Hearings
Hearing Type: Open
Date & Time: Tuesday, February 23, 2021 - 2:30pm
Location: Dirksen 106
Witnesses: George Kurtz, President and CEO, CrowdStrike

Full Transcript
[Senate Hearing 117-79]
[From the U.S. Government Publishing Office]

S. Hrg. 117-79

OPEN HEARING: HACK OF U.S. NETWORKS BY A FOREIGN ADVERSARY

HEARING BEFORE THE SELECT COMMITTEE ON INTELLIGENCE OF THE UNITED STATES SENATE
ONE HUNDRED SEVENTEENTH CONGRESS, FIRST SESSION

TUESDAY, FEBRUARY 23, 2021

Printed for the use of the Select Committee on Intelligence
Available via the World Wide Web: http://www.govinfo.gov

U.S. GOVERNMENT PUBLISHING OFFICE
45-485 PDF
WASHINGTON : 2022

SELECT COMMITTEE ON INTELLIGENCE
[Established by S. Res. 400, 94th Cong., 2d Sess.]

MARK R. WARNER, Virginia, Chairman
MARCO RUBIO, Florida, Vice Chairman
DIANNE FEINSTEIN, California
RICHARD BURR, North Carolina
RON WYDEN, Oregon
JAMES E. RISCH, Idaho
MARTIN HEINRICH, New Mexico
SUSAN COLLINS, Maine
ANGUS KING, Maine
ROY BLUNT, Missouri
MICHAEL F. BENNET, Colorado
TOM COTTON, Arkansas
BOB CASEY, Pennsylvania
JOHN CORNYN, Texas
KIRSTEN E. GILLIBRAND, New York
BEN SASSE, Nebraska
CHUCK SCHUMER, New York, Ex Officio
MITCH McCONNELL, Kentucky, Ex Officio
JACK REED, Rhode Island, Ex Officio
JAMES INHOFE, Oklahoma, Ex Officio

Michael Casey, Staff Director
Brian Walsh, Minority Staff Director
Kelsey Stroud Bailey, Chief Clerk

CONTENTS

FEBRUARY 23, 2021

OPENING STATEMENTS
Warner, Hon. Mark R., a U.S. Senator from Virginia
Rubio, Hon. Marco, a U.S. Senator from Florida

WITNESSES
Mandia, Kevin, CEO, FireEye, Inc.
    Prepared statement
Ramakrishna, Sudhakar, CEO, SolarWinds Inc.
    Prepared statement
Smith, Brad, President, Microsoft Corporation
    Prepared statement
Kurtz, George, Co-Founder and CEO, CrowdStrike
    Prepared statement

SUPPLEMENTAL MATERIAL
Responses of Kevin Mandia to Questions for the Record
Responses of Sudhakar Ramakrishna to Questions for the Record
Responses of Brad Smith to Questions for the Record
Responses of George Kurtz to Questions for the Record

OPEN HEARING: HACK OF U.S. NETWORKS BY A FOREIGN ADVERSARY

TUESDAY, FEBRUARY 23, 2021

U.S. Senate, Select Committee on Intelligence, Washington, DC.

The Committee met, pursuant to notice, at 2:32 p.m., in Room SD-106 in the Dirksen Senate Office Building, Hon. Mark R. Warner (Chairman of the Committee) presiding.

Present: Senators Warner, Rubio, Feinstein, Wyden, Heinrich, King, Bennet, Casey (via WebEx), Gillibrand, Burr, Risch, Collins, Blunt, Cotton, Cornyn, and Sasse.

OPENING STATEMENT OF HON. MARK R. WARNER, A U.S. SENATOR FROM VIRGINIA

Chairman Warner. Good afternoon, everyone. I'd like to call this hearing to order and apologize to our witnesses and others with them. With COVID and a vote just been called, we're going to a little bit be playing this by ear. So I'm going to make my opening statement, ask the Vice Chairman to make his opening statement. We'll be monitoring the vote, which just opened a moment ago. We've got two, so we'll either tag team through this or take a five-minute recess to get us all a chance to go vote on both these items.

First, I'd like to take this opportunity to welcome our two new Members, one of which I think at least is on Zoom, Senator Casey, and also Senator Gillibrand, to the Committee. I look forward to working with both of you as Members of the Senate Intelligence Committee in the bipartisan tradition of this Committee.
The Intelligence Committee's record of working together in the interests of America's national security has been due, in no small part, to the tireless efforts of our former Chairman, Senator Burr, and our new Vice Chairman, Senator Rubio. So I want to take this opportunity during my first hearing as Chairman, to thank you both for your partnership and friendship. I'm confident that we'll be able to keep working together in a bipartisan way in the 117th Congress. I'd also very much like to welcome our witnesses today: Kevin Mandia, CEO of FireEye; Sudhakar Ramakrishna, President and CEO of SolarWinds; Brad Smith, President of Microsoft Corporation; and, I believe remotely, George Kurtz, President and CEO of CrowdStrike. I would like for the record to note that we also asked a representative from Amazon Web Services to join us today but, unfortunately, they declined. But we will be expecting to get a full update--and we've had one update from our friends at Amazon--but it would be most helpful if in the future they actually attended these hearings. Today's hearing is on the widespread compromise of public and private computer networks in the United States by a foreign adversary, colloquially or commonly called ``the SolarWinds hack.'' While most infections appear to have been caused by a trojanized update of SolarWinds's Orion software, further investigations have revealed additional victims who do not use SolarWinds's tools. It has become clear that there is much more to learn about this incident, its causes, its scope and scale, and where we go from here. This is the second hearing this Committee has held on this topic. Our first was a closed hearing held on the now-infamous January 6th to hear from government officials responding to the SolarWinds incident. It's going to take the combined power of both the public and private sector to understand and respond to what happened. 
Preliminary indications suggest that the scope and scale of this incident are beyond any that we've confronted as a Nation and its implications are significant. Even though what we've seen so far indicates that this was carried out as an espionage campaign targeting more than 100 or so companies and government agencies, the reality is the hackers responsible have gained access to thousands of companies and the ability to carry out far more destructive operations if they'd wanted to. And I want to repeat that. This intrusion had the possibility of being exponentially worse than what has come to pass so far. The footholds these hackers gained into private networks, including some of the world's largest IT vendors, may provide opportunities for future intrusions for years to come.

One of the reasons the SolarWinds hack has been especially concerning is that it was not detected by the multibillion-dollar U.S. Government cybersecurity enterprise or anyone else until the private security firm, FireEye--and I want to again compliment our friend, Kevin Mandia, who's appeared before this Committee a number of times--on their own without a requirement to report, actually publicly announced that it had detected a breach of its own network by a nation-state intruder. A very big question looming in my mind is: Had FireEye not detected this compromise in December and chosen on their own to come forward, would we still be in the dark today?

As Deputy National Security Adviser, Anne Neuberger, who has been chosen by the President to lead the response in this, and to the SolarWinds hack, said last week, ``The response to this incident from both the public and private sector is going to take a long time.'' All of our witnesses today are involved in some aspect of the private sector response to this incident.
I want to hear from them on the progress so far, the challenges we'll need to overcome in order to fully expel these hackers, and how we can prevent supply-chain attacks like this in the future. I'd also like to hear from them about their experiences working with the Federal Government, namely, the Unified Coordination Group, in mitigating this compromise.

The SolarWinds hack was a sophisticated and multifaceted operation: a software supply chain operation that took advantage of trusted relationships with software providers in order to break into literally thousands of entities. Combined with the use of these sophisticated authentication exploits, it also leveraged vulnerabilities in major authentication protocols, basically granting the intruder the keys to the kingdom, allowing them to deftly move across both on-premises and cloud-based services, all while avoiding detection.

While many aspects of this compromise are unique, the SolarWinds hack has also highlighted a number of lingering issues that we've ignored for too long. This presents us an opportunity for reflection and action. A lot of people are offering solutions, including mandatory reporting requirements, wider use of multi-factor authentication, requiring a software bill of goods, and significantly improving threat information sharing between the government and the private sector.

I've got a number of questions, but there are three that I'd like to pose in my opening. One, why shouldn't we have mandatory reporting systems, even if those reporting systems require some liability protection, so we can better understand and better mitigate future attacks? As I pointed out, Senator Collins was way ahead of all of us on this issue, literally years and years ago, when she and Senator Lieberman first put forward legislation that required this critical, mandatory reporting on critical infrastructure.
There's an open question, though, on who should receive such a report, even if you put that mandatory reporting in place. Do we need something like the National Transportation Safety Board, or other public-private entity that can immediately examine major breaches to see if we have a systemic problem, as we seem to see in this case?

I think there's also some truth to the idea that if a tier-one adversary, a foreign nation-state, sends their A team against almost any ordinary company in the world, chances are they're going to get in. But that cannot be an excuse for doing nothing to build defenses and making it harder for them to be successful once inside an enterprise. I'm very interested in hearing from the witnesses what they think our policy response should be, and what solutions they think will actually improve cybersecurity and incident reporting in the United States.

Beyond the immediate aspects of the SolarWinds hack are larger issues that this Committee needs to consider. Do we need to finally come to some agreement on common norms in cyberspace, hopefully, again, on an international basis, that potentially are enforceable, and at least says to our adversaries: If you violate these norms, there will be known consequences? For example, we have these norms in other conflicts. We have military conflict that exists, but there's been for some time a norm that you don't knowingly bomb a hospital or bomb an ambulance that's got a Red Cross shield on it. Should we, therefore, consider efforts that subvert patching, which are all about fixing vulnerabilities, to be similarly off limits?

