Microsoft Claims Russian SolarWinds Hackers Have Defeated Brooks’s Law

60 Minutes did a segment on the SolarWinds hack, and spoke with Microsoft president Brad Smith:

“SolarWinds Orion” is one of the most ubiquitous software products you probably never heard of, but to thousands of I.T. departments worldwide, it’s indispensable. It’s made up of millions of lines of computer code. 4,032 of them were clandestinely re-written and distributed to customers in a routine update, opening up a secret backdoor to the 18,000 infected networks. Microsoft has assigned 500 engineers to dig in to the attack. One compared it to a Rembrandt painting, the closer they looked, the more details emerged.

Brad Smith: “When we analyzed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks. And the answer we came to was, well, certainly more than 1,000.”

One can only assume that “thousand engineers” who Microsoft claims worked on the hack for Russia did more than rewrite those 4,032 lines of code. Presumably, those 4,000+ lines of code enabled the backdoor, and much of the Russians’ engineering efforts went into code that was executed after breaking in to these exploited SolarWinds installations.

But, still, 1,000 engineers? That seems contrary to Fred Brooks’s famed maxim that “adding manpower to a late software project makes it later”. Same goes with Microsoft putting 500 engineers on the job of investigating the hack. No matter how bad the crime, putting 500 detectives on the case isn’t going to work.

I don’t know jack shit about the details of this SolarWinds case, but I know I’m a lot more worried about a small team of truly talented hackers — a team so small they could fit in a car — than a 1,000-person initiative. Brooks’s Law aside, how is a 1,000-person team expected to keep something like this hack secret?

Tuesday, 16 February 2021