The Senate Select Committee on Intelligence concluded its hearing on the massive SolarWinds hack on Tuesday having touched on proposals ranging from the creation of a new federal agency for reporting cyber threats to best practices for businesses and government agencies to avoid future hacks. 

The hearing featured Microsoft President Brad Smith, SolarWinds CEO Sudhakar Ramakrishna, and the CEOs of cybersecurity firms CrowdStrike and FireEye. Though there was some back-and-forth over the details, all agreed that the federal government should create a new clearinghouse for cybersecurity.  

"I still believe it is critical we find a way to have a centralized agency that we can report threat intelligence to confidentially," said Kevin Mandia, CEO of FireEye, which first identified the threat back in December. "That means we get the intelligence into the hands of people who can take actionable steps way faster than disclosure of incidents, which just takes too long." 

He also joined the rest of the panel in calling for some kind of reporting requirement for companies, though the exact details were debated, such as whether it should be confidential or if there should be liability protections. 

Mandia explained that FireEye's discovery of the hack — which compromised 100 private companies and nine federal agencies through 18,000 entities who downloaded a tainted software update from the SolarWinds Orion platform — was a massive undertaking, requiring "thousands of hours" of investigation to essentially find a "needle in a haystack." 

All the participants stressed the importance of a combined public-private response. Vice-chairman of the Committee Sen. Marco Rubio said "The bottom-line question is, 'how did we miss this?'" and what can the private sector and the U.S. government do together to make sure it doesn't happen again.

Rubio also cautioned against the use of certain loaded words, such as "attack", to describe what happened, and he stuck to the Biden and Trump administration's conclusions that the hack was only "likely of Russian origin."  

Smith of Microsoft was more explicit in assigning blame. 

"At this stage, we've seen substantial evidence that points to the Russian Foreign Intelligence Service, and we've seen no evidence that leads us anywhere else," he said. 

New Committee Chair Sen. Mark Warner noted that the intrusion had the potential to be "exponentially worse," given the level of access achieved.  

Crucially, however, the panel shared the opinion that right now the breach looks like an act of espionage, rather than an attempt to disrupt or wreak havoc on the U.S. economy or government. 

"Disruption would have been easier than what they did," Mandia said. "They had focused, disciplined data theft. It's easier to just delete everything in a blunt force trauma and see what happens, which other actors have done." 

This is another reason the panel roundly agreed that whoever committed the hack was highly sophisticated. Smith noted that in all likelihood at least 10,000 engineers were involved in pulling it off. 

"This is indicative of a nation-state actor, and it's in their interest to maintain persistence," said George Kurtz, president and CEO of CrowdStrike. "If they were collecting data, they want to continue collecting information over a period of time." 

On the question of whether or not the hack was ongoing, Ramakrishna of SolarWinds stressed that the tainted "code has been removed and is no longer an ongoing threat to the Orion platform."

Share:
More In Business
Spain fines Airbnb $75 million for unlicensed tourist rentals
Spain's government has fined Airbnb 64 million euros or $75 million for advertising unlicensed tourist rentals. The consumer rights ministry announced the fine on Monday. The ministry stated that many listings lacked proper license numbers or included incorrect information. The move is part of Spain's ongoing efforts to regulate short-term rental companies amid a housing affordability crisis especially in popular urban areas. The ministry ordered Airbnb in May to remove around 65,000 listings for similar violations. The government's consumer rights minister emphasized the impact on families struggling with housing. Airbnb said it plans to challenge the fine in court.
Roomba maker iRobot files for bankruptcy protection; will be taken private under restructuring
Roomba maker iRobot has filed for Chapter 11 bankruptcy protection, but says that it doesn’t expect any disruptions to devices as the more than 30-year-old company is taken private under a restructuring process. iRobot said that it is being acquired by Picea through a court-supervised process. Picea is the company's primary contract manufacturer. The Bedford, Massachusetts-based anticipates completing the prepackaged chapter 11 process by February.
Serbia organized crime prosecutors charge minister, others in connection with Kushner-linked project
Serbia’s prosecutor for organized crime has charged a government minister and three others with abuse of position and falsifying of documents related to a luxury real estate project linked to U.S. President Donald Trump’s son-in-law Jared Kushner. The charges came on Monday. The investigation centers on a controversy over a a bombed-out military complex in central Belgrade that was a protected cultural heritage zone but that is facing redevelopment as a luxury compound by a company linked to Kushner. The $500 million proposal to build a high-rise hotel, offices and shops at the site has met fierce opposition from experts at home and abroad. Selakovic and others allegedly illegally lifted the protection status for the site by falsifying documentation.
Load More