Here are the 5 most important takeaways from the US Senate's grilling of SolarWinds, Microsoft, CrowdStrike and FireEye over what could be the biggest cyberattack in history
- The Senate Intelligence committee held its first public hearing on the SolarWinds hack Tuesday.
- The CEOs of Microsoft, SolarWinds, FireEye, and CrowdStrike said the hack’s scope is unprecedented.
- Lawmakers of both parties lambasted Amazon Web Services for declining to appear at the hearing.
Senators grilled top tech executives about the sprawling SolarWinds cyberattacks during a hearing Tuesday that brought widespread support for new cooperation between the cybersecurity industry and government.
The Intelligence Committee hearing was the Senate’s first inquiry into the massive hack that compromised hundreds of US companies and nine major government agencies. Hackers implanted malware into widely used software distributed by SolarWinds, which the cybersecurity firm FireEye first discovered in December.
The CEOs of those two companies testified, as well as the CEO of CrowdStrike, a cybersecurity firm investigating the attacks, and Brad Smith, the president of Microsoft. The hearings did not bring many new revelations about the attacks – while the executives testifying generally supported the widely held belief that Russia was behind the attacks, they were also careful to note that this theory remains unproven. It’s also still unknown how the attacks began.
But the hearings did signal how the nation will move forward from what senators and executives speculated may be the largest cyberattacks in history – including new legislation, a potential new federal agency, and new ways of pushing back against foreign adversaries.
Here are 5 key takeaways from Tuesday’s hearing.
1. Fingers pointed to Russia as the hack’s perpetrator — and companies want the US to hold Russia accountable
Committee chair Mark Warner of Virginia advocated for attribution to Russia as a way of moving forward on cybersecurity policy, but vice chairman Marco Rubio, a Florida Republican, warned against characterizing the hacks as an act of aggression until lawmakers can “see the full extent of the damage.”
Smith of Microsoft made the most forceful case against Russia, arguing that the attack’s sophistication and methods track with previous attacks linked to Moscow, and the other executives did not disagree. But FireEye’s Mandia argued that attribution was the government’s job, and that the companies were best suited only to provide evidence. The companies did say they supported drawing some international boundaries against hacking that endangers lives – and pushing back against hostile nation-state hackers.
The hearing comes as the Biden administration is reportedly preparing sanctions against Russia for its suspected role in orchestrating the hack. Lawmakers pressed CEOs for details to establish whether the hacking demonstrated recklessness or put Americans in harm’s way, which could make the attacks grounds for sanctions and distinct from the routine type of espionage also carried out by US intelligence agencies.
2. Amazon was a no-show despite being invited, and lawmakers weren’t happy about it
Amazon Web Services, which has not previously been identified as a major target or company involved with the attacks, declined to take part in the hearings.
The committee wants to investigate how hackers used Amazon’s cloud infrastructure to stage the attacks, and was obviously frustrated by the company’s absence.
Members of the Senate committee took turns disparaging AWS for not taking part. “Apparently they were too busy,” griped Rubio. “They have an obligation to participate,” said Susan Collins, a Maine Republican. “If they don’t, I think we should take next steps.” Amazon Web Services did not immediately respond to Insider’s requests for comment.
3. Lawmakers and tech leaders agreed that there should be more robust information-sharing around cyber threats
Mandia called for a central agency to be created where “first-responders” in the cybersecurity industry – such as his own incident-response company, FireEye – can report intelligence on cyberattacks immediately.
That kind of agency would allow the industry to pool information with government oversight, and would connect the industry and government in a new way – perhaps allowing the US to better defend against other nations such as Russia and China, where the government effectively oversees cybersecurity.
Mandia said such an agency would allow companies to “get the intel out quickly,” and potentially address major cyberattacks as they unfold. Smith said he believes the government should also share cyberattack intelligence back out to the companies.
4. A new law setting standards for breached companies could be on the horizon
The companies took the unusual step of calling for more legislation in their industry – but also stressed a caveat. The executives said there should be a US law requiring disclosure of a cybersecurity breach – but also said there should be limited liability for companies that step forward.
Asked bluntly if the country should “create a legal obligation” to disclose hacks, Microsoft’s Smith said yes – provided there is the liability limitation, which would address whether companies could be sued over attacks they disclose.
“The time has come” for that legislation, Smith said, adding he thought it could happen this year. Committee chair Warner said he was open to the liability clause – as long as it didn’t “excuse sloppy behavior,” naming Equifax’s widely criticized handling of a 2017 data breach.
5. The hearings showed cooperation between government and industry
In closing, Warner conceded that stopping attacks in real time is “just not going to happen” if left up to the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). “We need a different model,” he said, and “invited” the companies to think about that.
There were very few of the sharp questions from senators that have marked past tech hearings, such as those on antitrust. Ron Wyden, an Oregon Democrat, attempted to force the executives to answer questions about whether basic cybersecurity steps would have prevented the attack, but the executives deflected his interrogation and another senator, Republican Richard Burr of North Carolina, derided the aggressive questioning.
Mandia, meanwhile, was lauded throughout the proceedings for bringing the attacks to light, and called by his first name by several senators.