simply too much software and too many software updates. When any thread in the net is removed, the entire net falls.

Indeed, this is not the first time that a security breach has highlighted a weakness in the software supply chain. Contrary to the spy-thriller cliché of a lone hacker infiltrating a single target computer, some of the most insidious operations are slow-cooked ones that gain access to many targets through one important computer program. America's more powerful competitors have known this for years. The 2017 attack known as "NotPetya", which caused more than $10 billion in losses, reached the first group of its victims by penetrating a tax software program that is widely used in Ukraine. Foreign espionage operations against other parts of the software supply chain have infiltrated at least six companies since 2016, using each of them as a platform to reach more victims. A different foreign operation added a "back door" to the widely used security products made by Juniper, a well-known American company, between 2012 and 2014. Against this background, the latest operation shows how little progress the United States has made in protecting against this type of threat.

The conclusion is simple and disappointing: the case at hand is a reminder that we have a structural problem that no new technical solution or new policy is likely to solve, even for large and powerful organizations. And we’ve underestimated this fact for a very long time, partly because we’ve made progress in how we manage essential parts of our technology, for example, by managing our networks and addressing some of our software weaknesses. But we haven’t made similar progress in determining which systems in the software supply chain deserve our trust. This problem is difficult and intractable, and it will not be solved by technology alone. The only thing worse than acknowledging that fact is not acknowledging it.

The writer is a professor at Georgetown University’s Edmund Walsh School of Diplomacy

To be published in a special arrangement with the Washington Post and Bloomberg News Service.