- The Senate Intelligence Committee on Tuesday held its first public hearing on the SolarWinds hack.
- The CEOs of Microsoft, SolarWinds, FireEye, and CrowdStrike said the hack's scope was unprecedented.
- Lawmakers of both parties lambasted Amazon Web Services for declining to appear at the hearing.
Senators grilled top tech executives about the sprawling SolarWinds cyberattacks during a hearing Tuesday that brought widespread support for new cooperation between the cybersecurity industry and government.
The Senate Intelligence Committee hearing was the chamber's first inquiry into the massive hack that compromised hundreds of US companies and nine major government agencies. Hackers implanted malware into widely used software distributed by SolarWinds, a compromise that the cybersecurity firm FireEye first discovered in December.
The CEOs of those two companies testified along with the CEO of CrowdStrike, a cybersecurity firm investigating the attacks, and Brad Smith, the president of Microsoft. The hearings did not bring many new revelations about the attacks — while the executives testifying generally supported the widely held belief that Russia was behind the attacks, they were also careful to note that this theory was unproven. It's also still unknown how the attacks began.
But the hearings did signal how the nation would move forward from what senators and executives speculated might be the largest cyberattack in history — including new legislation, a potential new federal agency, and new ways of pushing back against foreign adversaries.
Here are five key takeaways from Tuesday's hearing.
1. Fingers pointed to Russia as the hack's perpetrator — and companies want the US to hold Russia accountable
The committee's Democratic chair, Sen. Mark Warner of Virginia, advocated attribution to Russia as a way of moving forward on cybersecurity policy, but its Republican vice chairman, Sen. Marco Rubio of Florida, warned against characterizing the hacks as an act of aggression until lawmakers could "see the full extent of the damage."
Smith of Microsoft made the most forceful case against Russia, arguing that the attack's sophistication and methods tracked with previous attacks linked to Moscow, and the other executives did not disagree. But FireEye CEO Kevin Mandia argued that attribution was the government's job and that the companies were best suited only to provide evidence. The companies did say they supported drawing some international boundaries against hacking that endangered lives — and pushing back against hostile nation-state hackers.
The hearing comes with the Biden administration said to be preparing sanctions against Russia over the hack. Lawmakers pressed CEOs for details to establish whether the hacking demonstrated recklessness or put Americans in harm's way, which could make the attacks grounds for sanctions and distinct from the routine type of espionage also carried out by US intelligence agencies.
2. Amazon was a no-show despite being invited, and lawmakers weren't happy about it
Amazon Web Services, which has not previously been identified as a major target or company involved with the attacks, declined to take part in the hearings.
The committee wants to investigate how hackers used Amazon's cloud infrastructure to stage the attacks, and was obviously frustrated by the company's absence.
Members of the Senate committee took turns disparaging AWS for not taking part. "Apparently they were too busy," Rubio said. "They have an obligation to participate," Republican Sen. Susan Collins of Maine said. "If they don't, I think we should take next steps."
Amazon Web Services did not immediately respond to requests for comment from Insider.
3. Lawmakers and tech leaders agreed there should be more robust information-sharing around cyber threats
Mandia called for a central agency to be created in which "first responders" in the cybersecurity industry — such as his incident-response company, FireEye — could report intelligence on cyberattacks immediately.
That kind of agency would allow the industry to pool information with government oversight and would connect the industry and government in a new way — perhaps allowing the US to better defend against other nations such as Russia and China where government effectively oversees cybersecurity.
Mandia said such an agency would allow companies to "get the intel out quickly" and, perhaps, address major cyberattacks as they unfold. Smith said he believed the government should also share cyberattack intelligence with the companies.
4. A new law setting standards for breached companies could be on the horizon
The companies took the unusual step of calling for more legislation in their industry — but also stressed a caveat. The executives said there should be a US law requiring disclosure of a cybersecurity breach but also said there should be limited liability for companies that step forward.
Asked bluntly whether the country should "create a legal obligation" to disclose hacks, Microsoft's Smith said yes — provided there is the liability limitation, which would address whether companies could be sued over attacks they disclose.
"The time has come" for that legislation, Smith said, adding he thought it could happen this year. The committee chair, Warner, said he was open to the liability clause as long as it didn't "excuse sloppy behavior," naming Equifax's widely criticized handling of a 2017 data breach.
5. The hearings showed cooperation between government and industry
In closing, Warner said that stopping attacks in real time was "just not going to happen" if left up to only the FBI and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency. "We need a different model," he said, adding that he "invited" the companies to think about that.
There were few of the sharp questions from senators that have marked past tech hearings, such as those on antitrust. Democratic Sen. Ron Wyden of Oregon attempted to force the executives to answer questions about whether basic cybersecurity steps would have prevented the attack, but the executives deflected his interrogation, and one of Wyden's GOP colleagues, Sen. Richard Burr of North Carolina, derided the aggressive questioning.
Mandia, meanwhile, was lauded throughout the proceedings for bringing the attacks to light and called by his first name by several senators.