How hacked is hacked? Here's a hack scale to better understand the SolarWinds cyberattacks – GeekWire

Microsoft, FireEye, and the U.S. Treasury department have been hacked in the SolarWinds attacks.

This statement is true, but it doesn't tell the whole story accurately.

It's true because, by most people's understanding, these organizations have been hacked. But it doesn't tell the whole story accurately, because each of these organizations has experienced different impacts, with different levels of severity, from the hack.

A good example of why this matters is how we talk about cancer. Years ago, having cancer was a binary thing, too. Either you had cancer and were going to die, or you didn't. And cancer was often talked about in hushed tones, with euphemistic terms like "the C word."

Because of advances in medicine, this is no longer the case: people can and do survive cancer. So now we talk about cancer more openly, in a way that reflects that reality in terms of types of cancer and stages. That helps us understand whether it's a kind of cancer that could be treatable and survivable, or one that is untreatable and terminal.

The same is true now about being hacked. Some hacking is catastrophic, but some is survivable. We see this reality in the different reports coming out about the SolarWinds hacks. Some organizations are severely affected, while others are less so. But these crucial nuances are lost when we say they've all been "hacked."

There is no "hacked" scale that is used by professionals, let alone one that can be used by laypeople. This is one reason why we continue to just hear about "hacked."

If we're going to understand the nuances in the SolarWinds cases better, we need to define a scale. Since the most important thing in hacks is the spread and severity, the cancer staging system gives us a good model to adapt, because it tracks the spread and severity of cancer in five stages. We can do the same with hacks.

The key factors in these levels are the attackers' access and control: less of each is better, more is worse.

For instance, SolarWinds has said that 18,000 customers were impacted. But this doesn't mean that 18,000 customers' networks experienced Stage IV and are fully and totally controlled by the attackers.

The information SolarWinds provides only tells us that those customers experienced Stage 0: the attackers may have had a way to get further into the network. Knowing whether attackers did go further, and whether customers were more severely affected, requires more investigation.

On Dec. 17, Microsoft said it "can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others." Taking the information at face value, that would seem to indicate that Microsoft experienced Stage 0 or Stage I.

FireEye made a disclosure on Dec. 8 of its own compromise, which would turn out to be part of the SolarWinds attacks. It seems to indicate that the attacker was able to steal information, but it gave no indication that the attackers were able to alter data or gain administrative control of the network, likely making what the company experienced a Stage II.

Details of the U.S. Treasury's attack aren't as clear, in part because we only have the information second- and third-hand. The information in the New York Times report clearly indicates that the attackers at least had read access on the network, which is consistent with Stage II. However, some of the details that have emerged about how the attackers may have gained access to cloud properties imply the possibility that the attackers had achieved Stage IV on the network.

The goal with any scale is to make things simple but not simplistic. No scale is ever perfect; there are always going to be ways that scales can obscure critical details. The important thing with scales like this is to enable us to easily and succinctly understand the relative severity of a situation. What we know does indicate that the Treasury situation is worse than the Microsoft or FireEye situations; in this regard, the scale is accurate and useful.

The key point for everyone now is to understand that "hacked" isn't a simple binary state: there are different degrees of it. By understanding this, we can better assess how serious a situation is and what we need to do in response.
