Originally posted to Twitter

Five tips for congressional staffers navigating the @SolarWinds #hack as the next batch of @congressfellows approaches congress:

1) Practice restraint

Don’t apply pressure too early and prepare to accept “we don’t know” as a legitimate answer; #solarigate is still very much in crisis mode and premature congressional letterhead will only slow things down

2) Context from the field

The sheer breadth of this campaign says more about the maturity of cyber supply chain risk management as a field (#CSCRM/cyber #TPRM) than the failings of any particular agency or company [1]

3) Use a wide lens

Similarly, don’t fall for the trap of putting this all on SolarWinds. There were surely mistakes, but the sheer scope of compromise shows that industry is not prepared to handle these third party risks – which is a far, far greater problem [2]

4) Consider CISA’s role

Perhaps this opens questions about whether @CISAgov has the authority it needs to shore up federal #cyber posture. Are current powers, like their operational directives, sufficient? Is the state of gov’t cyber tenable long term?

5) Study success stories

This is an opportunity to learn from success stories in an underdeveloped field (#CSCRM). That is, which SolarWinds customers successfully prevented a broader breach (or would have prevented, had they been targeted)? How can gov’t / private sector learn from them?

  1. That isn’t to say #oversight won’t find problems – I’m sure practitioner oversight will find plenty. But you won’t find a ‘throat to choke’ that could have single-handedly prevented this thing

  2. This has happened before and will happen again - see @Bing_Chris’s piece on HPE/IBM