The House Committee on Oversight and Reform and the Committee on Homeland Security held a virtual hearing on 26 February 2021 to understand and discuss the SolarWinds attacks. The hearing was entitled “Weathering the Storm: The Role of Private Tech in the SolarWinds Breach and Ongoing Campaign.” During the hearing, Sudhakar Ramakrishna, former CEO of Pulse Secure and the president and current CEO of SolarWinds Corporation; Kevin B. Thompson, former CEO of SolarWinds Corporation; Kevin Mandia, CEO of FireEye, Inc.; and Brad Smith, president of Microsoft, shared their comments. The key points from this hearing can be summarized as follows:
Aspects of the SolarWinds Attack
SolarWinds was established in 1999 in Oklahoma as a network equipment provider, and its main role is to help IT specialists manage their IT environments and troubleshoot problems. The company’s main headquarters is still in the US, with a team of more than 3000 specialized employees. The hearing included the following points:
1. Acknowledging the breach and trying to learn from it: Sudhakar Ramakrishna, president and CEO of SolarWinds, explained how the cyberattack occurred and what had happened, and acknowledged the challenges that SolarWinds and network users had faced during this unprecedented breach. He also discussed the lessons learned from the attacks during the efforts to address them, with the goal of learning from mistakes in order to prevent their recurrence.
The company also received assistance from the US intelligence community, including the CIA and the FBI. Ramakrishna discussed how systemic improvements would be incorporated into the Software Development Life Cycle (SDLC) and offered recommendations for strengthening US cybersecurity.
2. Quickly addressing damages for users: The main goal of the SolarWinds company is to ensure the security of its users. To achieve this goal, the company—within only three days after learning about the attacks—addressed the damage done to its users by releasing fixes for the affected product. Company representatives devoted themselves to raising user awareness about the attacks, and vast resources were allocated to help companies working in both the private and public sectors, as well as users, to overcome the damage resulting from the attack.
3. Complex three-pronged technique for carrying out the cyberattack: In explaining how the attack occurred, Ramakrishna stated that there were three main steps in the cyberattacks on SolarWinds. First, the malware “Sunburst” was injected into Orion products in order to spread it widely among government supply chain users. Second, the malware was used during the build process for Orion to ensure that the Orion program shipped with the malicious Sunburst code. Third, the attack moved through the victims’ networks, covertly using US government cloud services. After these steps, the malware became incorporated into the user environment. It is worth mentioning that the investigations found that the malicious code was not present in Orion program materials and products released before March 2020 or after June 2020.
According to investigations, after the malware entered SolarWinds user networks, the attackers carried out wide-reaching and intensive intelligence collection, and were able to remain in the networks for an extended period of time before the attack was discovered and repelled. Sunburst was able to insert itself without raising suspicion. This caused widespread alarm in software development and technology circles.
Ramakrishna stated that attackers had used US cloud infrastructure and managed the attack through many US-based servers in order to mimic usual network activity and therefore to evade threat-detection technologies.
4. Need to coordinate between the US government and technology companies: There is a potential for another attack, not only against SolarWinds but more broadly, through the exploitation of other security loopholes in the technology community, which would expand the scope of the threat and increase its impact. Therefore, the US government will need to coordinate with the technology industry.
This is why the US intelligence community and law enforcement have worked so closely with the SolarWinds Corporation following these developments, in order to publish detailed reports on how these attacks occurred and to prevent any other possible attacks of the same variety on other companies. To this end, the Sunburst code is not present in the software development environment, and various technology communities are conducting reviews to determine the likelihood that a similar attack could occur.
5. The negative global impact of the SolarWinds breach: Preliminary conclusions indicate that using Sunburst not only threatened the SolarWinds company, but also the global software supply chain more generally, since a number of other companies have faced similar attacks.
6. Strengthening the SolarWinds environment to prevent another breach: In light of SolarWinds’ efforts to learn from the attacks and to work towards sustainable improvements, the company established a new committee for technology and cybersecurity. This committee’s main responsibilities will involve providing counsel to the management and overseeing initiatives that will aim to improve cybersecurity.
By deploying additional protection software, SolarWinds is trying to uncover threats to all company networks. It is also trying to strengthen its product development environment through ongoing inquiries into particular product development environments, and by identifying the reasons for the breach and working to address them.
Finally, Ramakrishna recommended that there should be cooperation between the company and congressional committees in order to ensure the security and stability of the digital ecosystem, and to ensure active participation and contributions from SolarWinds in these committees. He also said that the company could contribute to a national solution for cyber threats by sharing the expertise it gained from countering the recent attack.
