The SolarWinds Attack
I don‘t want to get deep into SolarWinds. Let me just put it this way: First of all, I feel sorry for them because it was a really sophisticated and a vicious attack. It went on over a long period of time. So, to the best of our knowledge, we were not impacted. I’ll just leave it at that.
Do we all have to do a lot of work? You always should be paranoid. You always should be very, very careful. Now that said, we have done secure engineering practices for multiple decades.
You’ve got to make sure that your code supply chain is really, really secure. Because when you are a provider to banks and governments and health-care providers, you don‘t want to be the source of carrying infections and malware and all those things in there.
Secure engineering practices are well known. It gets into all kinds of practices around code signing and encryption, not just of data but of actually how you build your code. You have got to be careful of what components are brought in.
There are some products that in turn have 30,000 other packages embedded in them. Now, whenever something happens, you‘ve got to grab the latest version of one of those packages and put it in there. So you’ve got to have the discipline to make sure that you’re not getting lazy and letting something filter in.
The way a classic threat functions [is the bad actors] wait for the one open door or window, and they use that and then they have access to the whole building. That‘s exactly what happened here.
Secure engineering practices are fundamental to us [at IBM]. It‘s how we build our mainframe. It’s how we build our software. It’s how we build Linux. So you’ve got to go do that. And we work very deeply, by the way, with all of the agencies, both government and private sector, who do these things to try to make sure they stay ahead of it, and stay ahead of the vulnerabilities.