Hearings examine consequences of massive SolarWinds breach

The massive Russian hacking incident that has become known as the SolarWinds breach will be in the spotlight on Capitol Hill this week as multiple House and Senate panels examine the extent of what is likely the largest cyber breach in U.S. history.

“Preliminary indications suggest that the scope and scale of this incident are beyond any that we’ve confronted as a nation, and its implications are significant,” Senate Intelligence Committee Chairman Mark Warner (D-Va.) plans to say as part of his opening statement, which was provided to The Hill.

President Biden has made responding to the breach a priority. He intends to roll out an executive action to address “gaps” in federal cybersecurity, has tasked the intelligence community with completing an assessment on the extent of the breach and brought it up during his first call in office with Russian President Vladimir Putin.

Warner is among the many bipartisan members of Congress focused on creating meaningful change in the wake of the breach, planning to discuss with witnesses topics including whether norms in cyberspace needed to be established and potential mandatory reporting with some liability protections for companies that get hacked.

The Senate Intelligence Committee will kick off the week of hearings on the breach on Tuesday afternoon, when SolarWinds CEO Sudhakar Ramakrishna will testify alongside Microsoft President Brad Smith, FireEye CEO Kevin Mandia and CrowdStrike President and CEO George Kurtz.

Former SolarWinds CEO Kevin Thompson will join Ramakrishna, Mandia and Smith on Friday morning to testify on the SolarWinds breach during a joint hearing held by the House Homeland Security and House Oversight and Reform panels.

Warner plans to use his panel’s hearing, which follows a classified briefing the committee received in January, to underline the enormity of the threat from the cyber espionage incident, which was ongoing for more than a year before it was discovered.

“Even though what we’ve seen so far indicates this was carried out as an espionage campaign targeting 100 or so networks, the reality is that the hackers responsible have gained access to thousands of networks, and the ability to carry out far more destructive operations … if they wanted to,” Warner will say.

Both Congress and the Biden administration are still confronting fallout from the incident, which a White House official announced last week involved breaches of at least nine agencies and 100 private sector groups.

Agencies impacted by the breach — which U.S. intelligence officials have said is “likely” Russian in origin — include the Commerce, Defense, Homeland Security, State and Treasury departments. FireEye and Microsoft were also compromised as part of the breach, and FireEye has been credited with drawing attention to the incident by announcing it had been breached.

The House Homeland Security and Oversight and Reform panels announced a joint investigation into the breach in December shortly after its discovery, and since the announcement, the House Armed Services Committee formed a specific cyber subcommittee that intends to also examine the hacking incident.

The House Homeland Security Committee held a hearing on a variety of cybersecurity concerns earlier this month, during which committee Chairman Bennie Thompson (D-Miss.) emphasized that the committee would “treat cybersecurity as a central national security priority.”

“We will use what we learn to inform policy that will raise the costs of sophisticated cyber campaigns, prevent intrusions into Federal and private sector networks when we can, and detect and eradicate the adversary more quickly when we cannot,” Thompson said in a statement.

“We hope to learn how private sector companies doing business with the government will evolve their approach to cybersecurity in the wake of these attacks, whether there were missed opportunities for better information sharing that could have identified this campaign sooner, and how the Federal government can support private sector cybersecurity and supply chain risk management efforts,” he continued.

A spokesperson for committee ranking member John Katko (R-N.Y.) also told The Hill Monday that Katko intended to use the hearing to zero in on risks associated with the supply chain and using third-party vendors in government.

“As SolarWinds has reinforced, third-party and supply chain risk is now a core component of all cybersecurity conversations, adding a new layer that amplifies the impact of a cyber-attack,” the spokesperson said. “We expect witness testimony to provide key insight into significant questions that must be addressed to prevent and respond to future cyber espionage campaigns.”

“Ranking Member Katko also expects the witnesses to highlight just how labor and resource intensive it is to hunt out adversarial access and remediate networks after a campaign of this magnitude and sophistication,” the spokesperson added.

IT group SolarWinds has seen the intensive efforts of the hackers involved up close.

The company became the face of the breach in December, when it was revealed that Russian hackers had infiltrated up to 18,000 of its customers through software updates. The Wall Street Journal reported last month that up to 30 percent of compromised organizations have no affiliation with SolarWinds products.

Ramakrishna, who took over as CEO less than two months ago as the scope of the breach was beginning to come into view, said Monday at a virtual event hosted by the Center for Strategic and International Studies that the hackers were extremely advanced and experienced in clearing their tracks.

“There wasn’t one single technique used and it was a long drawn out process with a very deliberate focus on cleaning up after themselves at every step of the way, so that requires more manual focus and more deliberation and understanding of the environments,” Ramakrishna said.

He noted that many of those customers did not install the compromised software, meaning that “a very small number of customers” were actually impacted by the hack, but emphasized that this did not mean that the nation had escaped damage.

“Given the tools, techniques and processes that they have been using, and the attribution to a nation state we feel that they were after a few prized assets … maybe in some cases simply learning about those environments, and in some cases trying to get something out of those environments from an intelligence standpoint,” Ramakrishna said.

There are many questions still unanswered about how the hackers were able to infiltrate and stay in classified systems for as long as they did, and Congress could have a role to play in ensuring the government is better prepared to defend itself against attacks in the future.

Kiersten Todt, the former executive director of a cybersecurity commission under former President Obama, told The Hill that while the multiple public hearings were important to responding to the breach, concrete action is needed in order to allow Congress and the White House to work together.

“The size of this breach is so massive and disparate and we are still understanding it, we don’t need siloed activities,” said Todt, managing director of the Cyber Readiness Institute. “This is truly a case where Congress needs to be working with the executive branch to figure out what makes the most sense for action.”