The Attack on FireEye, Inc.
1. Carrying out intensive investigations to uncover the cause and scope of the attack: Kevin Mandia, CEO of FireEye, spoke about the cyberattack against the company and how they discovered it had been caused by the malware Sunburst, which had been inserted into the SolarWinds network. He also discussed the steps that the federal government needs to take in order to protect the country, government agencies, and private companies in cyberspace.
According to Mandia, more than 100 employees of FireEye, Inc. were engaged in intensive investigations to understand the attacks and the scope of their effects on the company, because this kind of complex attack requires special skills as well as the ability to analyze and understand the situation and to come up with solutions.
2. The attackers were backed by foreign intelligence agencies: The results of preliminary investigations indicated that the attackers had been trained by a foreign intelligence agency with first-rate capabilities to carry out the attack. These results were obtained using the company’s own records, which hold information on thousands of investigations into cyberattacks over the last 17 years.
The recent cyberattacks that US institutions experienced differed from previous attacks with regard to the level of organization and precision in determining targets, as well as the targeting of specific individuals, careful planning, and use of new technologies that US institutions had not seen before.
3. The importance of coordinating efforts to protect US data: The federal government and the private sector can share confidential information in order to quickly make decisions about defense. This is the first important step that should be taken to protect the country as a whole from the dangers of cyberattacks; it will require quick responses, mitigating the effects of the attacks, and taking the necessary steps to prevent their recurrence in the future.
Therefore, the federal government should develop a wide-reaching program for reporting threats and sharing information in order to ensure the protection and security of electronic data, to encourage entities to establish standards for cybersecurity, to reduce punitive measures, and to offer greater incentives for private sector organizations in this regard. This includes protecting employees, protecting privacy and civil rights, and offering technical support to small organizations that do not have sufficient capacity or experience in the sphere of cybersecurity.
4. FAA safety procedures are a “model for effective information sharing”: Mandia noted that the Federal Aviation Administration’s safety reporting system is a model for sharing information between the private and public sector in a non-punitive system that allows for effective communication about threats. This model includes a number of key principles, including federal government efforts to maintain aircraft safety and to work to develop safety procedures further, as well as publishing reports on accidents in the public and private sector.
5. The need to develop the Cybersecurity and Infrastructure Security Agency: According to Mandia, the capacities of the Cybersecurity and Infrastructure Security Agency are still limited. He believes that the only way to improve and develop this agency to deal with existing cyberthreats is to cooperate with the private sector and to make the most of its resources, talents, and capabilities.
This will also require involving the National Security Agency and the United States Cyber Command in certain wide-reaching attacks. The sharing of information at the right times before and during cyberattacks will also build trust between the private and public sector.
Mandia finished by saying that although it is not possible to ward off all future cyberattacks, it is possible to reduce the intensity of the attacks and to minimize their effects by taking quick action, by coordinating among various agencies and between the private and public sectors, and by detecting attacks early and quickly notifying victims.
Microsoft’s Perspective on the Cyberattack
1. Warning about the danger of unknowing victims: Brad Smith, president of Microsoft, discussed the recent attack on SolarWinds and Microsoft, and how the attackers carried it out, in an effort to understand it better. He offered several solutions and proposals for working together to prevent future breaches of this scope, through strengthening cybersecurity and especially through cooperation between the private and public sectors.
Smith warned that the victims of the attacks could themselves pose a threat: investigations were operating on the assumption that the breach reached service providers first and then moved to cloud services, so there is a danger posed by unknowing victims who were no longer using cloud services.
2. Breach of 17,000 local networks: The FireEye company experienced a breach of its local network through a backdoor that was generated by a program update from the SolarWinds company, which was infected with the malware. Microsoft said that the “initial malware was concealed within the update,” which was then distributed to more than 17,000 customers. This contributed to the breach of 17,000 local networks without anyone noticing, because the malware was installed through the Orion update. The attackers were able to breach private networks and to set up more powerful malware in more important networks, and were thus able to open a new channel to communicate with victims’ networks and to close the original backdoor, which made it more difficult to uncover.
3. The attackers focused on targeting communications technology companies: The results of Microsoft’s preliminary investigations indicated that the Russian attackers used a technique they have often used in previous attacks, known as “password spraying,” which enables them to enter the network. They may have used supply chains compromised in previous attacks to create new points of entry.
Information and communications technology companies make up around 50 percent of the targets of the recent cyberattack, while private and governmental organizations—including civil society organizations such as academic institutions and think tanks—make up the other half of the targets. Anne Neuberger calculated that as of 17 February 2021, around 100 private companies and nine US government corporations had faced attacks, in addition to companies from a number of other countries that have not yet been revealed.