Once again, I want to thank our witnesses for joining us today, both in person and remotely. I personally talked to nearly all of our witnesses, in some cases multiple times since this incident was first reported. I appreciate their transparency and willingness to be part of this conversation.
After our witnesses conclude their remarks, we'll move to a round of five-minute questions based upon order of arrival. As a reminder to my colleagues, this incident is not over. So too are the criminal investigations by the FBI. So there might be some questions our witnesses cannot answer. However, I'm confident we'll get those answers at some point as we move forward. I now recognize the Vice Chairman for a statement.

OPENING STATEMENT OF HON. MARCO RUBIO, A U.S. SENATOR FROM FLORIDA

Vice Chairman Rubio. Thank you, Mr. Chairman, and thanks for convening this hearing. And I'd like to welcome our witnesses from Microsoft, FireEye, SolarWinds, and CrowdStrike who are here to help the Committee's examination of what is the largest cyber-supply chain operation ever detected. So we really do appreciate you being with us. As the Chairman mentioned, we had extended an invitation to Amazon to participate. The operation we'll be discussing today used their infrastructure, at least in part, to be successful. Apparently, they were too busy to discuss that here with us today and I hope they'll reconsider that in the future.

This operation involved, as has already been said, the modification of the SolarWinds Orion platform, which is a widely-used software product. It included a malicious backdoor that was downloaded, from my understanding, to up to 18,000 customers between March and June of last year. But the most insidious part of this operation was that it hijacked the very security advice promulgated by computer security professionals to verify and apply patches as they are issued. So there are many concerning aspects to this first-of-its-kind operation, at least at this scale, that has raised significant questions. My understanding is that if FireEye had not investigated an anomalous event within their own network in November of last year, it's possible this would be a continuing and unfettered operation to this day.
I think everyone's asking, despite the investment that's been made in cybersecurity collectively between the government and the private sector, how no one detected this activity earlier, as it appears that they have been in the system for close to five to six months before it was detected--maybe even longer; closer to a year. But the bottom-line question is, how did we miss this? And what are we still missing? And what do we need to do to make sure that something like this, using these sorts of tools, never happens again?

Second, I think there's great interest in knowing exactly what these actors did. Based on what we know, to include what government has stated publicly, the actor seems to have undertaken follow-on operations against a very small subset of the 18,000 networks to which they potentially had access. So aside from the mechanical aspects of removing a hacker from a network, what do we know about why these actors chose the targets that they did? What actions did they undertake within those networks? And what do we know that we do not know? I always love that question. What do we know that we do not know? In essence, what are the open questions now and in the future about these sorts of tools and how they can be used? Or what do we still have open ended that we are not able to answer at this time? And perhaps most importantly, who has the single comprehensive view of the totality of activity undertaken? That's another thing that everyone has struggled with is who can see the whole field here on this?

And third, what is it going to take to rebuild and have confidence in our networks? And speaking with several of you in the days leading up to this, one of the hallmarks of this operation was the great care that was taken by this adversary to use bespoke infrastructure and tradecraft for each victim. Unlike other malware or ransomware cleanup operations, there is no template here that can be used for remediation.
So what's it going to take to have confidence in both government and in the private sector networks again? Fourth, what do we need to do to raise the bar for the cybersecurity of this Nation? Is cyber deterrence an achievable goal? How do we need to enhance cybersecurity information logging and sharing across the spectrum to protect against APTs in the future? And finally, though this is a question for the government rather than the witnesses here today, I think it's important for this Committee to ask itself, and to inform the Members of the Senate, what does the United States Government need to do to respond to this operation? Government officials initially stated this was an intelligence gathering operation. Just recently, however, the White House stated, quote: ``When there is a compromise of this scope and scale, both across government and across the U.S. technology sector to lead to follow-on intrusions, it is more than a single incident of espionage. It is fundamentally of concern for the ability for this to become disruptive.'' End quote. While I share this concern that an operation of this scale, with a disruptive intent, could have caused mass chaos, those are not the facts that are in front of us. Everything we have seen thus far indicates that at some level, this was an intelligence operation and a rather successful one that was ultimately disrupted. While there are a myriad of ways for sovereign states to respond, I caution against the use of certain terms at this time until the facts lead us to the use of terms such as attack and so forth. I've always advocated for standing up to our adversaries. I think that's important. I will continue to advocate for that. But I want to know today what the actor's intent seemed to be and to the extent of the damage before we categorize it. It may very well have reached that level. 
This Committee and the rest of the Congress should consider what policies we need to pursue to better defend our Nation's critical networks, in order to get a fuller view of the problem. Perhaps we should consider mandating certain types of reporting, as the Chairman already mentioned. As it relates to cyber-attacks, we must improve the information-sharing, of this there is no doubt, between the Federal Government and the private sector. And I look forward to being an active and constructive participant in these debates on these new issues, as I know every Member on this Committee is.

And with that, I again, want to welcome you and thank you for the testimony and the insights that you will share with us and the American people. It is important that the public understand the current persistent information conflict that the United States finds itself in against nation-state adversaries like Russia, but also like China and Iran and North Korea. Thank you, Mr. Chairman.

Chairman Warner. Thank you, Senator Rubio. I think we're going to go ahead and we'll just trade off. I believe the order of the speakers is going to be: FireEye, SolarWinds, Microsoft, and CrowdStrike. So Kevin, if you want to start us off, that'd be great.

STATEMENT OF KEVIN MANDIA, CEO, FIREEYE, INC.

Mr. Mandia. Thank you, Mr. Chairman, Vice Chairman Rubio, and the rest of the Members of the Senate Intelligence Committee. It is a privilege to be here with the opportunity to speak with you. And as the first witness, I'm going to discuss what happened from a first-hand experience as a stage two victim to this intrusion. I have opinions on who did it. I have opinions on what to do about it. But in the next four minutes, I don't have enough time to get through all that. So I look forward to your questions.

I just want to give you a little background on FireEye. Responding to breaches is what we do for a living. We have a whole bunch of Quincy-type people that do forensics 2,000 hours a year.
And people hire us to figure out what happened and what to do about it when they have a security breach. We responded to over 1,000 breaches in 2020. It was a tough year for chief information security officers. And as I sit here right now testifying to you, we're responding to over 150 computer security breaches. In short, this is what we do for a living. And what we're going to tell you today, we tell you with high confidence and high fidelity on the intent of the attackers and what they did. So now I want to present kind of the anatomy of this attack. You know, we're referring to it as the SolarWinds campaign. But it's a little bit broader than that. Whoever this threat actor is--and we all pretty much know who it is--this has been a multi-decade campaign for them. They just so happened to, in 2020, create a backdoor SolarWinds implant. So the first part of this ongoing saga, stage one of this campaign, was you had to compromise SolarWinds. And the attackers did something there that was unique in that they didn't modify the source code there, they modified the build process, which to me means this is a more portable attack than just at SolarWinds. When you modify the build process, you're doing the last step of what happens before code becomes production for your buyers and customers, which just shows this is a very sophisticated attacker. And once they did that stage one compromise of SolarWinds, we didn't find the implant till December 2020. And it had been out there, if you look at a timeframe perspective, from March 2020 and there was an update in June 2020, as well. But the attacker did something interesting when you get the timing. They did a dry run in October 2019, where they put innocuous code into the SolarWinds build just to make sure the result of their intrusion was making it into the SolarWinds platform production environment. I want to explain how we found this implant because there's no magic wand to say where's the next implant? 
When we were compromised, we were set up to do that investigation. It's what we do. We put almost 100 people on this investigation. Almost all of them had 10,000 hours there, so to speak, 10,000 hours of doing investigations, and we unearthed every clue we could possibly find. And we still didn't know. So how did the attacker break in? So we had to do extra work. And at some point in time, after exhausting every investigative lead, the only thing left was--the earliest evidence of compromise was a SolarWinds server. And we had to tear it apart. And what I mean by that is we had to decompile it. Specifically, there were 18,000 files in the update, 3,500 executable files. We had over a million lines of assembly code. For those of you that haven't looked at assembly, you don't want to. It's something that you have to have specialized expertise to review, understand, piece apart, and we found the proverbial needle in the haystack--an implant. But how do we get there? Thousands of hours of humans investigating everything else. And that's one of the reasons I share that as you wonder why people missed it. This was not the first place you'd look; this was the last place you'd look for an intrusion.

Over 17,000 companies were compromised by that implant. So stage one was to compromise SolarWinds, get an implant in, and indiscriminately went to the 17,000 folks that downloaded it. That means the attackers had a menu of 17,000 different companies. Stage two of this attack was the companies that these attackers intended to do additional action on and I want to talk about what they did during stage two victims. I want to say, stage one, the attacker hasn't done anything more than crack open the window into a company. But they haven't gone into the house to rob anything yet. Stage two, they go into the house to rob it.
When we look at the stage two threat actor, or stage two victims, this is where Microsoft's top-down viewpoint from their Cloud, where there's a lot of activity, comes up with approximately 60 victim organizations. And we read that the government is aware of about 100 organizations. For us being a stage two, we had first-hand account of what they do. The attackers came in through the SolarWinds implant. And the very first thing they did is went for your keys, your tokens. Basically, they stole your identity architecture so they could access your networks the same way your people did. And that's why this attack was hard to find because these attackers, from day one, they had a backdoor. Imagine almost a secret door in your house and the first thing that happens when it comes to that secret door is all your keys are right there. They just grab them, and now they can get into any locks you have in your house the same way your people do. And I think, during a pandemic, where everybody's working from home, it's way harder to detect an attack like this, where the only indicator of compromise was just somebody logging in as one of your employees. And there's nothing else far-fetched about that. Right after they got our valid credentials, our two-factor authentication mechanisms bypassed, they went to our O365 environment. And whether it was O365, or something else, I've had enough experience over my 25 years of responding to breaches to know this group targets specific people, almost like they have collection requirements. So there they targeted emails and documents. So stage two was: get credentials so you could log in; get the keys to the safety deposit boxes; stage the next step. Step two of that was access email, access documents with said keys. And then the third thing was dependent on who you were, and what you did, and what industry you are as a victim. But it's primarily what I put in the other category: steal source code, steal software. 
In the case of FireEye, take some of our red teaming tools that we use to assess people's security programs. Bottom line: exceptionally hard to detect. And when I got my first briefing on this and reviewed the facts on day one, everything about this aligned to a threat actor, who, it is my opinion, was more concerned about operational security than mission accomplished. And that the minute you could detect these folks and stop them breaking through the door, they sort of evaporated like ghosts until their next operation.

