Lawmakers and witnesses at the Senate Intelligence Committee’s hearing on the SolarWinds breach emphasized the possibility of legislation mandating certain businesses to disclose some breaches to the federal government.
The hearing comes about two months after FireEye’s revelation that hackers used a malicious software update on the SolarWinds Orion IT management system to hack several government agencies and private firms — including FireEye itself. The hackers, which lawmakers and several companies believe to be Russian intelligence, used other third-party infrastructure in attacks as well.
Currently there is no rule mandating a company like FireEye to disclose a breach to the federal government, even when national security is a concern.
“Had FireEye not detected this compromise in December and chosen on their own to come forward, would we still be in the dark today?” asked Committee Chairman Mark Warner, D-Va., in his opening remarks.
FireEye Chief Executive Officer Kevin Mandia, one of four witnesses, told lawmakers his firm notified all government clients before the public disclosure.
The SolarWinds and related attacks were hard to detect, said Mandia, and there was good reason they slipped beneath most organizations’ radar. Malicious software updates are hard to prevent, the hackers used unique infrastructure for each victim, making tracking harder, and, generally, the hacking was conducted with an eye toward operational security.
Ranking Republican Marco Rubio, R-Fla., noted that while the attacks could have been worse, it is still the current understanding of the Senate Intelligence Committee that the campaign was intended to steal information.
Mandia said that stealing information so discreetly is actually more difficult than wanton destruction. The latter, he said, just requires deleting files.
The hearing was the first public hearing with SolarWinds CEO Sudhakar Ramakrishna, who emphasized efforts by the company to use its experience and notoriety to help other companies.
“We are embracing our responsibility to being an active participant in helping prevent these types of attacks,” he said.
During the attack, malicious code was injected into the automated build process behind Orion updates. Ramakrishna said the company revised its systems so no one attack on the build process could infect all vulnerable systems. He also noted, with other witnesses agreeing, that many firms would be vulnerable to this kind of code injection, and said SolarWinds would actively share any lessons it learned in how to stop them.
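The mitigation Ramakrishna describes, rearranging the build so that no single compromised build process can poison every shipped copy, can be illustrated with a small simulation. The following is an added example, not SolarWinds code or a description of its actual pipeline: it assumes the same source is compiled by several independent build environments (hypothetical names below) and that an artifact is released only when every environment produces a byte-identical result. Tampering inside any one environment then shows up as a digest mismatch instead of reaching customers.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass


@dataclass
class BuildResult:
    """Output of one independent build environment (constructed for this example)."""
    pipeline: str
    artifact: bytes


def build_artifact(source: bytes, injected: bytes = b"") -> bytes:
    """Toy deterministic 'compiler'. `injected` models code slipped into
    one build environment's process; the honest build passes nothing."""
    return b"BUILD:" + source + injected


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def release_decision(results: list[BuildResult]) -> tuple[bool, dict[str, str], list[str]]:
    """Return (release_ok, digest per pipeline, pipelines that disagree with the majority).

    Release is approved only when every independent build agrees. With three or more
    environments, an outlier can also be named; with two, only the mismatch is known.
    """
    digests = {r.pipeline: digest(r.artifact) for r in results}
    distinct = set(digests.values())
    if len(distinct) == 1:
        return True, digests, []
    majority_digest, _ = Counter(digests.values()).most_common(1)[0]
    outliers = sorted(p for p, d in digests.items() if d != majority_digest)
    return False, digests, outliers


# Constructed sample source; in practice this is the checked-out commit.
SOURCE = b"orion-release-candidate-source"
PIPELINES = ["build-env-a", "build-env-b", "build-env-c"]  # hypothetical names


def clean_release() -> tuple[bool, dict[str, str], list[str]]:
    """All environments compile the same source honestly: digests agree, release proceeds."""
    results = [BuildResult(p, build_artifact(SOURCE)) for p in PIPELINES]
    return release_decision(results)


def tampered_release(compromised: str = "build-env-b") -> tuple[bool, dict[str, str], list[str]]:
    """One environment's process adds unexpected bytes: the mismatch blocks the release."""
    results = [
        BuildResult(p, build_artifact(SOURCE, b"+unexpected" if p == compromised else b""))
        for p in PIPELINES
    ]
    return release_decision(results)


if __name__ == "__main__":
    ok, digests, outliers = clean_release()
    print("clean build: release =", ok)
    ok, digests, outliers = tampered_release()
    print("tampered build: release =", ok, "disagreeing pipelines =", outliers)
```

The check is only as strong as the independence of the environments: if all of them pull the same compromised dependency or share one build host, they will agree on the wrong answer, so the environments must differ in infrastructure, credentials and tooling, not just in name.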
Mandia, as well as fellow witness Brad Smith, president at Microsoft, discussed with lawmakers the possibility of a legal obligation for businesses or people doing incident response to notify federal agencies in the event of a widespread breach.
There were a number of factors to consider. Smith noted that lawmakers would want to limit the types and sizes of companies obligated to report, saying it would be no use to impose the demand on small firms. Mandia emphasized the need for secrecy.
John Cornyn, R-Texas, and Roy Blunt, R-Missouri, suggested that liability protection would need to be instituted; Warner said such protection would need to have clear upper bounds so as not to let “an Equifax” completely off the hook.
Several times, senators referred to a bill that did not pass, introduced by Collins and then-Sen. Joe Lieberman, I-Conn., in 2012 to smooth the process of notifying government.
At the hearing, Collins said the earlier bill “was defeated largely due to the lobbying efforts of a large business group,” one which the FBI later revealed was hacked, she added, even as it was lobbying against mandatory reporting.
A second thread through the hearing was lawmakers suggesting that, given the National Security Agency is unable to do domestic surveillance, some other agency should be able to step up.
“I’m looking at us as the Congress to recognize that we have an [intelligence community] that is not structurally prepared to respond to something like this, when your greatest capabilities are at the NSA, and they’re prohibited from surveilling the systems” where such an attack could be detected, said Ben Sasse, R-Nebraska.
Though the hackers used U.S.-based infrastructure in the espionage effort, it is unclear how domestic surveillance would have prevented a largely undetectable attack. Mandia replied to Sasse that the reason the hackers were not detected was largely a function of how covert they were.
Creating a mechanism to notify federal agencies of breaches appeared to be the priority of the day for the committee with the widest agreement among its witnesses.
“This is about moving information fast, to the right place, so it can be put to good use,” said Smith.