The biggest problems in cybersecurity contributed to the ongoing hacking campaign thatfrom IT software company SolarWinds, lawmakers and witnesses said at a hearing Friday before the House Oversight and Homeland Securities committees. Whether it’s a lack of cybersecurity personnel, poor communication between private companies and the federal government, or the absence of global standards for acceptable espionage hacking, longstanding issues all came into play.
Solutions have long been in the works, but they weren’t enough to stopfrom accessing systems at nine federal government agencies and about 100 private companies. At the hearing, current SolarWinds CEO Sudhakar Ramakrishna and prior CEO Kevin B. Thompson testified alongside Microsoft President Brad Smith and FireEye CEO Kevin Mandia about the factors that made the hack possible.
The hacking group showed it could take advantage of myriad weaknesses in US cybersecurity, said Rep. John Katko, a Republican from New York. Worse, they didn’t fear any consequences for their actions, he said. “They’re winning the modern day arms race, and we need to step up.”
The hacking campaign was complex, with attackers poisoning an update to SolarWinds’ Orion products with malicious software. Thousands of entities downloaded the tainted update, and hackers then focused in on select targets for further intrusion. However, as lawmakers discussed at a Senate Intelligence Committee on Wednesday, the hackers also abused services from other companies, not just SolarWinds, to hack about 30% of their targets.
While past major breaches at the, and the prompted some changes, there are still significant weaknesses in the systems that protect US systems. Further changes could come in several forms.
Smith and Mandia both expressed support for a requirement that companies share information about intrusions on their systems with the federal government. Currently, the Cybersecurity and Infrastructure Security Agency fields many such reports, and lawmakers advocated for better flow of information to the rest of the government. Additionally, SolarWinds’ Ramakrishna said the company wants to share what it’s learned with other companies, potentially leading to better systems for safeguarding software updates.
Ramakrishna also emphasized the need to quickly shore up protocols for clear lines of communications between government agencies and tech companies for faster security responses, especially when a sophisticated attacker strikes. “In this case, they behaved like Transformer toys in many ways, constantly morphing and changing their tactics and procedures on us,” Ramakrishna said.
Smith echoed Ramakrishna’s call, highlighting the hurdles that he said slowed Microsoft’s efforts to alert agencies to the SolarWinds hacks.
“The government contracts impose restrictions on Microsoft and other government contractors in this kind of situation,” Smith said. “We found that we could only inform the agency that was the victim itself, and we had to ask them to go talk to another person or individual or part of the government.”
Asked about future prevention efforts, Smith said the government should establish better “rules of the road,” including passing legislation that would level consequences on hacks of this scale.
“If you catch somebody who is engaged in an offense, you need to hold them accountable, and you need a variety of ways to do that,” Smith told the panel.
Consequences may come for the alleged hackers soon, as the administration of President Joe Biden is reportedly considering sanctions against the people suspected of the attack. But there’s no sign that an agreement is imminent in the international community for what counts as an out-of-bounds hack from an espionage agency.