So with that, on behalf of FireEye, I'd like to thank all of you for the opportunity to set the stage for the other witnesses. I'm very excited to work with all of you, and to my fellow witnesses and others in the private sector as well as the public sector to advance our Nation in defending ourselves in cyberspace. And I look forward to taking your questions.

[The prepared statement of Mr. Mandia follows:]

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

Chairman Warner. Thank you, Kevin. Sudhakar?

STATEMENT OF SUDHAKAR RAMAKRISHNA, CEO, SOLARWINDS INC.

Mr. Ramakrishna. Chairman Warner, Vice Chairman Rubio, and Members of the Committee, on behalf of SolarWinds' employees, partners, and customers in the U.S. and around the world, I would first like to say thank you for inviting us to this hearing.

By way of background, I'm Sudhakar Ramakrishna, and I joined SolarWinds on January 4th of this year. Prior to SolarWinds, I was with a company called Pulse Secure for over five years, and previously held executive roles at other technology companies. In my roles, I've been involved with cyber incidents and have seen firsthand the challenges they present, as well as the opportunities they create for learnings and improvements.
While our products and customers were the subject of this unfortunate and reckless operation, we take our obligation very seriously, to work tirelessly to understand it better to help our customers, and to be transparent with our learnings with our industry colleagues and the government. SolarWinds started in 1999 in Oklahoma as a provider of network tools and to this date, we have remained true to our mission of helping IT professionals solve their problems and manage their networks, now through more than 90 products. Today, we remain a U.S.-headquartered company, with over 3,000 employees working extremely hard to deliver customer success. When we learned of these attacks, our very first priority, and that remains true today, was the safety and protection of our customers. Our teams worked incredibly hard and tirelessly to provide remediations within about 72 hours of knowing about these attacks. We also acted very quickly to disclose these events to the authorities, while providing remediations and starting our investigations of what do we learn about this, who may have done it, and what exactly happened in the process of insertion into our Orion platform? We believe the Orion platform was specifically targeted in this nation-state operation to create a backdoor into the IT environments of select customers, as my colleague Kevin noted, as well. The threat actor did this by adding malicious code, which we call ``Sunburst,'' to versions released between March and June 2020. In other words, a three-month window was when the code with the malicious Sunburst code was deployed. I will note that this code has been removed and is no longer an ongoing threat to the Orion platform. Additionally, after extensive investigations, we have not found Sunburst in our more than 70 non-Orion products. Perhaps the most significant finding to date in our investigation is what the threat actor used to inject Sunburst into other Orion platforms. 
This injected tool, which we call ``Sunspot,'' was stealthily inserted into the automated build processes of Orion and was designed to work behind the scenes. Sunspot, which we discovered, poses a grave risk of automated supply chain attacks through many software development companies, since the software processes that SolarWinds uses are common across the industry. As part of our commitment to transparency, collaboration, and timely communications, we immediately informed our government partners and published our findings with the intention that other software companies in the industry could potentially use the tool to detect possible current and future supply chain attacks within their software build processes.

We understand the gravity of the situation and are applying our learnings of Sunspot and Sunburst and sharing this work more broadly. Internally, we call these initiatives ``secure by design.'' And it's premised on zero-trust principles and developing a best-in-class secure software development model to ensure our customers can have the utmost confidence in our solutions. We have published these details regarding our efforts in various blog posts. But in summary, they are focused on three primary areas: The first is further securing our internal infrastructure. The second is ensuring and expanding the security of our build environments. And third, ensuring the security and integrity of the products we deliver.

Given our unique experience, we are committed to not only leading the way with respect to secure software development, but to share our learnings with the industry. While numerous experts have commented on the difficulties that these nation-state operations present to any company, we are embracing our responsibility to be an active participant in helping prevent these types of attacks. Everyone at SolarWinds is committed to doing so. And we value the trust and confidence our customers place in us.
Thank you again for your leadership in this very important matter. We appreciate the opportunity to share our experiences and our learnings. And I look forward to your questions.

[The prepared statement of Mr. Ramakrishna follows:]

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

Vice Chairman Rubio. Thank you. And for the Members who haven't yet voted, I guess everybody's voted because everybody's almost gone here. So, Mr. Smith, thank you for being here. We appreciate it.

STATEMENT OF BRAD SMITH, PRESIDENT, MICROSOFT CORPORATION

Mr. Smith. Well thank you, Vice Chairman Rubio, and a huge thank you to Chairman Warner for bringing us all together to discuss what is obviously such an important issue to the country, and indeed to the world. And I also just want to say thank you to Kevin and Sudhakar. It took the leadership, and I'll say even the courage, of companies like FireEye and SolarWinds to step forward and share information. And it is only through this kind of sharing of information that we will get stronger to address this.

I think Kevin and Sudhakar have done an excellent job of describing what happened. So I don't want to retrace the steps that they so ably took. Let me talk about two other things. First, what does this mean? And second, what should we do? Well, roughly 90 days or so since we first heard about this from Kevin's firm, from FireEye, I think we can step back and start to think about what it means.

First, we're dealing with a very sophisticated adversary. And Vice Chairman Rubio, I think your words of wisdom, of caution, about avoiding certain labels are well put. But I do think we can say this: at this stage, we've seen substantial evidence that points to the Russian Foreign Intelligence Agency and we have found no evidence that leads us anywhere else. So we'll wait for the rest of the formal steps to be taken by the government and others. But there's not a lot of suspense at this moment in terms of what we're talking about.
It's very, very clear that this agency is very, very sophisticated. And as Kevin noted, that has been true for a long time. That is not new. But I think two other things are new. The first is the scale of this attack, or hack, or penetration, or whatever we should call it. At Microsoft, as we worked with customers that had been impacted by this, we stepped back and just analyzed all of the engineering steps that we had seen. And we asked ourselves how many engineers did we believe had worked on this collective effort? And the answer we came to was at least 1,000. I should say at least 1,000 very skilled, capable engineers. So we haven't seen this kind of sophistication matched with this kind of scale.

But there's one other factor that I do believe puts this in a different category from what we have seen. And I think even with a thoughtful consideration, it is appropriate to conclude even now: this was an act of recklessness, in my opinion. Why? Well, in part, I think Chairman Warner put it very well. The world relies on the patching and updating of software. We rely on it for everything. We rely on it not only for the safety and health of our computers, we rely on it for our physical infrastructure, for hospitals, and roads, and airports, because they all run on software. To disrupt, to damage, to tamper with that kind of software updating process is, in my opinion, to tamper with what is in effect the digital equivalent of our public health service. It puts the entire world at greater risk. And it was done I think one must acknowledge in a very indiscriminate way: to seek to plant malware and distribute it to 18,000 organizations around the world is in truth an act without clear analogy or precedent. We've seen this done in Ukraine, but we haven't seen it done quite like this. It's a little bit like a burglar who wants to break into a single apartment but manages to turn off the alarm system for every home and every building in the entire city.
Everybody's safety is put at risk. And that is what we're grappling with here. So what do we do? I think we have to start by acknowledging and recognizing we need to do a lot. We all need to do a lot. We need to do a lot ourselves, and we need to do a lot together. Certainly, as Sudhakar was mentioning, we need to focus on the integrity, the protection of software build systems. The International Data Corporation estimates that there will be half a billion--500 million software apps--created in the next three or four years. That's half a billion build systems. And it's not just software companies; it's banks, it's hospitals, it's governments. It's everyone that creates software. There are new steps that we will need to take to better secure and protect against the kind of attack that we saw here.

Second, I think we have a lot of work still to do, certainly across the United States, when it comes to the modernization of our IT infrastructure and to the application of IT best practices. At Microsoft, we can only see this attack among our customers when it got to their use of their cloud services and all of the attacks that took place, took place on premise. Meaning a server that was in a server room or a closet somewhere. And it points to the fact that until we modernize and move more people to the cloud, we're going to be operating with less visibility than we should.

Third, we do need to enhance the sharing of threat intelligence. That's the term in the cybersecurity community for information about attacks that people are seeing. And our basic challenge today is that that information too often exists in silos. It exists in silos in the government, exists in different companies. It doesn't come together.

Fourth, I think because of that need, it is time not only to talk about, but to also find a way to take action to impose in an appropriate manner some kind of notification obligation on entities in the private sector.
And so of course you know, it's not a typical step when somebody comes and says, "place a new law on me, put it on ourselves, put it on our customers," but I think it's the only way we're going to protect the country. And I think it's the only way we're going to protect the world.

And finally, I do believe it is time--it's maybe even overdue time--for us to look at the rules of the road, the norms and laws, that if not every government is prepared to follow, at least the United States and our likeminded allies are prepared to step up and defend. And among other things, to say that this kind of tampering indiscriminately and disproportionately with a software supply chain needs to be off-limits. And there needs to be attribution and there needs to be accountability, as officials in the White House are now considering.

