The Senate Select Committee on Intelligence concluded its hearing on the massive SolarWinds hack on Tuesday having touched on proposals ranging from the creation of a new federal agency for reporting cyber threats to best practices for businesses and government agencies to avoid future hacks. 

The hearing featured Microsoft President Brad Smith, SolarWinds CEO Sudhakar Ramakrishna, and the CEOs of cybersecurity firms CrowdStrike and FireEye. Though there was some back-and-forth over the details, all agreed that the federal government should create a new clearinghouse for cybersecurity.  

"I still believe it is critical we find a way to have a centralized agency that we can report threat intelligence to confidentially," said Kevin Mandia, CEO of FireEye, which first identified the threat back in December. "That means we get the intelligence into the hands of people who can take actionable steps way faster than disclosure of incidents, which just takes too long." 

He also joined the rest of the panel in calling for some kind of reporting requirement for companies, though the exact details were debated, such as whether it should be confidential or if there should be liability protections. 

Mandia explained that FireEye's discovery of the hack — which compromised 100 private companies and nine federal agencies through 18,000 entities who downloaded a tainted software update from the SolarWinds Orion platform — was a massive undertaking, requiring "thousands of hours" of investigation to essentially find a "needle in a haystack." 

All the participants stressed the importance of a combined public-private response. Vice-chairman of the Committee Sen. Marco Rubio said "The bottom-line question is, 'how did we miss this?'" and what can the private sector and the U.S. government do together to make sure it doesn't happen again.

Rubio also cautioned against the use of certain loaded words, such as "attack", to describe what happened, and he stuck to the Biden and Trump administration's conclusions that the hack was only "likely of Russian origin."  

Smith of Microsoft was more explicit in assigning blame. 

"At this stage, we've seen substantial evidence that points to the Russian Foreign Intelligence Service, and we've seen no evidence that leads us anywhere else," he said. 

New Committee Chair Sen. Mark Warner noted that the intrusion had the potential to be "exponentially worse," given the level of access achieved.  

Crucially, however, the panel shared the opinion that right now the breach looks like an act of espionage, rather than an attempt to disrupt or wreak havoc on the U.S. economy or government. 

"Disruption would have been easier than what they did," Mandia said. "They had focused, disciplined data theft. It's easier to just delete everything in a blunt force trauma and see what happens, which other actors have done." 

This is another reason the panel roundly agreed that whoever committed the hack was highly sophisticated. Smith noted that in all likelihood at least 10,000 engineers were involved in pulling it off. 

"This is indicative of a nation-state actor, and it's in their interest to maintain persistence," said George Kurtz, president and CEO of CrowdStrike. "If they were collecting data, they want to continue collecting information over a period of time." 

On the question of whether or not the hack was ongoing, Ramakrishna of SolarWinds stressed that the tainted "code has been removed and is no longer an ongoing threat to the Orion platform."

Share:
More In Business
Starbucks’ Change Flushes Out a Debate Over Public Restroom Access
Starbucks’ decision to restrict its restrooms to paying customers has flushed out a wider problem: a patchwork of restroom use policies that varies by state and city. Starbucks announced last week a new code of conduct that says people need to make a purchase if they want to hang out or use the restroom. The coffee chain's policy change for bathroom privileges has left Americans confused and divided over who gets to go and when. The American Restroom Association, a public toilet advocacy group, was among the critics. Rules about restroom access in restaurants vary by state, city and county. The National Retail Federation says private businesses have a right to limit restroom use.
Trump Highlights Partnership Investing $500 Billion in AI
President Donald Trump is talking up a joint venture investing up to $500 billion for infrastructure tied to artificial intelligence by a new partnership formed by OpenAI, Oracle and SoftBank. The new entity, Stargate, will start building out data centers and the electricity generation needed for the further development of the fast-evolving AI in Texas, according to the White House. The initial investment is expected to be $100 billion and could reach five times that sum. While Trump has seized on similar announcements to show that his presidency is boosting the economy, there were already expectations of a massive buildout of data centers and electricity plants needed for the development of AI.
Load More