Top U.S. lawmakers on the Senate Intelligence Committee on Tuesday debated whether new federal laws are needed to require top tech and software companies to disclose when their networks are breached.
The question became pertinent as the investigation continues into the attack on SolarWinds, a network monitoring software company. The company was compromised by a sophisticated group of attackers who injected malware into routine software updates that then went out to as many as 18,000 government entities and Fortune 500 companies that were SolarWinds clients.
Top U.S. government officials have said Russian intelligence services were behind the attack. So far, nine U.S. federal agencies and about 100 companies have been identified as exposed, but more victims are likely to be found as the probe continues.
The breach wasn’t detected or reported until cybersecurity company FireEye revealed in December that it had been attacked by a sophisticated adversary who stole the tools the company uses to probe for weaknesses in client networks. The malware was likely injected into SolarWinds software between March and June of 2020.
The fact that no one detected or reported the attack and several likely victims have yet to reveal whether they were breached suggests that U.S. law must require notification, Sen. Mark Warner, D-Va., chairman of the Senate Intelligence Committee, said.
“I would ask if we shouldn’t have mandatory reporting systems, even if it requires some liability protection, so we can better understand and better mitigate future such attacks,” Warner said. “Do we need something like the National Transportation Safety Board or a public-private entity that can immediately examine major breaches to see if we have a systemic problem, as we seem to in this case?”
The United States has no federal data breach notification law, but there are separate state laws. In 2012, Congress failed to pass a bill backed by former Sens. Joe Lieberman and Jay Rockefeller, and Sen. Susan Collins, R-Maine, that would have required U.S. companies to notify customers and the government.
It’s time to consider a federal notification law, Brad Smith, president of Microsoft, told lawmakers.
“I think the time has come to go in that direction,” Smith said. “We should notify a part of the U.S. government that would be responsible for aggregating threat intelligence and make sure that it is put to good use to protect the country.”
Smith said the responsibility for notification should fall on “those of us in the tech sector who are in the business of providing enterprise and other services.” The U.S. government should offer liability protection to companies to help them come forward with information on an attack without suffering financial consequences from customers and clients, Smith said.
Amazon a no-show
Warner and the top Republican on the panel, Sen. Marco Rubio, R-Fla., said the attack used U.S.-based computer networks including those of cloud services provider Amazon Web Services. The lawmakers said Amazon was asked to testify but declined.
Lawmakers also cited a report in The Wall Street Journal that said 30 percent of victims in the attack were likely breached through a route other than SolarWinds. It’s not clear what the other route was or who the victims were.
Other top tech executives testifying at the first public hearing in Congress on the SolarWinds hack revealed new details on its audacious scale and scope.
Kevin Mandia, the CEO of FireEye, told lawmakers that attackers first broke into SolarWinds as early as October 2019 and carried out a dry run to see if their technique worked.
Mandia said the attack was carried out in three stages. The first stage was breaking into a SolarWinds server that held the company’s main software code and injecting malware into it, he said.
Sophisticated and stealthy
Once the software embedded with malware went out to all SolarWinds clients, the second stage was to “rob the victims” by stealing login credentials, keys and tokens that legitimate users would use to gain access to all parts of the network, he said. After deploying the second stage, the attackers likely took emails and other documents.
The third stage was stealing source code from clients of SolarWinds, and in the case of FireEye, the attackers took “red-teaming tools” the company uses to probe weaknesses in client networks, Mandia said.
The malware was so well designed that once it entered an agency or company’s network, it “slept for 11 days,” remaining silent to see if anyone would detect the intrusion. After that period, the malware looked for tools from FireEye, Microsoft and CrowdStrike and shut down as many as 50 of those detection tools, Mandia said.
To pull off an attack of this scale and scope likely took as many as 1,000 “very skilled, capable engineers,” Microsoft’s Smith said. “It was an act of recklessness” by the attackers.
George Kurtz, CEO of CrowdStrike, told lawmakers that the hackers were sophisticated enough to erase their own fingerprints, because they used the legitimate login credentials of real users to access parts of the networks.
Appearing for the first time in a public hearing, SolarWinds CEO Sudhakar Ramakrishna, who took over as the top executive in January, said the tool used by the attackers to break into the company’s software hosting server “poses a great risk to automated supply chains.”
Ramakrishna said the software development process used by SolarWinds is similar to how software is developed across almost all of the tech industry, and that attackers could use similar techniques to compromise other companies.