Finally, I'll close by addressing one question that Vice Chairman Rubio, I think you posed. Who knows the entirety of what happened here? One entity knows. It was the attacker. The attacker knows everything they did. And right now the attacker is the only one that knows everything they did. We have pieces. We have pieces at Microsoft, SolarWinds, FireEye, CrowdStrike others, we all have slices. People in the U.S. Government. But we need to bring those slices together. And until we do, we'll be living and working and defending on an uneven playing field. That is not a recipe for success. But let's also acknowledge one other thing: we know more than we did 100 days ago. We are better informed, we are smarter, and we can turn that knowledge into a resolve and action. That's what we need to do. That's what I hope the Congress can do. That's what I think the country and our allies need to do. If we use what we have learned, we can better protect our future. Thank you.

[The prepared statement of Mr. Smith follows:]

Vice Chairman Rubio. Thank you. And finally Mr. Kurtz, I believe, is on virtual?

Mr. Kurtz. Yes.
Vice Chairman Rubio. All right. Excellent.

STATEMENT OF GEORGE KURTZ, CO-FOUNDER AND CEO, CROWDSTRIKE

Mr. Kurtz. Thank you. Good afternoon, Chairman Warner, Ranking Member Rubio, and Members of the Committee, thank you for the opportunity to testify today. During my three-decade career in cybersecurity, I have seen first-hand the evolution of adversary techniques and have been at the forefront of developing the solutions to thwart them. By the time I co-authored the original edition of "Hacking Exposed" in 1999, which later became the No. 1 selling book in security, it was clear that organizations consistently failed to adequately defend themselves. When I co-founded CrowdStrike in 2011, it was based on a conviction that the then-dominant approaches to security were no match for adaptive and well-resourced adversaries. We set out to elevate the industry's focus from stopping malware to preventing breaches regardless of their source. My testimony today is based on my prior and current experiences protecting thousands of organizations across the globe.

I will begin by discussing our high-level findings in the supply chain compromise and what lessons we might take away from it. In mid-December, SolarWinds engaged our professional services team to perform incident response. Although we had not worked with SolarWinds prior to this engagement, nor had they used our software in the past, our teams collaborated effectively to investigate the breach, enhance their security posture, and share actionable intelligence with the entire security community. With their encouragement, we continue to coordinate and share findings with customers, industry partners, and Federal agencies as appropriate. Today, I would like to highlight a few significant capabilities this particular threat actor exhibited.
Notably, the threat actor took advantage of systemic weaknesses in the Windows authentication architecture, allowing it to move laterally within the network as well as between the network and the Cloud by creating false credentials, impersonating legitimate users, and bypassing multi-factor authentication. The threat actor modified code within the development pipeline immediately prior to the software build, the final stage before source code becomes software. The threat actor leveraged unique IP addresses for commanding and controlling infrastructure for each of its victims, complicating investigations into the scope of the campaign, but used common encryption methods and scrubbing techniques to avoid leaving behind unique indicators. The threat actor was selective in activating the backdoors it implanted, purposefully selecting its victims from the wider universe of those who were vulnerable.

With respect to attribution, CrowdStrike refers to this activity cluster behind these events using the name "StellarParticle." We are aware that the U.S. Government has stated this threat actor is likely of Russian origin. While we currently are unable to corroborate that finding, we have no information to suggest it is incorrect. Regardless of attribution, there are a number of takeaways from these events. This campaign, in particular, emphasized the need to improve two important security disciplines: those involving supply chains and those involving security development. StellarParticle is just the latest demonstration of supply chain attacks as a threat factor. This follows a number of previous high-impact campaigns where the origins of attack are at the vendor level. With respect to software development, in addition to ensuring secure coding practices and adequate code review, organizations must protect the development platforms and code repositories at least as well as their enterprise environment.
Next, I would like to extend our considerations beyond this particular campaign, and address six essential cybersecurity concepts and emerging technologies. The first is threat hunting. We know that the adversaries periodically breach even very well-defended enterprises. Properly trained and resourced defenders can find these bad guys and thwart their goals. The second concept is speed. Every second counts to stop threat actors from achieving their objectives. Third is the power of machine learning prevention. The core state-of-the-art cybersecurity solution is the ability to defeat novel threats. Machine learning and artificial intelligence are essential.

Fourth is the need to enhance identity protection and authentication. As organizations further embrace Cloud services and work-from-anywhere models, enterprise boundaries have continued to erode. This trend increases the risk of relying upon traditional authentication methods and further weakens legacy security technologies. One of the most sophisticated aspects of the StellarParticle campaign was how skillfully the threat actor took advantage of architectural limitations in Microsoft's Active Directory Federation service. The Golden SAML attack allowed them to jump from customer on-premise environments and into Cloud and cloud applications, effectively bypassing multi-factor authentication. This specific attack factor was documented in 2017 and operates at Cloud-scale version of similar identity-based attacks I originally wrote about in 1999.

Moving to the fifth concept, let's touch upon principles of zero trust. Instead of authenticating to a network or device once and having ready access to everything that's connected, users must re-authenticate or otherwise establish permission for each new device, or resource they wish to access. This reduces or prevents lateral movement and privilege escalation.
Finally, I will touch upon something known as XDR, which stands for "extended detection and response." Security teams demand contextual awareness and visibility from across their entire environments, including within Cloud and ephemeral workloads. As this Committee will appreciate, XDR generates intelligence from what otherwise may be no more than information overload. Each of these concepts applied equally to all organizations and regardless of size is a must. The last point is critical. Often, adversaries specifically target smaller organizations as a means to a greater end. This is part of the supply chain problem. We are proud that a number of security companies, including CrowdStrike, are committed to offering comprehensive, easy-to-use solutions and managed security services to organizations of all sizes with varied budgets.

We also appreciate the need for improvements to government cybersecurity. Some of the most talented people in the field have worked, or currently work, in government organizations. Unfortunately, in many instances, our government colleagues are hobbled by legacy technologies, programs, complex procurement processes, or compliance obligations that detract from their core security work.

I realized that I've described a set of enormous challenges today. But I would like to close on a positive note. With CrowdStrike's visibility into trillions of security events across thousands of customers globally, I'm encouraged by the silent victories the security community experiences every second of every day. Defenders face an endless, evolving threat. But I remain optimistic that working together, we can prevail. I hope my testimony today has offered some guidance on how we can accomplish that shared goal. CrowdStrike has its sleeves rolled up and is ready to continue to work with this Committee and the greater security community to achieve success. I would like to thank the Committee for inviting me to testify today and for its leadership.
I look forward to answering your questions. Thank you.

[The prepared statement of Mr. Kurtz follows:]

Vice Chairman Rubio. Thank you. Let me just begin, Mr. Kurtz, by saying you've shown tremendous operational security behavior there. That backdrop you have in that video, you could be anywhere in the world.

[Laughter]

There's no way we could tell where you are just looking at that. I'm going to get that backdrop. That's awesome. So let me ask you and Mr. Mandia the same question. So let me just say, you know, everyone is familiar--I think the general public is familiar--with cyber-attacks and hacks. And the general guidance everyone is given is, you know, don't put some simple password like "1234." They're easy to guess. Because we've seen, you know, they can guess it. There's all kinds of things out there that are also to be able to be cracked by them. Then there's the infamous--or the well-known--phishing email. You get an email, you click on it, and they're in your system. These are all hardware-type, sort of brute-force intrusions. For folks at home, who may watch this later or trying to understand what the big deal about all this, this involves the other thing we're told that we need to do all the time, which is constantly upgrade your software. Every time you get a software update, put it in because it's got new security features. So these guys get into that software update and you're basically in. It's almost like bringing them into your system under the guise of protecting you. And that's what we're dealing with here today. And this has been a known vulnerability; something that people knew was a theoretical possibility. My understanding is this is the first time we've ever seen it at this scale or scope. And you'll correct me in your answer if I'm wrong. The question I would have for all of you, but really for Mr. Mandia and Mr. Kurtz, is this a sophisticated technique?
This is not something that someone could do out of the basement of their home. Or is this something that could eventually we could see it become widespread? What level of sophistication do you need to embed yourself in the software upgrade that ultimately winds up in someone's system?

Mr. Mandia. You know, I'll jump on that first. And this was a planned attack. This is not something done in somebody's basement. There is somebody that thought about this. My gut is this attack started somewhere where somebody said, "If we wanted to compromise these entities, where's the supply chain?" They probably had a list of five to ten companies. SolarWinds was one of them. And they figured out who can we get into? How do we do the implant? When they got into SolarWinds, they didn't just rush right to the implant. They wanted to make sure they could inject code first in the build process. That was in October '19. Then four to five months later, they have an implant. In that four to five months, they designed an implant that masqueraded to look like SolarWinds traffic. It was hard to pick up on the network. It had things in it in the malware, and you know malware--a lot of times you hear that word, you just shut down. And what's he going to say next? Well, this is what this malware did. It slept for the first 11 days after it was installed. So that if somebody did detect its beacon going out, they wouldn't be able to associate a beacon from the SolarWinds machine to the update they did randomly 11 days sooner. Another thing it did is it looked for nearly 50 different products and shut them down when it ran. So people are like, why didn't anybody detect this implant? It's because when it executed, it looked to see if CrowdStrike's agent was on the endpoint, if FireEye's agent was on the endpoint, if Windows Defender was on the endpoint, and it shut it off. You don't make a backdoor as a bad guy as a regular user. You make one as the root user, a system-level backdoor.
Senator Rubio, there's no doubt in my mind this was planned. It was an operation. There was a lot of people involved. And the question really is: where's the next one? And when are we going to find it?

Vice Chairman Rubio. Mr. Kurtz, I'm guessing you probably agree with that assessment. So this is all without little doubt a nation-state actor. It would take that level of sophistication, is that right? Do both of you agree with that?

