5 Senate Hearing Conclusions on SolarWinds Attacks

  • The Senate Intelligence Committee held its first public hearing on the SolarWinds hack on Tuesday.
  • Executives from Microsoft, SolarWinds, FireEye and CrowdStrike said the scope of the hack was unprecedented.
  • Lawmakers on both sides criticized Amazon Web Services for refusing to attend the hearing.

Senators questioned key technology executives about the SolarWinds cyber attacks during a hearing on Tuesday that brought broad support for new cooperation between the cybersecurity industry and the government.

The Senate Intelligence Committee hearing was the chamber’s first investigation into the massive hack that compromised hundreds of American companies and nine major government agencies. Hackers planted malware in widely used software distributed by SolarWinds, a compromise that cybersecurity firm FireEye first discovered in December.

The CEOs of these two companies testified together with the CEO of CrowdStrike, a cybersecurity company that investigated the attacks, and Brad Smith, the president of Microsoft. The hearing did not bring many new revelations about the attacks – although the executives who testified generally supported the widely held belief that Russia was behind the attacks, they were also careful to note that this theory has not been proven. It is also unknown how the attacks started.

But the hearing signaled how the country would move forward from what senators and executives speculated could be the biggest cyber attack in history – including new legislation, a potential new federal agency and new ways to fight foreign adversaries.

Here are five main conclusions from Tuesday’s hearing.

1. Fingers pointed to Russia as the perpetrator of the hack – and companies want the US to hold Russia accountable

The committee's Democratic chairman, Senator Mark Warner of Virginia, defended attributing the attack to Russia as a way to advance cybersecurity policy, but his Republican vice chairman, Senator Marco Rubio of Florida, warned against characterizing the hack as an act of aggression until lawmakers could “see the full extent of the damage”.

Microsoft’s Smith presented the most compelling case against Russia, arguing that the sophistication and methods of the attack were consistent with previous attacks linked to Moscow, and the other executives did not disagree. But FireEye CEO Kevin Mandia argued that attribution was the government's job and that companies were better suited just to provide evidence. The companies said they supported drawing some international boundaries against hackers who put lives at risk – and against hackers from hostile nation states.

The hearing took place as the Biden administration is preparing sanctions against Russia over the hack. Lawmakers pressed the executives for details to establish whether the hacking demonstrated recklessness or put Americans in danger, which could make the attacks sanctionable and distinct from the routine espionage also carried out by US intelligence agencies.

2. Amazon did not attend, despite being invited, and lawmakers were not happy about it

Amazon Web Services, which has not previously been identified as a major target or company involved in the attacks, declined to participate in the hearing.

The committee wants to investigate how hackers used Amazon’s cloud infrastructure to prepare for the attacks and was obviously frustrated by the company’s absence.

Senate committee members took turns criticizing AWS for not participating. “Apparently, they were very busy,” said Rubio. “They have an obligation to participate,” said Republican Senator Susan Collins of Maine. “If they don’t, I think we should take the next steps.”

Amazon Web Services did not immediately respond to requests for comment from Insider.

3. Legislators and technology leaders agreed that there should be a more robust sharing of information about cyber threats

Mandia called for the creation of a central agency to which the cybersecurity industry’s “first responders” – such as his incident response company, FireEye – could report intelligence on cyber attacks immediately.

Such an agency would allow the industry to gather information with government oversight and connect industry and government in a new way – perhaps allowing the US to defend itself better against other nations, such as Russia and China, where the government effectively oversees cybersecurity.

Mandia said that such an agency would allow companies to “get information quickly” and, perhaps, deal with major cyber attacks as they happen. Smith said he believed the government should also share intelligence about cyber attacks with companies.

4. A new law setting standards for breached companies may be on the horizon

Companies took the unusual step of demanding more legislation in their sector – but they also emphasized one caveat. Executives said there should be a U.S. law requiring disclosure of a cyber security breach, but they also said there should be limited liability for companies that come forward.

Asked outright whether the country should “create a legal obligation” to disclose hacks, Smith said yes – as long as there is a limitation of liability, which would determine whether companies could be prosecuted for the attacks they disclose.

“The time has come” for this legislation, said Smith, adding that he thinks it could happen this year. Committee chairman Warner said he was open to the liability clause, provided it did not “excuse sloppy behavior”, citing Equifax’s widely criticized handling of a 2017 data breach.

5. The hearing showed cooperation between government and industry

In closing, Warner said stopping attacks in real time “just won’t happen” if left to the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. “We need a different model,” he said, adding that he “invited” companies to think about it.

There were few of the sharp questions from senators that have marked previous technology hearings, such as those on antitrust. Democratic Senator Ron Wyden of Oregon tried to force executives to answer questions about whether basic cybersecurity measures would have prevented the attack, but executives dodged the questions and one of Wyden’s Republican colleagues, Senator Richard Burr of North Carolina, scoffed at the aggressive questioning.

Mandia, meanwhile, was praised throughout the hearing for bringing the attacks to light and was called by his first name by several senators.
