by Chas Kissick
On January 6th, I attended an enlightening talk by Sean Lyngaas PPS’07 on the national security implications of the SolarWinds hack, hosted by Sanford Professor David Hoffman and co-sponsored by the Kenan Institute and the Duke Center on Law, Ethics and National Security.
Like many other talks I’ve attended at Sanford, this discussion began by outlining Sean Lyngaas’ career journey from Duke to his current position as a senior reporter at CyberScoop. Unlike other talks at Sanford, and perhaps due to the fast-moving nature of both tech and journalism, I felt like I was actually given an inside look at how this kind of issue unfolds on a day-to-day basis, and walked away with lessons on how I should approach this story and future ones like it.
Lyngaas didn’t set out to be a tech reporter. After looking for jobs in the think-tank realm, he ultimately ended up in cybersecurity journalism — a field in which he didn’t have a hard technical background.
As Lyngaas delivered us breaking news and facts about recent events — such as confirmation that the Justice Department was hacked, on top of previous disclosures by the Department of Energy and others — it made me realize how critical journalistic work in this field is, and how it really does just take one person to resolve to discover and report the news that we all need to be aware of in order to stay digitally safe with “real-world” repercussions.
Reporting on the hack could not be an easy job. There were many parties involved, from Microsoft and FireEye to the tens of thousands of SolarWinds clients who were exposed to malware and may have suffered data breaches.
Journalism is also about telling a story in context, and Lyngaas does a good job at that as well. He most changed my perspective when he pointed out that there is also a danger of over-reacting to such cyber incidents.
For example, we all know that the 2016 elections were affected in some immeasurable way by the alleged Russian campaigns run with Cambridge Analytica on Facebook. We also know that the national division that followed the election was directly in line with Russia's goals as well. Our national division was more palpable than ever on the day of this talk, with the U.S. Capitol riots having happened that very morning.
I also liked that Lyngaas was notably deliberate in pointing out what he did and did not know, explicitly stating his caution about attributing past attacks to certain actors because he does not have a security clearance. I may have been smug when asking about the possible repercussions for the negligence in having “solarwinds123” as a password in the company’s system, but Lyngaas wisely pointed out that we don’t even know whether this password was relevant in the attack and that such finger-pointing should only come after an investigation, not before.
It’s not that consequences wouldn’t come. Home Depot is still paying out breach settlements six years after its security breach, and the legal landscape has changed dramatically in recent years. Professor Hoffman also pointed out that it’s hard to punish companies for failing when they’re defending against attacks from major world powers. Talk of kicking victims while they’re down led me to think about how that could incentivize under-disclosure as well.
Ultimately, the talk was not only educational in bringing breaking news right to Duke’s virtual campus, but it also taught me to approach such news stories with a bit more caution, a bit more civility, and a more responsible attitude that will hopefully keep us from hurting ourselves more than others ever could.
Chas Kissick is a second-year MPP/MBA student.