The Senate Select Committee on Intelligence concluded its hearing on the massive SolarWinds hack on Tuesday having touched on proposals ranging from the creation of a new federal agency for reporting cyber threats to best practices for businesses and government agencies to avoid future hacks.
The hearing featured Microsoft President Brad Smith, SolarWinds CEO Sudhakar Ramakrishna, and the CEOs of cybersecurity firms CrowdStrike and FireEye. Though there was some back-and-forth over the details, all agreed that the federal government should create a new clearinghouse for cybersecurity.
"I still believe it is critical we find a way to have a centralized agency that we can report threat intelligence to confidentially," said Kevin Mandia, CEO of FireEye, which first identified the threat back in December. "That means we get the intelligence into the hands of people who can take actionable steps way faster than disclosure of incidents, which just takes too long."
He also joined the rest of the panel in calling for some kind of reporting requirement for companies, though the exact details were debated, such as whether it should be confidential or if there should be liability protections.
Mandia explained that FireEye's discovery of the hack — which compromised 100 private companies and nine federal agencies through 18,000 entities who downloaded a tainted software update from the SolarWinds Orion platform — was a massive undertaking, requiring "thousands of hours" of investigation to essentially find a "needle in a haystack."
All the participants stressed the importance of a combined public-private response. Vice-chairman of the Committee Sen. Marco Rubio said "The bottom-line question is, 'how did we miss this?'" and what can the private sector and the U.S. government do together to make sure it doesn't happen again.
Rubio also cautioned against the use of certain loaded words, such as "attack", to describe what happened, and he stuck to the Biden and Trump administration's conclusions that the hack was only "likely of Russian origin."
Smith of Microsoft was more explicit in assigning blame.
"At this stage, we've seen substantial evidence that points to the Russian Foreign Intelligence Service, and we've seen no evidence that leads us anywhere else," he said.
New Committee Chair Sen. Mark Warner noted that the intrusion had the potential to be "exponentially worse," given the level of access achieved.
Crucially, however, the panel shared the opinion that right now the breach looks like an act of espionage, rather than an attempt to disrupt or wreak havoc on the U.S. economy or government.
"Disruption would have been easier than what they did," Mandia said. "They had focused, disciplined data theft. It's easier to just delete everything in a blunt force trauma and see what happens, which other actors have done."
This is another reason the panel roundly agreed that whoever committed the hack was highly sophisticated. Smith noted that in all likelihood at least 10,000 engineers were involved in pulling it off.
"This is indicative of a nation-state actor, and it's in their interest to maintain persistence," said George Kurtz, president and CEO of CrowdStrike. "If they were collecting data, they want to continue collecting information over a period of time."
On the question of whether or not the hack was ongoing, Ramakrishna of SolarWinds stressed that the tainted "code has been removed and is no longer an ongoing threat to the Orion platform."