February 23, 2021
As Congress gears up to press CEOs from SolarWinds, Microsoft, CrowdStrike, and FireEye about the massive data breach that impacted several U.S. government agencies and nearly 18,000 SolarWinds customers last year, Senator Mark Warner (D-Va.) said that aside from getting to the bottom of the hack, there needs to be a clear message sent that cyber warfare against the United States will not be tolerated.
"We need to have some common standards where we warn our adversaries that you take this kind of action, there's going to be consequences," Warner told Cheddar.
Last month, law enforcement, security, and intelligence agencies released a joint statement following an investigation into the breach that said Russia was the likely culprit, though the Biden White House has yet to release a statement on the findings. According to Warner, the question isn't whether Russia is engaging in "asymmetrical warfare" but rather how the U.S. will respond.
"For a long time in America, because we are so I.T. dependent, because we are so technology-driven, we were reluctant to hold the bad guys accountable," he said. "We saw that when the Chinese attacked the OPM files of all the government employees or when they attacked Equifax, 150 million Americans had their personal information exfiltrated. We were reluctant to punch back because we were afraid of cyber escalation."
"We can't be timid in this space going forward," Warner stated.
When it comes to grilling the tech companies during the Senate Intelligence Committee hearing, Warner said he plans to press them about avoiding future incidents, what methods of protection are being adopted, and whether other cloud-based systems are currently susceptible to similar attacks.
Though Russia has been implicated by U.S. intelligence agencies in the recent attack, the senator said he believes the affected businesses had a responsibility to protect their customers, and that they have to be held liable as well and be held to mandatory reporting rules.
"There were certain things, obviously, SolarWinds could have done better, but when we're dealing with a tier-one adversary, bringing their A-team, very few private sector companies, on their own, can prevent an intrusion," Warner noted. "But that does not mean that suddenly we're going to let these private sector companies off the hook for having responsible cyber hygiene behavior, because even if the bad guys get in, if you've got good cyber hygiene, you can spot them earlier."