5 takeaways from the Senate hearing on SolarWinds attacks

  • The Senate Intelligence Committee held its first public hearing on the SolarWinds hack on Tuesday.
  • The CEOs of Microsoft, SolarWinds, FireEye and CrowdStrike said the extent of the hack was unprecedented.
  • Lawmakers from both parties criticized Amazon Web Services for refusing to appear at the hearing.

Senators questioned top tech executives about the extensive SolarWinds cyberattack during a hearing Tuesday that drew widespread support for new collaboration between the cyber security industry and the government.

The Senate Intelligence Committee’s hearing was the chamber’s first inquiry into the massive hack that endangered hundreds of U.S. companies and nine major government agencies. Hackers implanted malware in widely used software from SolarWinds, an intrusion that cyber security firm FireEye first discovered in December.

The CEOs of the two companies testified along with the CEO of CrowdStrike, a cyber security firm investigating the attacks, and Brad Smith, the president of Microsoft. The hearing did not bring many new revelations about the attacks – although the executives who testified generally supported the prevailing view that Russia was behind the attacks, they were also careful to note that this theory was unproven. It is also still unknown how much damage the attackers did.

But the hearing did indicate how the nation would proceed from what senators and executives speculate could be the biggest cyberattack in history – including new legislation, a potential new federal agency and new ways to push back against foreign adversaries.

Here are five key takeaways from Tuesday’s hearing.

1. Fingers point to Russia as the perpetrator of the hack – and companies want the US to hold Russia accountable

The Democratic chairman of the committee, Senator Mark Warner of Virginia, advocated attributing the attack to Russia as a way to move forward with cyber security policy, but the Republican vice chairman, Senator Marco Rubio of Florida, warned against characterizing the hack as an act of aggression until legislators could ‘see the full extent of the damage’.

Smith of Microsoft made the strongest case against Russia, arguing that the attack’s sophistication and methods followed the pattern of previous attacks linked to Moscow, and the other executives did not disagree. But FireEye CEO Kevin Mandia argued that attribution was the job of the government and that the businesses were best placed to provide evidence. The companies said they supported drawing international lines against life-threatening hacks – and pushing back against hostile nation-state hackers.

The hearing comes as the Biden administration says it is preparing sanctions against Russia over the hack. Lawmakers asked executives for details to determine whether the hack showed recklessness or put Americans in harm's way, which could make the attack grounds for sanctions and set it apart from the usual espionage of the kind U.S. intelligence agencies also carry out.

2. Amazon was a no-show despite its invitation, and lawmakers were not happy about it

Amazon Web Services, which had not previously been identified as a key target or company involved in the attacks, declined to participate in the hearing.

The committee wants to investigate how hackers used Amazon’s cloud infrastructure to organize the attacks, and was obviously frustrated by the company’s absence.

Members of the Senate committee took turns criticizing AWS for not participating. “They were apparently too busy,” Rubio said. “They have an obligation to participate,” said Republican Sen. Susan Collins of Maine. “If they do not, I think we should take the next steps.”

Amazon Web Services did not immediately respond to Insider's request for comment.

3. Legislators and technology leaders agree that there should be more robust sharing of information around cyber threats

Mandia called for the creation of a central agency to which ‘first responders’ in the cyber security industry, such as his incident response company, FireEye, could immediately report information on cyber attacks.

This kind of agency would enable the industry to combine information with government oversight and connect the industry and government in a new way, and perhaps enable the US to better defend against other countries such as Russia and China, where the government effectively oversees cyber security.

Mandia said such an agency would enable companies to get information out quickly and perhaps address major cyberattacks as they unfold. Smith said he believes the government should also share information about cyberattacks with the companies.

4. A new law setting standards for breached companies may be imminent

The companies took the unusual step of requesting more legislation for their industry – but also stressed a caveat. Executives said there should be a U.S. law that requires the disclosure of a cyber security breach, but also that there should be limited liability for companies that come forward.

Asked directly whether the country should create “legal obligations” to disclose hacks, Smith of Microsoft said yes – provided the liability limitation exists, which would address the question of whether businesses can be sued for attacks they disclose.

“The time has come” for the legislation, Smith said, adding that he thought it could happen this year. Committee chairman Warner said he was open to the liability clause as long as it did not excuse ‘sloppy behavior’, citing Equifax’s widely criticized handling of a 2017 data breach.

5. The hearing showed co-operation between the government and the industry

In conclusion, Warner said stopping attacks in real time “just is not going to happen” if left to the FBI and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency. “We need a different model,” he said, adding that he had “invited” the companies to think about it.

There were few of the sharp questions from senators that have marked technology hearings in the past, such as those on antitrust. Democratic Sen. Ron Wyden of Oregon tried to press executives to answer questions about whether basic cyber security measures could have prevented the attack, but executives deflected his questioning, and one of Wyden’s GOP colleagues, Senator Richard Burr of North Carolina, has the aggressive interrogation.

Mandia, meanwhile, was praised by name by several senators during the proceedings for revealing the attacks.
