
SolarWinds: How One Vendor Credential Reached 18,000 Organisations Including the US Government


On 13 December 2020, cybersecurity firm FireEye disclosed that nation-state attackers had infiltrated SolarWinds' Orion network management software, creating what would become the most significant supply chain cyberattack in history. The breach exposed a fundamental vulnerability in how organisations manage vendor access: a single compromised credential cascaded through 18,000 customers, including nine US federal agencies and Fortune 500 companies.

The attack began with attackers inserting malicious code into SolarWinds' software updates between March and June 2020. When customers installed routine updates, they unknowingly granted attackers persistent access to their networks. This breach demonstrated how vendor credential management failures can transform trusted business relationships into national security threats.

The Critical Gap in Government Vendor Access Control

Defence and public sector organisations face a unique challenge in vendor credential management. Unlike private companies that can limit third-party access, government agencies require extensive contractor and vendor integration for everything from IT infrastructure to classified research programmes. Each vendor relationship creates potential attack vectors through shared credentials, privileged access, and interconnected systems.

The SolarWinds incident exposed how traditional credential management approaches fail at scale. Government agencies typically manage vendor access through manual processes, shared accounts, or basic identity management systems that assume credentials remain secure once issued. This assumption proved catastrophic when attackers gained access to SolarWinds' internal systems and leveraged existing vendor credentials to move laterally across customer networks.

The attack succeeded because it exploited the trust relationship between vendors and customers. SolarWinds' legitimate credentials provided attackers with authorised access to customer systems, bypassing traditional perimeter security controls. For government agencies handling classified information or critical infrastructure, this represented a complete failure of access control architecture.

The Scale of Compromise: By the Numbers

The SolarWinds breach affected approximately 18,000 organisations that downloaded compromised software updates, according to SolarWinds' own SEC filings. However, the attackers demonstrated strategic targeting, with Microsoft estimating that fewer than 1,000 organisations were actually compromised through follow-on activities.

Among confirmed victims, nine US federal agencies were breached, including the Departments of State, Treasury, Homeland Security, Energy, and Commerce. The attackers maintained persistent access for up to nine months before detection, with some intrusions continuing for months after the initial disclosure.

Financial impact data reveals the true cost of credential compromise. SolarWinds reported spending over $18 million on incident response in 2021 alone, while facing multiple federal investigations and lawsuits. The company's market capitalisation fell by approximately $3.3 billion in the weeks following disclosure, according to financial filings.

The UK's National Cyber Security Centre identified that British government departments were among those affected, though the full extent remains classified. Similar impacts were reported across NATO allies, demonstrating how vendor credential compromise can cascade across international government networks.

Why Traditional Security Tools Failed

The SolarWinds attack succeeded despite extensive deployment of modern security tools across victim organisations. Identity and Access Management (IAM) systems failed because they authenticated legitimate SolarWinds credentials — the attackers were using valid access tokens obtained through the supply chain compromise.

Privileged Access Management (PAM) solutions, designed to control high-value accounts, proved ineffective because the attackers leveraged standard vendor access rather than obviously privileged credentials. The malicious code operated within normal software update processes, avoiding PAM monitoring focused on administrative activities.

Single Sign-On (SSO) and Multi-Factor Authentication (MFA) provided no protection because attackers bypassed these controls entirely. Once inside victim networks through legitimate SolarWinds access, attackers could move laterally without triggering authentication challenges designed for external access.

Zero Trust architectures, increasingly adopted across government agencies, failed to prevent the breach because they still relied on validating credentials rather than controlling their creation and distribution. The fundamental assumption — that credentials can be trusted once verified — remained intact and exploitable.

These tools address authentication and monitoring but do not solve the core problem: organisations cannot control credentials they allow others to create and hold. Vendor credentials, by definition, exist outside organisational control boundaries, creating persistent blind spots in security architecture.

Structural Solution: Organisational Credential Control

The SolarWinds breach demonstrates that effective security requires organisations to maintain complete control over all credentials accessing their systems, including vendor access. This means shifting from credential verification to credential generation and distribution.

Under a controlled credential model, organisations generate all access credentials centrally, distribute them in encrypted form, and maintain continuous revocation capability. Vendors and contractors never possess plaintext credentials, eliminating the possibility of credential theft or misuse. Access becomes truly unphishable because users cannot disclose credentials they do not hold.

This approach transforms vendor relationships from trust-based to verification-based. Rather than trusting vendors to secure their own credentials, organisations maintain cryptographic control over access rights. When vendors require system access, they request specific permissions that are granted through encrypted credential distribution, not permanent credential sharing.

MyCena's patented technology implements this model by ensuring users never see or control their own credentials. The system generates cryptographically secure credentials, distributes them in encrypted form, and enables instant revocation across all access points. For government agencies, this means vendor access can be controlled with the same rigour applied to classified information handling.

Implications for Defence and Public Sector Leaders

The SolarWinds breach created lasting regulatory and operational changes across government agencies. The US Executive Order on Cybersecurity (EO 14028) now mandates specific controls for software supply chains and vendor access management. Similar requirements are emerging across allied nations, creating compliance obligations that traditional security tools cannot address.

Government leaders must recognise that vendor credential compromise represents a systemic risk requiring architectural solutions, not incremental security improvements. The shift toward controlled credential distribution will become a requirement, not an option, as regulatory frameworks evolve.

Organisations should immediately audit vendor access arrangements and identify credentials existing outside their direct control. Each uncontrolled credential represents a potential SolarWinds-style compromise vector that could provide attackers with authorised access to critical systems.
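The controlled credential model described above (central generation, hashed storage, scoped and time-limited issuance, instant revocation) and the audit of credentials outside central control, as an added illustration that is not MyCena's product code or the article's own. Names such as CredentialAuthority and audit_uncontrolled are hypothetical; the encrypted channel used to deliver a freshly issued secret to a vendor agent is assumed and not shown.

```python
import hashlib
import hmac
import secrets
import time


class CredentialAuthority:
    """Organisation-side issuer: the only place vendor credentials are created."""

    def __init__(self):
        self._issued = {}    # cred_id -> {vendor, scope, digest, expires}
        self._revoked = set()

    def issue(self, vendor, scope, ttl_seconds, now=None):
        """Create a scoped, short-lived secret; only its SHA-256 digest is stored."""
        now = time.time() if now is None else now
        secret = secrets.token_urlsafe(32)
        cred_id = secrets.token_hex(8)
        self._issued[cred_id] = {
            "vendor": vendor,
            "scope": scope,
            "digest": hashlib.sha256(secret.encode()).hexdigest(),
            "expires": now + ttl_seconds,
        }
        # The secret is handed to the vendor agent over an encrypted channel (assumed).
        return cred_id, secret

    def revoke_vendor(self, vendor):
        """Instant revocation of every credential issued to one vendor."""
        for cred_id, rec in self._issued.items():
            if rec["vendor"] == vendor:
                self._revoked.add(cred_id)

    def verify(self, cred_id, secret, scope, now=None):
        """Accept only unrevoked, unexpired credentials used within their scope."""
        now = time.time() if now is None else now
        rec = self._issued.get(cred_id)
        if rec is None or cred_id in self._revoked:
            return False
        if now > rec["expires"] or rec["scope"] != scope:
            return False
        digest = hashlib.sha256(secret.encode()).hexdigest()
        return hmac.compare_digest(digest, rec["digest"])

    def issued_ids(self):
        return set(self._issued)


def audit_uncontrolled(account_inventory, authority):
    """Names of accounts in a directory export that the authority never issued."""
    controlled = authority.issued_ids()
    return sorted(a["name"] for a in account_inventory
                  if a.get("cred_id") not in controlled)
```

Running audit_uncontrolled over a constructed account export lists every vendor account whose credential was created outside the authority, which is the inventory the article asks leaders to build.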

The lesson from SolarWinds is clear: in an interconnected threat environment, credential control cannot be delegated to third parties, regardless of trust relationships or contractual obligations. Security architecture must assume credential compromise and design accordingly.