Mr. Mandia. I do.

Mr. Kurtz. Yes.

Vice Chairman Rubio. Who? Who is that nation-state actor? Have you seen indications in it that tell you this is who we believe it is?

Mr. Mandia. George, you want to go first on that one?

Mr. Kurtz. Well, when we look at the adversaries across various nation-state actors, obviously, there's a level of sophistication and tradecraft. And as I pointed out in my testimony, the tradecraft and operational security was superb. One of the things that we typically look for are things like markings within tool chains. And what we saw, in particular with the back door and the build process, was something we call "code washing." And that was actually removing these tool chains to these fingerprints that Kevin indicated that our company and his company keep on file, right? So we know who the bad guys are and how they operate. In this particular case, these tool chains and the infrastructure is very unique. What that means is they took particular care to actually conceal their identity. And at the highest level, we've attributed, as I said in my written and verbal testimony, to a particular cluster of activity. I know the government has talked about Russia as being one of the threat actors. You know, from our perspective, we have nothing further to add to either confirm or deny that; but what I can tell you, it is absolutely a sophisticated nation-state actor. And as Kevin said, this took a lot of work. A lot of planning went into this. And we think about how difficult software is to build.
Each one of my esteemed panelists are in the software business. We know how hard it is to build software, to get software working. And the idea to actually inject something and have it all work without errors, and without anyone actually seeing it is, again, superb tradecraft and something you have to look at and say it's very novel in its approach. So I'll turn it back to Kevin and Brad, they probably have some further thoughts on the attribution piece. But as I mentioned, a sophisticated actor that we continue to track.

Mr. Mandia. And one thing unique to this case is when you do the evidence on 1,000 cases a year and something doesn't fall into a grouping, that's odd. That's peculiar. And then when you go back 17 years of cases and digital fingerprints, and it still doesn't fall into it. You start doing process of elimination. You talk. You know, when we found the IP addresses used to attack FireEye, we did go to partners like Microsoft, we went to the U.S. Government--what I call "ring zero." You go to the intel agencies. Nobody had seen them in use before. I'll just sum up my comments this way. We went through all the forensics. It is not very consistent with cyber espionage from China, North Korea, or Iran. And it is most consistent with cyber espionage and behaviors we've seen out of Russia.

Chairman Warner. Appreciate those answers. I do think we've had the previous Administration acknowledge likely Russian. We've had testimony of the people in front of us. We've had the current Administration acknowledge this source as well. I think the sooner we make even more fulsome attribution, the better because we need to call out our adversary--know we know who did it--and plan an appropriate response. And I agree with Senator Rubio: we don't even have our language down entirely. Sometimes we know we know what espionage is; we know what a denial of service attack would be at the other end of the spectrum. Where this fits is, I think, one ongoing question.
But I think we've oftentimes talked about this as "the SolarWinds hack." But there are other vectors. In my understanding, the Wall Street Journal has reported that as many as 30 percent of the victims were not accessed through SolarWinds but by other means--and maybe this is best for FireEye and CrowdStrike. And obviously, Microsoft would have a view as well. Why aren't we getting more details about the other vectors that the adversary has entered? The other platforms that may have been utilized? Again, I think this is reflective of the point that since we are totally waiting on willing participants, we could still be uninformed because other major enterprises could be victims as well but had not chosen to come forward. So how can we get a better handle on the non-SolarWinds component of this attack?

Mr. Mandia. I can tell you this is--we're doing Stage Two investigations right now for our customers. And the number one other way we're seeing these attackers break in is what's called "password spraying." They're just popping passphrases that they got from some breach over here and they're recognized. If you think about it, all of us probably have Amazon accounts; we have Microsoft accounts; we have Google--whatever we're using. We have an email account and a passphrase that we may use to access a whole bunch of applications. Some of those third-party breaches make our user ID and passphrase aware to the threat actor and then they try it on your corporate networks. So these aren't when I say password spraying, I almost feel like, sir, they know some of these passphrases by the time they show up and knock on your door. So you know, we have 3,300 employees at FireEye, I have to believe that some of them use their FireEye.com email to access dozens, if not more, of the apps on the internet. If any of those vendors get compromised and their passphrase is compromised and they use the same passphrase for Amazon.com as FireEye.com, we may have a problem.
So that's another attack that they use. And here's the reality: this group has zero-day capability, most likely. They're going to--how they get initial foothold to the network will continue to change. But the way you know it's them is when they come back in, they target the same things, the same people, the same emails, similar documents, like they have collection requirements.

Chairman Warner. To my question, Brad and George, if you want to add to this. Again, we've talked about this as a SolarWinds hack, but there are other vectors that they entered. And, but for the fact that you came forward, both SolarWinds and Microsoft came forward, there may be other very large enterprises that have not been as forward leaning that may mean this vulnerability still exists.

Mr. Smith. Yes. I would say, Mr. Chairman, a couple of things. First, absolutely. There are more attack vectors and we may never know exactly what the right number is. I think the first question you're in effect asking is well, why? And I would analogize to this: you know, this is like finding someone in the building and now you have to figure out how they got in. And you know, in our case at Microsoft, we identified 60 customers where we figured out that they had obtained, once they got in, typically, the password to somebody, an IT administrator who could get them into, say, something like Office 365. But in each instance, they got in on premise, so it wasn't in our server or our service. And so we need to work with somebody else to get to the bottom.

Chairman Warner. But doesn't that mean, though, that this is not demonstrating a unique vulnerability that's in Microsoft enterprise?

Mr. Smith. Oh absolutely.

Chairman Warner.--or Microsoft Cloud? But there may be other brand-name players that may have been penetrated that have not been as forthcoming who are leaving policymakers and potentially customers in the dark. Is that true or not true?

Mr. Smith. It is absolutely true.
I think it means two things. One is yes, there's a variety of services. And there are a lot of ways in. I also would just pick up on one of the things that Kevin said, because he used a phrase that is familiar to all of us in the cybersecurity community but probably not to, say, somebody who is watching this hearing from home--this notion of a "password spray." Yes, I think in recent years, we've all sort of learned that people may try to figure out our own individual password. A password spray is when you use a single password, and you apply it to a lot of accounts. For example, if I were to go back to where I grew up near Green Bay, Wisconsin and have 1,000 email addresses from people in Green Bay, and I just applied the password "gopackgo," I'll bet dollars to doughnuts, there's a Green Bay Packers fan who's using that password. In fact, I'll bet there's more than one. And if I find ten of those, 1,000, then I'm in and I can go from there. So it just points to a variety of tactics. From the most sophisticated really, when you're talking about disrupting a supply chain, to the very broad that point to just a lot of factors. We all need to keep learning about how to secure our own email and other accounts.

Chairman Warner. Well, I'm going to move to Senator Cornyn. But it does beg the question that Senator Rubio and I both asked about when a large enterprise like Amazon is invited they ought to be participating. There are other brand name known IT and software and cloud services that may have been vulnerable to this kind of incident as well, and their public and active participation, we're going to make sure that takes place. Senator Cornyn.

Senator Cornyn. Thank you, Mr. Chairman. And thanks to each of you for testifying here today. I share the concern that has been expressed that Amazon Web Services declined to participate. I think that's a big mistake. It denies us a more complete picture that we might otherwise have.
And I hope they will reconsider and cooperate with the Committee going forward. Mr. Ramakrishna, thank you for talking with me yesterday. And since you're headquartered in Austin, Texas, I took particular note of that fact and appreciate that conversation. I think one of the things we discussed is something that Chairman Warner brought up and that is, even though SolarWinds is the focus of what we're discussing here today, this is not unique to SolarWinds. Correct?

Mr. Ramakrishna. Senator Cornyn, thank you for that question. You're absolutely right. I'll elaborate on the question that Senator Warner asked and tie the two comments together here. Supply-chain attacks are happening as we speak today, independent of solo events. There was a report just two days ago about a French company being hacked and it was dubbed as a supply-chain attack. As we discovered what we call Sunspot--the code, the injected tool--and as we evaluated it, it is blindingly obvious that that can be applied to any software development process, which is the reason why we believe that dubbing it simply as a solo-events hack is doing injustice to the broader software community and giving us a false sense of security, possibly, which is the reason why that--even though we are taking corrective steps and learning from this experience--we consider it our obligation to be a very active participant in this endeavor to make us all more safe and secure by promptly outlining our findings and communicating them with both our government authorities as well as the industry.

Senator Cornyn. Our time is limited today and I hope at some point we can talk about the attribution and the putting the Russian intelligence services or whoever is responsible here at risk because right now it seems to me that we are doing a very bad job, generally speaking, of punishing the people who are perpetrating these attacks. But let me just ask you, at different times, I know there's been legislation offered.
Senator Collins and I discussed some that she had introduced previously with Joe Lieberman, our friend the former senator. It seems to me that there should be an obligation of some sort, on the part of a victim of a cyber-attack like this, to share what they know, what they've learned, with the appropriate authorities. And I can only imagine the chills that run up and down some people's backs when I say that. I think about liability concerns, other reputational risks, and the like. But if we're going to get our arms around this at all, it seems to me we need to know a lot more than we know under the current practices in terms of the obligation of the victims to step forward. Before I asked you about that and what that would look like with perhaps with some sort of liability protection associated with it. I will tell you that I'm a Member of the Judiciary Committee, as Senator Feinstein is. And we actually have designated seats on the Intelligence Committee from certain authorizing committees like the Judiciary Committee. And Mr. Smith, from your experience testifying there, usually when we're talking about data breaches, people want to talk about the company that allowed the data breach, how could we sue them? And which is an entirely different perspective than I think we need to have--a more complete approach to this and one that does not treat the victim as the offender, but one that works more cooperatively. So what about some sort of mandatory disclosure obligation that maybe would be coupled with some sort of liability protection? I know in the intelligence field in the past, phone companies that have cooperated with certain collection have gotten liability protection as part of that. Mr. Smith, do you have a view on that?

