Three days after being appointed to run US software group SolarWinds, Sudhakar Ramakrishna received a call any chief executive would dread.
The company’s general counsel had rung to warn him malware had been detected in updates sent out to thousands of clients in the private and public sectors.
“My first reaction was really one of curiosity,” the veteran technology executive recalls. “I started visualising what could have happened.”
Ramakrishna had not been due to take over until the following month but, given the gravity of the attack, part of a cyber-espionage campaign the US government later blamed on Russia, he was quickly appointed to SolarWinds’ board so he could receive daily updates. Within days, he was revising his top 10 priorities for his new job to take account of the radically changed circumstances.
Few CEOs experience such a cyber-baptism of fire, which prompted the US to set up a high-level task force to co-ordinate its response. Even fewer would respond as coolly. For leaders, cyber attacks “seem to be much more personal [and] emotional” than other crises, according to Michael Smets, management professor at Oxford’s Saïd Business School.
Even a pretend attack can push executives to the brink. Luxembourg’s House of Cybersecurity runs an intense hour-long exercise for business leaders, called Room#42, to promote resilience to cyber threats. Twice, executives have “lost control”, even screaming at colleagues, says Pascal Steichen, who runs the cyber resilience unit.
Such responses may reflect a gulf exposed in a recent report that Smets and others prepared for Istari, the cyber risk management company owned by Singapore’s Temasek. All 37 CEOs interviewed for the study said the buck stopped with them on cyber security, but nearly three-quarters were uncomfortable making decisions about it.
What is obvious is that the threat is increasing. Since the 2020 SolarWinds hack — dubbed Sunburst — hackers have succeeded in taking the Colonial Pipeline network offline with a ransomware demand, prompting petrol shortages in parts of the US, breached The Guardian newspaper’s internal systems, and forced the UK’s Royal Mail to suspend temporarily its international postal services. This month, USS — the UK’s biggest private sector pension plan — warned the personal data of about 470,000 members could have been exposed to a cyber attack on outsourcing group Capita.
As experts point out, hacking is an asymmetric menace. “Attackers only have to get it right once,” says Kelly Richdale, a board director and adviser on cyber security. Steichen says Luxembourg’s simulator — which will seek out the flaws in a business’s systems — is modelled on popular escape rooms, except “you can’t escape, you can only fail”.
Senior leaders increasingly realise that if no system is entirely protected against attempted breaches, then it is not enough to focus only on technological responses. Experts say CEOs should not shift responsibility on to their chief information security officer, or even on to their audit committee. Instead they should treat cyber attacks as a strategic issue, to be handled at the highest level. Properly addressed as a risk management problem, the threat can also be an opportunity to identify strategically important operations, and even to improve the business as a whole.
“You continuously improve but you’re never fully secure,” says SolarWinds’ Ramakrishna. “You don’t work from a position of fear, but constant learning and constant improvement.”
Regulators have helped to put cyber security firmly on the boardroom agenda. The US Securities and Exchange Commission, Bank of England and European Central Bank are among regulators to have increased their focus on cyber resilience in the past year. For instance, an SEC proposal would require public companies to disclose directors’ cyber security expertise “if any”. “Not every [board] member has to be an expert in financial risk, but has to be able to read a spreadsheet or a P&L [profit and loss account],” Richdale points out. Similarly, “the board has to be versed in the basics of cyber attacks and digital concepts” — a level of knowledge she says is lacking at many companies.
Achieving, or hiring, this level of expertise is easier for larger companies, adds Mitchell Scherr of cyber security company Assured Cyber Protection: “In the midsized businesses, the board doesn’t know what questions to ask and the tech folks don’t know what to provide to the board.”
This gap is particularly perilous because it is often small- and medium-sized companies that inadvertently open the backdoor of larger targets to hackers, through so-called “supply chain attacks”. Sunburst was a classic example, if a particularly sophisticated one, because the SolarWinds software had been installed by many customers (although the company estimates fewer than 100 private companies and nine federal agencies were targeted). Another was the attack last year on Australian health insurer Medibank. There, hackers gained access to customer data with a stolen username and password used by an outside information technology service provider. Richdale said: “The perimeter of cyber [security] has expanded.”
This puts the problem squarely on the desk of CEOs, whose role is to maintain a strategic view of risks and opportunities that covers the entire supply network. CEOs and boards are also best placed to assess reputational risk. Experts advise that leaders are in a better position than CISOs to identify the “crown jewels” — strategically important assets or operations that need the highest level of protection. For a hotel, that might be guests’ passport details; for a spa, it could be customers’ health data; for a manufacturer, it could be intellectual property. Scherr recalls one Chinese company that hacked into a start-up’s system under cover of ordering its products. The attacker copied the target’s innovative technique and started manufacturing and selling the same items at a quarter of the price. Once companies have addressed the main risks, they can move to cover any residual risk with cyber insurance.
Manuel Hepfer of Istari says the push towards greater cyber resilience can also offer opportunities to streamline processes. “The CIO came to present at an executive meeting and asked us how many servers we thought the company had,” one chief executive told Istari. “The lowest estimate in the room was four, the highest 250. The reality was more than 4,000. That was an incentive for all of us to understand more. We realised that we spend millions each year on this kind of technology but don’t really understand it.”
Istari identified a “preparedness paradox”. The companies that said they were best placed to withstand a cyber attack were less likely to be ready. Leaders whose companies had been hacked already said they had been able to rebuild better, which Oxford’s Smets likens to the Japanese art of kintsugi, repairing broken pottery with gold.
Ramakrishna says he has rebuilt SolarWinds’ culture on the basis of transparency, collaboration, and humility. “You’re not going to be able to solve all the problems yourself. You might need the community to help,” he says. When asked to advise other boards he urges them to adopt the same “bias to transparency” that SolarWinds uses, and to share knowledge of a cyber attack with their wider network.
How far to collaborate with rivals in a crisis is a decision only the CEO and board are likely to be able to take. Most err on the side of secrecy. Luxembourg’s Steichen says 70 per cent of those companies that have run a Room#42 simulation do not look for outside assistance in handling a cyber crisis. “Our general motto is: ‘Don’t suffer in silence’,” he says.
SolarWinds’ own mantra is “secure by design”. Ramakrishna describes this as a “forever project”. Could a Sunburst-style attack happen again? Ramakrishna points to recent breaches of companies “steeped in security”, such as Microsoft, whose Exchange email programme was attacked by supposed Chinese hackers in 2021: “It could happen to SolarWinds, to any other company, no matter its size, scope, assets,” says Ramakrishna. “What we can do is work together to reduce the likelihood.”