The president ordered a board to probe a massive Russian cyberattack. It never did.

This article was originally published by ProPublica, a Pulitzer Prize-winning investigative newsroom. The intruders used malicious code and a flaw in a Microsoft product to steal intelligence from the National Nuclear Security Administration, National Institutes of Health and the Treasury Department in what Microsoft President Brad Smith called “the largest and most sophisticated attack the world has ever seen.” The president issued an executive order establishing the Cyber Safety Review Board in May 2021 and ordered it to start work by reviewing the SolarWinds attack. “The two incidents were quite different in that regard, and we do not believe a review of SolarWinds would have necessarily uncovered the gaps identified in the Board’s latest report,” they said. The GAO said it accepted the board’s Log4j review because it included “information from the SolarWinds incident.” But aside from footnotes, the report mentions SolarWinds only once. Asked to explain why it credited Homeland Security for completing a review that never occurred, Marisol Cruz-Cain, a director with GAO’s information technology and cybersecurity team, said in a statement that the office “stands by the statements and assessments.” “GAO believes the government had taken sufficient steps to review the SolarWinds incident,” she said, including through collaboration with multiple federal agencies and the private sector and “by disseminating relevant guidance about SolarWinds.” GAO also conducted its own study of SolarWinds, which was published in 2022.