Mr. Smith. Yes, I do. I think the time has come to go in that direction. I think Senator Collins was either ahead of her time or the rest of us were behind our time.
But either way, I think we can find a way to move forward this year. I could perhaps use the word notification rather than disclosure. We should notify someone. We should notify. I think a part of the U.S. Government that would be responsible for aggregating threat intelligence and making sure that it is put to good use to protect the country, and for that matter people outside the country. I think we need to decide upon whom it should be that that duty should fall on. It should certainly fall on those of us in the tech sector who are in the business of providing enterprise and other services. I think it's not a bad idea to consider some kind of liability protection. It will make people more comfortable with doing this. This is about moving information fast to the right place so it can be put to good use.

Senator Cornyn. Mr. Chairman, can I ask the other witnesses if they have a different view or additional views on that topic?

Mr. Mandia. No, I agree with it. And coming down to another level of specificity to me, notification needs to be confidential or you don't give organizations the capability to prepare for those liabilities. And so we like the idea of you can notify with threat intelligence that's actionable, you get speed from that if it's confidential because you can have threat data today and your arms around the incident three months from now. And it's just too big of a gap to have a disclosure law, and we're getting the intel three months to five months too late. So I like the idea of confidential threat intelligence sharing to whatever agency has the means to push that out to places, then disclosures that were a legal requirement to inform those who are impacted. And you don't know that day one. In FireEye's case, we were sharing intel really fast. And we did not know what we had lost in our breach yet, but we knew there was something different about it. So I just think that's an extra detail. Get the intel out there quickly if it's confidential.
Senator Cornyn. Mr. Chairman, my time is expired so I'll yield back.

Chairman Warner. I think this is a subject that we're going to come back around to and there are models out there. I don't think our traditional reporting mechanisms necessarily work. So the National Transportation Safety Board or others. Senator Wyden's up next.

Senator Wyden. Thank you, Mr. Chairman. The impression that the American people might get from this hearing is that the hackers are such formidable adversaries that there was nothing that the American government or our biggest tech companies could have done to protect themselves. My view is that message leads to privacy-violating laws and billions of more taxpayer funds for cybersecurity. Now, it might be embarrassing, but the first order of business has to be identifying where well-known cybersecurity measures could have mitigated the damage caused by the breach. For example, there are concrete ways for the government to improve its ability to identify hackers without resorting to warrantless monitoring of the domestic internet. So my first question is about properly configured firewalls. Now the initial malware in SolarWinds' Orion software was basically harmless. It was only after that malware called home that the hackers took control and this is consistent with what the Internal Revenue Service told me, which is while the IRS installed Orion, their server was not connected to the internet. And so the malware couldn't communicate with the hackers. So this raises the question of why other agencies didn't take steps to stop the malware from calling home. So my question will be for Mr. Ramakrishna, and I indicated to your folks I was going to ask this. You stated that the backdoor only worked if Orion had access to the Internet, which was not required for Orion to operate.
In your view, shouldn't government agencies using Orion have installed it on servers that were either completely disconnected from the internet or were behind firewalls that blocked access to the outside world?

Mr. Ramakrishna. Thanks for the question, Senator Wyden. It is true that the Orion platform software does not need connectivity to the internet for it to perform its regular duties, which could be network monitoring, system monitoring, application monitoring on-premises of our customers.

Senator Wyden. It just seems to me--what I'm asking about is network security 101 and any responsible organization wouldn't allow software with this level of access to internal systems to connect to the outside world, then you basically said almost the same thing. My question then, for all of you: is the idea that organizations should use firewalls to control what parts of their networks are connected to the outside world is not exactly brand new. NSA recommends that organizations only allow traffic that is required for operational tasks, all other traffic ought to be denied. And NIST, the standards and technology group, recommends that firewall policy should be based on blocking all inbound and outbound traffic, with exceptions made for desired traffic. So I would like to go down the row and ask each one of you for a yes or no answer. Whether you agree that the firewall advice would really offer a measure of protection, from the NSA and NIST? Just yes or no. And if I don't have my glasses on, maybe I can't see all the name tags, but let's just go down the row.

Mr. Mandia. And I'm going to give you the ``it depends.'' The bottom line is this. We do over 600 red teams a year; a firewall has never stopped one of them. You know, a firewall is like having a gate guard outside of New York City apartment building and they can recognize if you live there or not and some attackers are perfectly disguised as someone who lives in the building and walks right by the gate guard.
In theory, it's a sound thing. But it's academic in practice. It is operationally cumbersome.

Senator Wyden. I don't want to use up all my time.

Mr. Mandia. Nope.

Senator Wyden. We'll say that your response to NSA and the National Institute of Standards, ``it depends.'' Let's just go down the row.

Mr. Ramakrishna. So my answer, Senator, is yes to standards such as NIST 800-53 and others that define specific guidelines and rules.

Senator Wyden. Very good.

Mr. Smith. I'm squarely in the ``it depends'' camp.

Senator Wyden. Okay.

Mr. Smith. For the same reasons that Kevin is.

Senator Wyden. Okay, I think we have one other person, don't we?

Mr. Kurtz. Yes. And I would say firewalls help but are insufficient. And, as Kevin said, and I would agree with him, there isn't a breach that we've investigated that the company didn't have a firewall or even legacy antivirus. So when you look at the capabilities of a firewall, they're needed. But certainly they're not the be-all and end-all. And generally, they're a speed bump on the information superhighway for the bad guys.

Senator Wyden. I'm going to close and my colleagues are all waiting. The bottom line for me is that multiple agencies were still breached under your watch by hackers exploiting techniques that experts had warned about for years. So in the days ahead, it's going to be critical that you give this Committee assurances that spending billions of dollars more after there weren't steps to prevent a disaster attack, disastrous attacks, that experts had been warning about was a good investment. So that discussion is something we'll have to continue. Thank you, Mr. Chairman.

Chairman Warner. Is Senator Cotton on the web?

Senator Cotton. Yes, I am here. So thank you, Mr. Chairman. Gentlemen, thank you for your appearance today. I want to start, Mr. Smith, with you. Microsoft has said some of its source code was stolen. Does that present future security risks? And if so, what are you doing to mitigate it at Microsoft?

Mr. Smith. Well, the short story is, our security system does not depend on the secrecy of our source code. I mean, we live in a world where probably there's more source code by tech companies published in open-source form than there is that's not published. And at Microsoft, our source code is accessible to every Microsoft employee. It's not considered to be a particular secret, and our entire threat and security model is based on the premise that there will be times when people will have access to source code. Do we like the fact that this actor saw it? Absolutely not. But we do not believe that it undermines or threatens our ability to keep our customers or ourselves secure. We will, by the way, as we always do, to answer the rest of your question, Senator, we'll ask ourselves, what do we change? It's not apparent to me that I need to have access to our source code. It's not apparent to me that our Senate lobbyists need to have access to our source code. So we may have fewer people that have access to source code in the future, but it's really not at all the heart or center of what we're focused on here.

Senator Cotton. Okay. Mr. Ramakrishna, approximately 30 percent of the victims of the attack were not using SolarWinds software. What do you think that tells us about the nature of the attack and what victims were targeted and how they were targeted?

Mr. Ramakrishna. Senator Cotton, thanks for the question. This is referring to the Wall Street Journal report, I believe. Thirty percent is an approximation. As best as we know, there are many different types of attacks and different types of threat vectors. We are not a security company per se. So we wouldn't have detailed information about those types of threat vectors.
But what I can share is the discoveries that we have made with Sunspot can apply to any supply chain out there, and it's quite possible that there are active supply chain attacks ongoing right now, some of which we may know about, some of which are yet to be discovered.

Senator Cotton. Mr. Mandia or Mr. Kurtz, would you like to respond as well?

Mr. Mandia. George, go ahead.

Mr. Kurtz. Well you know, again, when you look at the supply chain of attacks here, it is very difficult obviously to identify these things. And when we look at the adversary's capabilities, and we look at what was actually done, as we talked about earlier, it's not an easy problem to solve. And you know, from my perspective, it's one that we have to come together, we have to continue to share intelligence and information. And we have to realize that there are many other techniques and actors that are out there. And when you look at the overall landscape you know, 30 percent weren't from SolarWinds. This isn't a surprise. Over the last year, we stopped 75,000 breaches that are in process, and probably a quarter of them were nation-states. So this happens every day from every nation-state actor, every e-crime actor, and their variety of tools and different techniques and tasking orders that are out there. So it's an ongoing effort and I wish there was a silver bullet. There isn't. But I think a big part of this is exposing the techniques and just how prevalent these attacks are to the American people. So that we can do something about it. And we can come together as a group, both in the technology field as well as in government.

Mr. Mandia. And Senator Cotton, this is Kevin Mandia speaking. To me, the attacker did the SolarWinds implant. They've already moved on to whatever's next. We've got to go find it. This attacker, you know, maybe their pencil's down for a few months. But the reality is, they're going to come back.
They're going to be an ever-present offense that we have to play defense against, and how they break in will always evolve. And all we can do is close the window and close the security gap better next time.

Senator Cotton. Okay, then one final question. I think I'll direct this toward Mr. Mandia and Mr. Kurtz again. To what extent do we think this was designed toward what we might call ``collection'' in the intelligence world; simply trying to collect information to learn more about America's intentions, plans, capabilities, or what you might call a ``covert action'' in the intelligence world, say, sabotage of public utilities or military applications or so far, so forth? Or could it be both?

