Supply-chain pitfalls go deep
The SolarWinds breach serves as a stark reminder that government and private sector entities alike are dependent on a network of companies that can be quietly weaponized against them. The incident is raising questions about what an adequate counterintelligence operation looks like, and whether the federal government has the right framework to assess the security of the products it buys. The truth is that it's only natural for spy agencies to try to infiltrate sensitive targets by first breaching the companies that supply them with technology. Shannon Vavra has more.
A large federal footprint is 'nightmare scenario'
SolarWinds has been supplying technology to federal agencies for a long time, and a full public assessment of those deals would be difficult. One estimate, according to FedScoop, shows 48 different resellers were awarded some of the 204 known federal contracts for the company's Orion product since 2006. “It’s almost a nightmare scenario, when you think about it, because these are tools that people put into the most sensitive parts of their network,” says a retired senior government official, who asked not to be identified to speak freely about the compromise of SolarWinds' software updates. More from FedScoop's Dave Nyczepir.
Key briefings held on the big hack
The incoming Biden administration is receiving briefings from U.S. officials on the colossal SolarWinds hack, including a classified session slated for Tuesday, according to a person familiar with the briefings. Meanwhile, DHS’s Cybersecurity and Infrastructure Security Agency briefed Capitol Hill aides Monday on how federal agencies are responding to the breach. At least one agency learned it had been affected after it followed CISA's emergency directive to look for such activity, a congressional aide told CyberScoop.
EU regulators dock Twitter for bug response
European Union authorities have penalized Twitter for failing to report a data breach promptly and not adequately documenting the incident. The decision — issued by Ireland's data protection agency because Twitter's European headquarters are in Dublin — imposes a fine of about $550,000 on the social media company. Twitter was lax in its response to the discovery of a bug in its "Protect My Tweets" feature, the regulators said. It's the first time the agency has fined a “big tech” company for violations of Europe’s General Data Protection Regulation (GDPR). Joe Warminsky breaks down the ruling.
A big live hacking event offered up some broader lessons
HackerOne and Verizon Media recently wrapped what they billed as the world's largest live hacking event, and they came away with some pros and cons. Both were related to the sheer enormity of a five-week, online event with 3,000 registrants. The expanded global scope brought in some new talent for events that are usually more like 50 or 60 people. But it also was a pretty difficult undertaking to manage an event that large. Tim Starks reports.