So many illusions of control in these articles written about #SolarWinds
No regulation is going to stop this from happening.
No new requirements for certifications & attestations of security will make us less vulnerable.
Knowing the ingredients in software won’t fix it either https://twitter.com/slate/status/1340593507040432129
We’re going to keep getting hacked. We’re also going to keep hacking others in exactly the same ways, so everybody needs to clutch their pearls over something other than “norms” because these *are* the norms & we helped set them by our own actions.
We need to get over ourselves.
It’s a very traditional male response we’re seeing here:
Reacting to this with threats
Presuming the problem is related to lack of control & vowing to start controlling more things
Assuming we have enough resources to get control
Actually just looking for excuses to drop bombs
Any pundit who claims to know exactly what must be done to prevent this is part of the problem.
There is no single thing that will stop this from happening again.
There isn’t even a set of best practices to go rush to implement.
Improvements can be made; I’m not saying do nothing.
But to say that we’ll be able to do things that will prevent adversaries from hacking us at scale like they did this time, & all the other times, is to say we blindly, naively, believe there’s some magic we can do to remove cybersecurity complexity.
Cybersec Santa isn’t coming, kids.
So what should we do?
We can’t take a whack-a-bug approach, relying on the upcoming Vuln disclosure programs set to begin across the USG March 1.
Without prep for better internal processes & resources, that will be a deadly distraction from massive infrastructure updates we need.
Mandating a bunch of new certifications for security assumes software is some static thing - that it can be considered safe with some tests & that safety never expires. New bug classes are discovered. New features are added. Mandating only certified software will slow all updates
A holistic approach grounded in technical reality, led by field experts who have dealt with global-scale security, needs to happen.
Playing whack-a-response without looking at our overall strategy is how we got here.
Expecting different results by repeating that approach is insane.
Standard disclaimers:
I don’t owe you a debate, so don’t come into my mentions looking for a fight.
I already said once in this thread that I’m not saying improvements can’t be made now, but it bears repeating for mansplainers.
I’m saying that knee-jerk changes won’t prevent this.
Hoping the new administration isn’t planning to get the same advice we’ve seen in all these articles, featuring commentary from either former officials who clearly weren’t able to prevent this, or from the loudest pundits who lack deep experience solving security issues at scale.