Five years ago this past December, FireEye disclosed it had been compromised by a state-aligned actor — and that the route in had been a tampered software update for SolarWinds Orion, a network management product. Within days, the scope expanded beyond anything anyone in the industry was prepared for. The same backdoored update had been pushed to around 18,000 SolarWinds customers, including several US federal agencies, Microsoft, the UK National Cyber Security Centre's industrial partners, and a long list of FTSE 100 firms whose supply chain risk assessments did not, on the day, include the name SolarWinds.

I want to write a retrospective because the SolarWinds case is the one that defined how the past five years of supply chain thinking has played out. Some of what it changed is real and durable. Some of what it changed was performative and has faded. The honest read, five years on, is mixed, and worth being clear-eyed about as the next regulatory cycle approaches.

What SolarWinds actually was, in one paragraph

The Russian Foreign Intelligence Service (SVR), known in the cyber world as Cozy Bear or APT29, compromised SolarWinds' software build pipeline. They modified the Orion product's source code to include a backdoor (named Sunburst by Mandiant, Solorigate by Microsoft). The backdoored code was signed with SolarWinds' legitimate code-signing certificate and shipped to customers as a normal product update. For around nine months, customers ran the trojaned code without anyone noticing. The attackers were selective about which of the 18,000 affected customers they actually exploited beyond initial access — the published estimate is fewer than 100 secondary intrusions. Those that were exploited were exploited carefully, with long dwell times, and with operational discipline. The full scope is still being mapped.

What changed in board thinking

Three things, in roughly the order they happened.

Supply chain risk became a board topic. Before SolarWinds, the phrase "third-party risk" in board papers usually meant suppliers' ability to deliver, not suppliers' ability to be compromised. After SolarWinds, the conversation shifted. Most FTSE-listed audit committees now include some version of "Which of our software suppliers, if compromised, would let an attacker into our network?" on the standing agenda. Five years ago that question was asked in maybe one in twenty boards. Today it is closer to half. Imperfect, but a real shift.

Software Bills of Materials (SBOMs) moved from concept to procurement. The US Executive Order 14028 in May 2021 made SBOMs a federal procurement requirement. UK government procurement has followed at a slower pace, but private-sector procurement has, in several sectors, started requiring SBOMs as a precondition for vendor onboarding. The work is uneven and the SBOMs that get delivered vary in quality, but the principle is now established.

The senior security leader's accountability changed. Tim Brown, the SolarWinds CISO, became the first US CISO to face SEC charges over public disclosures relating to a breach. I have written about that case in this post. The case settled with mixed outcomes for the SEC, but the precedent is set. The CISO who signs off public statements about security controls is doing so under a regulatory exposure that did not exist before SolarWinds.

What did not change

Three things, less satisfying.

The structural concentration in the software supply chain. SolarWinds compromised one network management vendor. The lesson many drew was "we need to reduce dependence on single vendors." Five years on, software vendor concentration has, if anything, increased. Microsoft is more central to most enterprise estates than it was in 2020. The hyperscaler cloud providers have more critical workloads on them. Single-vendor identity providers (Okta, Microsoft Entra, Google) handle authentication for a larger share of the enterprise estate than they did. The structural fragility SolarWinds exposed has not been addressed; it has, in many cases, deepened.

The supplier-of-the-supplier problem. SolarWinds was a supplier compromise. The compromise route into many of its customers, including Microsoft and the US federal agencies, was a trusted upstream. The lesson at the time was "we need to understand our suppliers' suppliers." Five years later, very few firms have a meaningful map of their tier-two and tier-three suppliers. The MOVEit / Cl0p extortion campaign in 2023 was a near-replay of this problem at a different scale. The CrowdStrike outage in 2024 (covered here) was another variant. We have not solved this problem. We have only learned to talk about it.

The signature trust model. SolarWinds was signed code, signed with the legitimate vendor certificate. The signature was real. The code was malicious. This was not new in 2020 — code-signing compromises had happened before — but it should have produced a serious rethink of how much trust is placed in a valid signature as a security signal. It largely did not. Most endpoint protection still treats signed code from a known vendor as benign. The trust model has not meaningfully shifted.
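As an added example (not from the original post), a small Python model of the two trust postures just described: the check that accepts any correctly signed artefact from a known vendor, beside one that also requires the artefact's hash to match a build attestation obtained through a channel the build pipeline cannot rewrite. The vendor name, signing key, payloads and attested hash are constructed, and an HMAC stands in for the real X.509 code-signing signature.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the vendor's code-signing key (real signing uses X.509 certificates).
VENDOR_SIGNING_KEY = b"constructed-vendor-signing-key"


@dataclass
class Update:
    vendor: str
    version: str
    payload: bytes
    signature: bytes


def vendor_sign(payload: bytes) -> bytes:
    """Signature produced by the vendor's own pipeline; it signs whatever the build emitted."""
    return hmac.new(VENDOR_SIGNING_KEY, payload, hashlib.sha256).digest()


def signature_valid(update: Update) -> bool:
    return hmac.compare_digest(vendor_sign(update.payload), update.signature)


def trust_signature_only(update: Update, known_vendors: set) -> bool:
    """The posture the post describes: known vendor + valid signature => treated as benign."""
    return update.vendor in known_vendors and signature_valid(update)


def trust_signature_plus_attestation(update: Update, known_vendors: set, attested: dict) -> bool:
    """Signature is necessary but not sufficient: the artefact hash must also equal the hash
    attested for this version through an independent path (e.g. a second, reproducible build).
    If the attestation came out of the same compromised pipeline it proves nothing."""
    if not trust_signature_only(update, known_vendors):
        return False
    digest = hashlib.sha256(update.payload).hexdigest()
    return attested.get((update.vendor, update.version)) == digest


def build_scenario() -> dict:
    """Constructed scenario: a clean build and a build tampered before signing, both
    carrying a genuine vendor signature, evaluated under each trust model."""
    clean_payload = b"example-vendor update 1.0 (constructed clean build)"
    tampered_payload = clean_payload + b" + code injected in the build pipeline (constructed)"
    known = {"example-vendor"}
    attested = {("example-vendor", "1.0"): hashlib.sha256(clean_payload).hexdigest()}
    clean = Update("example-vendor", "1.0", clean_payload, vendor_sign(clean_payload))
    tampered = Update("example-vendor", "1.0", tampered_payload, vendor_sign(tampered_payload))
    return {
        "signature_only": (trust_signature_only(clean, known), trust_signature_only(tampered, known)),
        "with_attestation": (trust_signature_plus_attestation(clean, known, attested),
                             trust_signature_plus_attestation(tampered, known, attested)),
    }
```

Under the signature-only model both builds pass; only the attestation check separates them, and only because the attested hash was produced outside the pipeline that was tampered with.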

What the next five years probably look like

Three predictions, with the usual humility about predictions.

The Cyber Security and Resilience Bill, on its current trajectory, will incorporate SBOM-style requirements for managed service providers and upstream critical suppliers within the next two years. The drafting is not finalised, but the direction is consistent with both the EU NIS2 and the US executive order.

Personal accountability for senior officers will continue to widen. The Brown case is the beginning, not the end. UK regulators — the ICO, the FCA, the sectoral regulators in CNI — are converging on a model where the senior responsible person for cyber is personally on the hook for the controls in place before the incident. The named senior accountable executives at the firms in next year's enforcement reports will be the case studies of the year after.

The next SolarWinds-shape event is already in progress somewhere. State-aligned operators have spent the past five years getting better at exactly the kind of patient supply chain compromise that worked in 2020. The attackers have not stopped. The detection has improved unevenly. The probability of a similar-scale event being disclosed in the next 24 to 36 months is, in my estimation, high.

One paragraph for boards

If your firm is reviewing its cyber posture in early 2026 and the SolarWinds case is not on the discussion list, that is an oversight worth correcting. The questions worth asking are: "Which of our software suppliers operates in the same way SolarWinds did?" (the answer, for most firms, is dozens); "What would we detect if one of them shipped trojaned code to us tomorrow?" (the honest answer, for most firms, is little before significant dwell time); and "What would we do operationally if we learnt today that a major software supplier had been compromised nine months ago?" The last question is the most useful because it surfaces the gap between policy and capability that the next event will exploit.

Five years on, the SolarWinds story is still the most important case study in the supply chain category. The work it should have triggered is still mostly ahead of us.