Major Themes in the Senate Hearing on the SolarWinds Hack
Earlier this week, the US Senate Select Committee on Intelligence held a hearing on the SolarWinds breach that included participation from the majority of the committee as well as witnesses from SolarWinds, FireEye, Microsoft, and CrowdStrike. The hearing is readily available for public consumption, and I wanted to share some of the biggest takeaways I had from it.
It is widely agreed that Russia, as a nation-state actor, compromised the software vendor SolarWinds. How they initially compromised SolarWinds is still not widely understood, but once inside, the actor manipulated the software build process that SolarWinds used for creating, testing, and releasing patches and updates for their Orion product line. We do know the compromised build process enabled them to gather information, capture and/or create credentials, bypass multifactor authentication, and otherwise move around in what is thought to be up to 100 companies and nine federal agencies. Considering that the SolarWinds Orion product is used by somewhere around 18,000 organizations, the number of targeted companies is only a subset of what could have been (or may have been) a much larger breach.
Right out of the gate, Senator Mark Warner, the chairman of the committee, foreshadowed what I believe were the major themes of the hearing.
First, there seems to be a general consensus that there needs to be a single central federal agency to which both public agencies and private organizations can report breaches. The goal would not be to wait and report a fully investigated breach or compromise, but to provide for the rapid sharing of threat intelligence. This would help the entire industry respond to and mitigate more rapidly a threat that may only be known to a single organization or agency; if that threat were more broadly known and understood, it could help prevent continued or future attacks using the same infrastructure or techniques. Senator Warner equated this proposed agency to something similar to the National Transportation Safety Board (NTSB) or the Financial Crimes Enforcement Network (FinCEN).
During testimony, there were several mentions of what protections would be provided to the organizations sharing this information, to encourage rapid and broad disclosure without the disclosure becoming a mechanism for organizations to skirt the responsibility of implementing and executing cybersecurity best practices. This topic was reiterated several times by FireEye CEO and Mandiant founder Kevin Mandia, along with the idea of defining a category of individuals who would be "first responders" with a duty to report threat intelligence to this centralized agency as part of their investigation process. The witnesses from the companies by and large agreed that even with first responders reporting information quickly to a centralized agency, there may not be enough skilled security practitioners in the industry to act on it.
The second point made by the Chairman was around the broader rules of engagement for nation-state actors conducting cyber activities and what should or should not be off-limits. This line of thought struck me as extremely interesting, as it falls in line with what Brad Smith, a witness at the hearing and the President and chief legal strategist of Microsoft, describes in his book Tools and Weapons as a cyber Geneva Convention, and it has some alignment with the Paris Call for Trust and Security in Cyberspace. The notion is that there would be accepted rules of engagement that nation-states abide by, similar to those of conventional warfare (such as not bombing hospitals or taking food from a starving population), and that nation-state actors in the cyber realm should likewise not target hospitals or, in the case of software companies, the software and patching process that companies, the government, and individuals alike rely upon.
There was not much elaboration on what other rules of engagement would be included, and the idea of any cyber adversary obeying such conventions seemed to me like a huge reach, or at least overly optimistic. That said, I would assume the work done in the middle of the 20th century to hammer out the Geneva Conventions was met with equal skepticism.
Another theme throughout the hearing was the role of attribution: who was responsible for the attack, and what role attribution plays in the broader cybersecurity landscape. As security practitioners, we know that attribution can be an extremely difficult task, and the panel of witnesses recommended that attribution should really be the role of government, as it is best equipped to have the aggregate view and context needed to do proper attribution and is probably exclusively positioned to enact any repercussions against the actor. It was widely agreed that while attribution is difficult and the realm of the government, it is extremely important to do, because without it there can be no consequences for actors and thus no disincentive to cease activity.
While the hearing had lots of interesting tidbits, and even a pretty funny OPSEC joke directed at the very inconspicuous Zoom background of George Kurtz, the CEO of CrowdStrike, the last big item I took from the hearing was the scale of this breach at every level. Microsoft estimated that it took a team of upwards of 1,000 engineers to design, plan, and execute the attack; FireEye leveraged no less than 100 of their highly trained experts and thousands of hours to do a root cause analysis and find the source of the attack in their environment. Orion is used in 18,000 organizations, with at least 100 companies and nine federal agencies known to have been affected, and there is an estimate that nearly 30% of the organizations affected were not compromised via SolarWinds, so a large part of the breach's scope is still unknown.
I thought it was odd that there was a lot of conversation around the lack of Amazon's presence at the hearing, even after being requested to appear, yet there was no mention of Google. It seems to me that if the actor leveraged known or compromised credentials to access Microsoft Office 365 (O365) email and data, why wouldn't the actor do the same thing to the other largest productivity suite in use, Google Workspace (G Suite)?
There remain many questions about how public and private industry can collaborate better to prevent this in the future, and about the respective roles of the National Security Agency (NSA) and the FBI in protecting the nation when attacks like this are commonly executed from US-based infrastructure. Since the NSA does not have a domestic monitoring mandate, it really becomes the purview of the FBI, which may not be equipped to handle threat campaigns of this magnitude.
Super Connector | helping startups get funding and build great teams with A Players
1 year ago
Cody, thanks for sharing!
Appreciate the summary Cody Cornell. Lots of interesting angles here - but the scale of the effort for the attack jumped out at me. That's a lot of coordination and forethought.
Staff writer at Philadelphia Inquirer
3 years ago
Thanks for this useful summary
Channel Development Director | Strategic Resellers
3 years ago
Thanks so much for summarizing! Super interesting stuff - I know international agreements on rules of engagement for nation-state actors seem a bit far-fetched, but I do think cyber attacks are likely the "war of the future" (or the present?) - it'll be interesting to see how int'l leadership pursues that angle. That also really makes the case for a central governmental agency for reporting and response to breaches; it feels like this should have been established long ago. Better late than never, I guess?