Executives with technology companies impacted by the massive cybersecurity breach known as the SolarWinds hack are giving U.S. lawmakers more reason to worry, warning the intrusion is both bigger and more dangerous than first realized.
The officials, including those from FireEye, the cybersecurity firm that first discovered the breach last December, and SolarWinds, the Texas-based software management company at the center of the hack, testified before the Senate Intelligence Committee Tuesday and told lawmakers they are still trying to assess the damage.
“These attackers, from Day One, they had a back door,” FireEye Chief Executive Officer Kevin Mandia said of the hack that impacted as many as 18,000 SolarWinds customers around the world.
“You wonder why people missed it? This wasn’t the first place you’d look,” he said. “This is the last place you’d look for an intrusion.”
Making matters worse, Microsoft President Brad Smith, whose company’s source code — the basic programming essential to run Microsoft programs and operating systems — was accessed in the breach, said more victims may still be out there.
“There are more attack vectors, and we may never know what the right number is,” Smith said. “Right now, the attacker is the only one who knows everything they did.”
Act of recklessness
Smith further warned that the massive hack was more dangerous than most people would like to admit, calling it “an act of recklessness.”
"The world relies on the patching and updating of software. We rely on it for everything,” he said. “To disrupt, to damage, to tamper with that kind of software updating process is, in my opinion, to tamper with the digital equivalent of our public health service."
To date, U.S. officials have said that while the breach exposed thousands of companies, the hackers appear to have been interested in only about 100 private-sector firms and nine U.S. government agencies in what they have described as a Russian intelligence operation.
U.S. officials have been reticent to share details, saying for now intelligence agencies are still working to “sharpen the attribution.”
FireEye and Microsoft, though, told lawmakers there is little doubt Russia is responsible.
“We went through all the forensics. It is not very consistent with cyber espionage from China, North Korea or Iran. And it is most consistent with cyber espionage and behaviors we’ve seen out of Russia,” FireEye’s Mandia told lawmakers.
"We've seen substantial evidence that points to the Russian foreign intelligence agency,” Microsoft’s Smith added. “We have found no evidence that leads us anywhere else."
Of particular concern, they said, was the ability of the hackers to shut down safeguards meant to find and neutralize malware, while also leaving few traces they were ever there.
“The tradecraft and operational security (were) superb," CrowdStrike CEO George Kurtz told lawmakers. “To actually inject something and have it all work without errors and without anyone actually seeing it is, again … it's very novel in its approach.”
Lawmakers urged the White House Tuesday to do everything it can to speed up the attribution process.
“The sooner we make a more fulsome attribution, the better," said Democrat Mark Warner, Senate Intelligence Committee chairman. "We need to call out our adversary … plan an appropriate response."
The White House Tuesday promised the wait will soon be over.
“It will be weeks, not months, before we respond,” White House press secretary Jen Psaki told reporters.
“We reserve the right to respond at a time and a manner of our choosing,” she added.
Bulking up US cyber defenses
Efforts are likewise underway to help harden the country’s cyber defenses.
Earlier this month, Deputy National Security Adviser for Cyber and Emerging Technology Anne Neuberger said the Biden administration is drafting policies to prevent further attacks and predicted some of the proposals could be formalized as part of an “executive action.”
On Tuesday, technology executives and lawmakers also raised the possibility of creating a mandatory reporting requirement so that companies impacted by cyber intrusions at the hands of countries like Russia or China come forward quickly to share what they know.
They also argued that more needs to be done to impose costs on countries that put critical systems at risk, both by the U.S. itself and with its allies.
“I think deterrence is one of the most important parts of a national strategy, and frankly, it isn't one that has been very well developed,” independent Sen. Angus King said.