A host of federal government policy failures contributed to the rippling damage of the SolarWinds hack, leaders of cyber firms told a Senate panel on Tuesday, with even lawmakers saying Congress must do more to prevent a repeat.
More than two months after the hack became public, the wide-ranging Senate Select Committee on Intelligence hearing demonstrated that the U.S. government, the private sector and digital incident responders are still wrestling with the ramifications of a suspected Russian espionage campaign that leveraged the federal contractor SolarWinds.
A number of big questions remain: SolarWinds still hasn’t determined how the hackers originally got into its systems, nobody has fully settled debates on whether the incident amounts to espionage or something worse, and suspicions abound that more victims remain unrevealed.
“It has become clear that there is much more to learn about this incident, its causes, its scope and scale, and where we go from here,” said Senate Intelligence Chairman Mark Warner, D-Va.
Some of the fixes that all parties seemed to agree upon have been long-running, legislative miasmas. For instance, a number of senators and all the panelists — SolarWinds CEO Sudhakar Ramakrishna, Microsoft President Brad Smith, FireEye CEO Kevin Mandia and CrowdStrike President and CEO George Kurtz — said that Congress needs to pass a clear national data breach notification law.
That’s something Congress has tried and failed to do since at least 2003, though. Discussions have been derailed by debates over how or whether such legislation should supersede similar state laws, lawmakers feuding over committee turf and complex disputes over data security standards between powerful lobbies like the financial services and retail sectors.
Further, lawmakers would need to determine who in the federal government would receive mandatory breach reports, and who would have to produce them. “First responders” to data breaches, such as FireEye, should be required to report those incidents to one government agency that could handle such information confidentially, lest victims face lawsuits, Mandia said. Lawmakers would need to structure such a law so as not to let companies with lax security off the hook, Warner cautioned.
The lack of clarity has real-world ramifications. Microsoft was flustered that when it discovered the SolarWinds breach had affected one agency, contracts prevented the company from notifying other agencies about the dangers, Smith said.
“It does not strike me as the type of practice that makes a lot of sense for the future,” he said. “There is an opportunity for reform.”
More jobs for the feds
Mandia said other areas where the federal government could make a difference would be in definitive attribution on who’s behind attacks and leveling punishments against them. The Biden administration is reportedly weighing those two steps now, with some of the responses hinging on whether the SolarWinds breach was routine espionage or instead “disruptive” and “indiscriminate.” Smith said he believed it was both, although GOP lawmakers urged caution in labeling the incident as something overly severe.
Smith also said the U.S. government should do more to promote international rules in cyberspace, such as forbidding cyberattacks on the kind of patches and updates that the alleged Russian hackers used to distribute malware via the SolarWinds Orion software.
Smith and Kurtz praised one element of the federal government response, namely alerts from the National Security Agency and Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
As sticky as some possible government responses might be, another would be perhaps the stickiest. Sen. Martin Heinrich, D-N.M., asked whether any witnesses believed the hackers sought to avoid surveillance by attacking from a U.S. server, given spy agency prohibitions on snooping on U.S. soil.
“It was sort of an IQ test,” Smith answered. “We can’t know exactly what they thought, but it looks like they passed the IQ test, that they would be more effective and less likely to be detected if it was launched from a U.S. data center.”
For Sen. Ben Sasse, R-Neb., that raised the question of who in the federal government, if anyone, could have stopped the breach. Any bid to remove restrictions on domestic surveillance has prompted years-long debates in Congress.
Confusion remains about what exactly happened, to whom and exactly how.
Ramakrishna said SolarWinds has narrowed down the potential ways that hackers originally got into its systems to three, and couldn’t rule out the possibility that it was via another software tool, JetBrains’ TeamCity.
The Committee invited Amazon Web Services to testify on what it knew, but senators said the company declined and criticized it for doing so. Some senators suggested the possibility of subpoenaing AWS. The company did not respond to CyberScoop’s requests for comment.
Warner said it’s likely that other big companies have suffered intrusions but left the public in the dark. If FireEye hadn’t become a victim and come forward, he wondered, “would we still be in the dark?”
The hackers responsible haven’t only used SolarWinds as a vector to launch the malicious code, and Warner said he wanted to know other ways they got into victims’ systems. Mandia said the most common tactic his company has seen was password spraying, where hackers use known or common passwords to find a way into accounts.
Said Smith: “Absolutely there are more attack vectors, and we may never know exactly what the right number is.”
Correction, 1/23/21: The story originally misidentified Sen. Sasse’s party affiliation.