Mr. Mandia. Yes, George, I'll jump first. Just because we got to see what they did first-hand when they broke in us. The reality is this. They were very focused. They had specific individuals that they targeted, they had keyword searches that they did when they broke in. So this was not a group that operated like a tank through a cornfield. They had a plan, they had collection requirements, and to some extent, I would say they were disciplined and focused on those collection requirements. Not efficient with tradition to just grab whatever they could grab.

Mr. Kurtz. And just to add what Kevin says, I think it's important to realize that as technology companies, we all leverage big data. The adversary does as well. And while they're collecting this information, they're also storing it, they're indexing it, and they have the ability to go back to it. So if a new order comes in--a new, specific order to target a company, target a government organization--they can look for that access, they can look at what's already been collected, they could leverage that. The second piece of this is in the early days it was network exploration. Then it turned into data exfiltration. And then it turned into data destruction and an impact, right?
So certainly, when you have this level of access, you can collect data. If you start impacting systems, it's a pretty good way to get caught. So could it be turned into that? Absolutely. But in general, what we've seen is collection, and that simply goes into the big machine, the big apparatus to be used again for further missions.

Chairman Warner. Senator Bennet.

Senator Bennet. Thank you. Thank you all for being here today. Thank you, Mr. Chairman, for holding this hearing. I wanted to get some clarification along the same lines as Senator Cotton, actually. Mr. Mandia, maybe I'll start with you just for people at home who don't understand how, you know, what they've read is this is a SolarWinds----

Mr. Mandia. Right.

Senator Bennet [continuing]. investigation. That's what they imagine what we're dealing with here. That's clearly not the case, based on what we saw in the Wall Street Journal report with only 30 percent of the folks who somehow got pulled into this who had no SolarWinds----

Mr. Mandia. Right.

Senator Bennet [continuing]. connection. Help us understand what that means in terms of the ongoing nature of this. You know, when you say they put their pencils down, have they really put their pencils down? Or are they out there working their pencils and we just can't see it because we don't know? You started out at the beginning saying maybe they went through a list of, like, five to ten vendors and said these are the likely ways in and we'll pick this one. But clearly they picked other ways in as well. So I'm just trying to get a sense of the full scope of how.

Mr. Mandia. Yes. And you know when I said pencils down, I mean they were so successful on this breach they probably got a few days off because they collected so much information.

Senator Bennet. Right. So they're waving the flag.

Mr. Mandia. Basically, right now, there's such vigilance in the security community they're not going to spoiler their latest technique right now. We're all looking for it.
So they're pencils down for the next great implant.

Senator Bennet. Right.

Mr. Mandia. I would be if I were them. Every intrusion starts with initial access. How an attacker gets that varies. When we say the ``SolarWinds implant,'' that was the initial access for a campaign this group did from March of last year until about December of last year when we started detecting it. But this group's been around for a decade or more. Different people go in and out of that group probably. We're probably responding to the kids of the people I responded to in the 90's when this group was active. So the bottom line, how they gain a foothold in a victim network, SolarWinds was a way. They will always have other ways. This is a group that hacks for a living. And then when they break in, what they do after they break in really doesn't change that much. They target specific people, primarily folks, at least in our case, that did work with the government. They target government projects. They target things that are responsive to key words. We respond to a lot of threat groups that when they break in, you can tell they broke in to make money or they broke in and there's a manual review where somebody's literally going through every file alphabetically on a desktop. These folks have economy of movement. If they broke into your machine, Sir, they string search it, they find responsive documents, they get out of Dodge. They have an economy that shows they're professional. And that doesn't change. So if they broke in yesterday via SolarWinds and we patched that and fixed it like we have, tomorrow they're going to have something else. And they're going to try to come back through whatever doorway they can find.

Senator Bennet. And tomorrow they might be looking for something else, too.

Mr. Mandia. The good news is usually they aren't. But you're exactly right. The collection requirements could change. We've identified this group because they'd break into a company.
And then we'd get them out. And if they got back in, they're after the same sort of things and that's one of the indicators; it's still them. So their tools and tactics can change but a lot of what they target does not.

Senator Bennet. And I'm happy for anybody to jump in if you'd like to. But with the rest of my time--there was some discussion earlier--sorry, we were in and out going to votes and things--about reasons they might not want to actually destroy data or destroy systems because they might get detected if they do that. Whereas if they stay in there and they don't mess around with stuff--. But if they wanted to really do mayhem in our systems, what would that look like? What does our worst nightmare look like? Mr. Smith?

Mr. Smith. Well I'd offer a few quick thoughts. First building on your answering your prior question and then answering this one. I would just add that in addition to targets in the United States we have identified targets in Mexico, Canada, the U.K., Belgium, Spain, Israel, and the UAE. So it was broader and international in scope. Second, 82 percent of the 60 target victims that we identified were outside government. So I think there's an aspect to your question well: who else were they targeting and why? And I would say that there are at least two other reasons that we would surmise, two motives if you will. Sometimes if you're going after a government agency that has very good security practices in place, you might look for a third party that might have an individual who was given password and network access to, say, the government's network. And you might hope that that third party organization--maybe it was a computer service provider, maybe it was an accounting or consulting firm, maybe it was a think tank that was working on a contract--you would hope that maybe they had lesser security in place and that's why you would start there. It's a vehicle to get somewhere else.
And then I do think at times they target tech companies in part to understand how technology works. But frankly it's perhaps in the category of counter-intelligence. Every day we are looking--you heard the reference to threat hunting--we are looking for evidence of this organization engaged in attacks. I think they want to know what we know about them and what their methods are. But then I do think your other question is so important, because at the end of the day, what do you do once you're inside? Do you just collect information? Or do you wreak havoc? Well, this agency typically collects information. But we know exactly what havoc looks like. All you have to do is look at a day in June in 2017 when another part of the Russian government used exactly the same technique. A supply-chain disruption with a Ukrainian accounting software program. That, too, was an update. It turned off, damaged, 10 percent of that country's computers. ATMs stopped working. Grocery stores stopped the capacity to take credit cards. Television news stations went off the air. That is what havoc looks like and that is what we need to be prepared to defend against as well.

Chairman Warner. We're going to move to Senator Heinrich. What Mr. Smith just referenced was what we refer to as NotPetya----

Mr. Smith. NotPetya.

Chairman Warner [continuing]. but was that the potential existed at--even this attack. Senator Heinrich.

Senator Heinrich. Thank you, Chairman. So if I have this right, a nation-state actor that is in all likelihood the Russians, used U.S. software and then command and control servers in U.S. data centers to conduct this attack. And I think the fact that this attack was launched from within the U.S. is potentially a really important part of this story. Advanced persistent threat actors know that the NSA is prohibited from surveilling domestic computer networks. So it makes sense for them to circumvent U.S. surveillance whenever possible.
For any of you: do you believe that the adversary launched the attack from U.S. servers in a deliberate effort to avoid surveillance?

Mr. Smith. I think it was sort of an I.Q. test. We can't know exactly what they thought but it looks like they passed the I.Q. test. They figured out that it would be more effective and less likely to be detected if it was launched from a U.S. data center.

Senator Heinrich. Anyone else want to add to that or in agreement?

Mr. Ramakrishna. No, I think I would agree.

Mr. Mandia. I agree with those statements.

Mr. Kurtz. Yeah.

Senator Heinrich. For Mr. Smith, while the focus continues to be on how the private sector shares information with the government, we also want to ensure that the government is doing enough to share information with the private sector. Mr. Smith, you expressed concerns in a blog following the SolarWinds attack about the Federal Government's insistence on restricting through its contracts our ability to let even one part of the Federal Government know that the other part has been attacked. Can you elaborate a little bit about this comment? And in what ways could the Cybersecurity Information Sharing Act of 2015 be improved to ensure that that is possible?

Mr. Smith. Yeah, it was, I have to admit, one of the things I found surprising and a bit frustrating for us. Because the first thing we do when we identify a customer who's been attacked is we let them know. We notify each and every customer. It was immediately apparent to us that it was important not just to let an individual department or agency of the U.S. Government know but to make sure that there was some central part of the government that would have this information about the government as a whole. And what we found was that our contracts prohibited us from telling any other part of the U.S. Government. So we would basically go to each agency and say can you please tell so and so in this other place? And the good news is, people did. They acted quickly.
But it does not strike me as the type of practice that makes a lot of sense for the future. So there is an opportunity for reform.

Senator Heinrich. Probably not the most efficient way to make sure information travels quickly.

Mr. Smith. It doesn't seem like it's consistent with the year 2021 and technology.

Senator Heinrich. Mr. Mandia. In your statement for the record you said that victims of crime are the first to know when they've been violated. But in a case like this, only a few government agencies and a handful of security or other private companies are in a position to be the first to know. I agree that doesn't seem right. You suggested that a small group of cyber first responders could prevent or mitigate the impact of cyber incidents through sharing information quickly and confidentially. That's a very intriguing idea. Can you describe how you think that would work?

Mr. Mandia. You bet. There's got to be a way for folks who are responding to breaches to share data quickly to protect the Nation, protect industries. And that would require (A) defining what is a first responder. And I think it's pretty simple. If you're trying to figure out what happened to unauthorized or unlawful access to a network, you're a first responder. And if you do that for other companies beside yourself, you're a first responder. And first responders should have an obligation to share threat intelligence to some government agencies so that, without worrying about liabilities and disclosures, we're getting intel into people's hands to figure out what to do about it. Right now the unfortunate reality is, a lot of times when you share threat intel, it's just a public disclosure. And it makes people weary to do so and we slow down the process. So that's what I mean by that. I could articulate more. But first responders know who they are. And I think it's easy to define. We have many laws that define certain categories like Internet provider. We need to know.
If you're a first responder, you're obligated to get threat intel into the bucket so we can protect the Nation.