4. Quick responses to address consequences of the breach: Microsoft has taken a number of steps to respond to the attacks with regard to detection, reporting, and working to stop them. Microsoft said that the first step was to work with antivirus software suppliers to develop detection procedures for the malware, in order to identify which customers were exposed in the breach and to notify them.
The company took an additional step in blocking the malware and closing the backdoor, but by the time it did this, the attacker had been able to maintain a backdoor into a number of victims for around 6-9 months. The second step was to alert customers to the attack, as part of Microsoft’s commitment to transparency towards the customers who were exposed to these threats, so that they could carry out their own investigations. Another step was to try to “address” the attacks by uncovering how the Russian attackers had entered their local networks. The last step was for companies that had been targeted by the attacks to notify each other, share information, and increase transparency. Microsoft therefore gave information about the attack to the public.
5. The importance of reporting and transparency to secure the digital ecosystem: According to Smith, companies targeted by the attacks must not hide information, so that there can be a more effective response and so that avenues for protecting against attacks in the future can be strengthened. This requires identifying the parameters of these attacks in other communities in order to ensure the security of the US digital ecosystem. There is an urgent need for companies to examine their networks using a leading antivirus software program. The technology community also needs to be able to identify who the other victims of the attacks were.
Recommendations for Cybersecurity
1. Stringent adherence to cybersecurity rules: Based on Microsoft’s experience with the recent cyberattack, it has identified many opportunities to improve cybersecurity. First, there needs to be greater attention paid to cyber hygiene. The investigations showed that federal workers were not aware of the most basic rules for cyber-protection and security, which contributed to the spread of the attack on a wider scale. Therefore, Smith advised that all necessary defensive measures should be taken by the government for increased preparedness.
2. Improving information sharing between the private and public sector: It is important to improve the process of information sharing between the government and the private sector by quickly sharing details on responses to the cyberattack, especially information available to national security agencies. It is also important that the information be more specific and detailed, and that the necessary procedures and a united response be carried out through joint coordination between different agencies.
Brad Smith, the president of Microsoft, called on the government to launch a unified approach to responding to these cyber incidents and to evaluate them in order to avoid future attacks. He said the government should also try to cooperate with the private sector, especially in cases of a large-scale attack, and that its expectations and needs should be stated clearly. It is also necessary to adhere to clear and consistent reporting to the private sector, and to ensure transparency and for federal agencies to communicate information about the attacks.
Smith suggested that an agency be set up to lead efforts to consolidate information. Both the private and public sector harbor fears about sharing information and the methods used to fight the attacks, so as not to give the attackers an opportunity to hide their attacks more effectively in the future, and there are also concerns about consumer privacy. It is nevertheless necessary for these two sides to coordinate.
3. Strengthening the security of the supply chain: It is important to strengthen the security of the supply chain for the private and public sector and for each program and agency, through maintaining and updating software, addressing security loopholes, and offering the best open source security tools to software developers, as well as purchasing software that aligns with the users’ security needs.
4. Sharing best practices for cybersecurity: The participants in the hearing recommended expanding the scope of implementing best practices for cybersecurity, including the need to develop and improve cyber hygiene, to adhere to IT updates, and to shift to more secure cloud services that also meet federal security requirements.
5. Imposing sanctions on countries that constitute cyberthreats: This includes strengthening the regulations governing countries’ behavior in cyberspace, and imposing sanctions on countries that pose a threat to other countries through cyberattacks. Smith called on the US government to make a global effort to develop legislation and enforce existing laws and regulations on cyberspace and cybersecurity.
6. Increasing the number of trained professionals working in the cybersecurity sphere: This requires increased investment in developing a workforce skilled in the field of cybersecurity through coordination between the private and public sector, increasing federal investments for training people in the cybersecurity sector, establishing programs that integrate cybersecurity and public service, strengthening partnerships to attract talent to the federal government, and cooperating with the private sector in order to learn about the nature of the workforce and the skills necessary for cybersecurity positions.
7. Preparing for more developed attacks in the future: Smith stated that it would be necessary to prepare for more developed attacks in the future, and affirmed the importance of cooperation between the private and public sectors, and of making efforts to help both large and small institutions secure their IT infrastructures. This is in addition to increasing the number of trained professionals and strengthening communication and information sharing between different institutions and sectors. This will ensure effective action in case of an attack, and is particularly important since many companies and institutions that experienced attacks are still holding onto the information and the results of their investigations without sharing them more broadly.