Security News > 2023 > February > SolarWinds and Market Incentives

In early 2021, IEEE Security and Privacy asked a number of board members for brief perspectives on the SolarWinds incident while it was still breaking news.

The lessons are many, but I want to focus on one important one we've learned: the software that's managing our critical networks isn't secure, and that's because the market doesn't reward that security.

Why did SolarWinds have such bad security? The answer is because it was more profitable.

The New York Times reports that the company's cybersecurity advisor quit after his "Basic recommendations were ignored." In a very real sense, SolarWinds profited because it secretly shifted a whole bunch of risk to its customers: the US government, IT companies, and others.

The market rewards short-term profits at the expense of safety and security.

Any system of procuring that software needs to evaluate the security of the software and the security practices of the company, in detail, to ensure that they are sufficient to meet the security needs of the network they're being installed in.

News URL

https://www.schneier.com/blog/archives/2023/02/solarwinds-and-market-incentives.html