There is a specific quality of dread that experienced security practitioners get when they think carefully about what happened in December 2020. Not the dread of a novel attack technique, or an adversary with exceptional resources. The dread of recognizing, in granular detail, exactly how many organizations were equally exposed and simply weren’t targeted. The SolarWinds compromise — where a trojanized software update was distributed through a vendor’s legitimate build pipeline and installed with full trust by thousands of downstream customers — was not primarily a story about sophisticated tradecraft. It was a story about the industry’s collective decision to trust software artifacts it couldn’t inspect, from processes it couldn’t verify, at a scale that made the assumption catastrophically fragile.
Four years later, I can report something encouraging: the reckoning has started. I want to be careful about how encouraging I make it sound, because the progress is real but the baseline was so poor that real progress still leaves us badly positioned.