Senator Heinrich. No, I think that's very helpful. When you detected this activity were you obligated to tell the U.S. Government? Why or why not? And was that obligation legal or moral?

Mr. Mandia. We notified the government customers we had before we went public with the breach. And we found out later based on contractual reviews who we had to notify or not. But the reality is the minute we had a breach, I was talking to what I call ring zero. The intelligence community, law enforcement--you don't want to get email when you don't know if your email's secure. So the reality is, I would say on the record, I think we told every government customer we had that we had a problem, period, before we even went public.

Senator Heinrich. Thank you.

Chairman Warner. Senator Heinrich, both the points that this was launched from domestic servers and the lack of information sharing were really important points. And now one of our new Members joining us remotely, Senator Casey. Your first intelligence questions.

Senator Casey. Mr. Chairman, thanks very much. And thanks for the welcome to the Committee. And I appreciate the testimony of our witnesses. I wanted to start with the role of the Federal Government here. And maybe we'll just go down the panel starting with Mr. Mandia to give us an assessment of the Federal Government's response to date. And then I'll move to a second question regarding what we do going forward. So Mr. Mandia, why don't we start with you?

Mr. Mandia. Without a doubt, the number one thing the Federal Government can do that the private sector cannot do is impose risk and repercussions to the adversaries. Period. So we've got to have some kind of public doctrine to Mr. Smith's idea of rules of the road. We've got to communicate where there's a red line.
I know we think it's a tough thing to define, and we admire the problem, but we've got to come up with what's tolerable, not tolerable, communicate it so we don't see a gradual escalation. But to impose risk and repercussions is the purview of the government. And the second biggest thing is the attribution. The government's in the best place to get attribution the most right. So those two things without--, and by the way, there is no risk of repercussions if you don't know who did it. So those are the two things that I'd firmly place into--the government is best suited to do that. And I'll leave it to some of the other witnesses on the government's role and how to safeguard the private sector and work with the private sector, because I know we have a lot of great ideas.

Mr. Ramakrishna. Senator, I'll keep it quick. And the suggestion I would make is to leverage some of the recommendations in the Solarium Commission report and have a single entity in the government, that public sector entity where all private sector entities can go and communicate with and communicate to and have the responsibility of that agency to then disseminate it to every relevant party. To date, we feel like we have to communicate with multiple agencies and sometimes that doesn't help us from a speed and agility perspective.

Mr. Smith. Let me if I could point to two successes that I think are worth building on. First, I think it's really notable that the NSA in December published a circular that described in technical detail the nature of the attack, how people could identify whether they were victimized by it, and how they could protect themselves from it. And I think that it was extremely well done from a technical and cyber-security perspective and it was published to the world. And I think that the NSA and the U.S. Government did the world a great service. And that's the kind of thing that we should aspire to have our government do in the future.
Second, last week I thought Anne Neuberger at the White House in a press conference took a similarly critical step. She shared to all of us information that frankly none of us had; namely, that the government had identified roughly 100 private companies and nine Federal agencies that had been impacted by this incident. And that tells me that there is now at work real efforts to consolidate this information across the different parts of the government. So that's encouraging. She's also indicated that her work is far from done. They're focused on next steps that need to be taken in a variety of ways. But I do think this is a very important moment. The government can speak authoritatively about the nature of attacks and how to protect ourselves, and the government can speak authoritatively about the scope that has happened.

Mr. Kurtz. I would also just like to jump on this. I would also say that CISA's done a lot of work here--a lot of great work. Has put out some, I think, interesting information, indicators, some scripts that helped the public. And while we're talking about the government and we're talking about corporations, there's a whole host of smaller entities that are out there that have no real way to protect themselves. So I think, to Kevin's point, as a first responder--which we are, which he is and others--it's important that we have a single source that we can go to. We're doing incident response not only for big companies and governments but for many small companies. We need to be able to share this information as quickly as we can without impacting the customer themselves.

Senator Casey. Mr. Kurtz, I'll end with you, just with one follow-up. When you go through what I think were six proposals or recommendations, what do you think is the most urgent, at least as it relates to the Federal Government?

Mr. Kurtz. Well I think there's probably a couple things. But certainly threat hunting is one of the biggest areas.
And as we've talked about before, it's a sophisticated actor. With enough time and effort, they're going to go get into somewhere. And we always make the distinction between an incident and a breach. There isn't a major company or a government on this planet that hasn't had an incident, and they will continue to have incidents. But you want to be able to identify those very quickly so they don't turn into breaches. And these are like sentries that are looking for the bad guys. They're looking for these indicators, they're looking for these back doors. And it's a tall task. I pointed out things like machine learning and artificial intelligence. All of my fellow witnesses are working on these sort of techniques as well as us. And that's a big part of a go-forward strategy. Figure out what's there, use the technology to our advantage.

Senator Casey. Thanks, Mr. Chairman.

Chairman Warner. Thank you, Bob. Senator Burr.

Senator Burr. Thanks very much. Let me thank all of our panelists today for your willingness to be here and, more importantly, for your knowledge in this. I've got to reflect for just a minute and I'm going to do it even though Senator Wyden left, because I strongly disagree with what he implied. He implied that because NSA and this--said that proper hygiene is a firewall that should be something that should be mandated and everybody should use it and that would solve our problem. And the three of you that deal specifically in searching out intrusions said no, no, no. No. It's helpful, but it doesn't solve it. And to suggest that in the day of COVID that you've got a choice between washing your hands, hand sanitizer, and masks, but if you choose just to wash your hand and not do the other two, you're never going to get COVID. It's ludicrous. And I want the record to show that what the response from those who track these was listen, this is sophisticated. They're way past this. So yeah, that's a good thing for companies to adhere to.
But don't think that that's going to solve it with the adversaries we're up against right now. I want to turn to George just real quick, and I want to go on Senator Heinrich's question. In the SolarWinds attack, Amazon Web Services hosted most of the secondary command and control nodes. And all of AWS's infrastructure was inside the United States. Now I feel like having a cyber-attack deja vu here, whether it's Russian hack of DNC in 2016, the North Korea and Sony hack, or current supply chain hacks, we constantly see foreign actors exploiting domestic infrastructure for the command and control to hide the nefarious traffic in legitimate traffic. Here's the problem. Given the legal restrictions on the intelligence community, we don't have the ability to surveil the domestic infrastructure. So what should the U.S. Government role be in identifying these types of attacks?

Mr. Kurtz. Well I think it's working with providers like AWS, working with folks like Microsoft, working with others, CrowdStrike and FireEye and others. Because when you look at this particular attack, why did they use U.S. infrastructure? Because they just wanted to blend in. Right? And I can tell you there's a ton of attacks that we look at that use foreign infrastructure, that use bulletproof hosting, which is you know the ability to anonymize and pay for hosting and infrastructure. And we know who they are and we tend to look for those bad actors. Right? So if you can use infrastructure that looks legitimate no matter whose infrastructure it is, you're going to blend in and make it harder. And this particular attack was insidious just the way it communicated and the protocols it used. It looked like legitimate traffic going to infrastructure that you know is normal. But that's why it's important, when you think about these attacks, to have visibility. I talked about threat hunting, to have visibility on the end points, because that's at the tip of the spear.
And these network access devices are just speed bumps, as I talked about earlier. What's actually happening is on the end point. What's actually happening is beaconing out. And you have to have visibility. And you have to collaboratively work with the private sector and the public sector together. And I think that's the only way we're going to solve it.

Senator Burr. Kevin, I want to turn to you and I want to ask for a little more specific statement. You alluded to the fact that this is not going to stop without a government dictate that says: here's what we're going to do. Let me just ask it this way. Will it stop if they pay no price for what they do?

Mr. Mandia. No. I think if you don't impose risks or repercussions we're all--you know I've used this analogy for so long, you'll get how long I've used it. We're all playing goalie and we're taking slap shots from Wayne Gretzky. I mean, the puck's going to get in the net sooner or later. And that's what's happening in cyber space right now. Folks are taking slap shots and literally there is no risk or repercussion to the folks doing it. So we're all fighting a losing battle over time.

Senator Burr. So Sudhakar, as it relates to SolarWinds, can you build software today without the risk of what happened?

Mr. Ramakrishna. Thanks for the question, Senator. We've done extensive analysis with our partners at CrowdStrike and KPMG of our entire build environment and entire infrastructure. And we've seen no evidence of the threat actor in our environment or in our build systems and our products. We've also learned from this experience and applied them to what I've been describing as ``secure by design.'' One of the key tenets of that is to evolve software development life cycles to secure development life cycles. And related to that, we've come up with a methodology where source code doesn't get built in traditional ways and we use parallel build systems with different people accessing them, with different access types.
And we correlate the output of them across those three to significantly reduce the potential for a threat actor to consistently compromise every one of our build systems at the same time. That is the level of effort our teams are going through to build safe and secure solutions. Which I hope will be a model for others.

Senator Burr. Are these practices that you're sharing with others in the industry?

Mr. Ramakrishna. We are completely committed to doing it, and we are doing it as we do it.

Senator Burr. Thank you, Mr. Chairman.

Chairman Warner. I would simply want a quick comment that I agree with my friend, Senator Burr's comment that a firewall alone cannot keep out a sophisticated actor. But it doesn't mean the corollary--and I had conversations with the CEO of SolarWinds on this--that just because it's a sophisticated actor then that means that you shouldn't do good cyber hygiene.

Mr. Ramakrishna. Absolutely.

Chairman Warner. It is not an either/or.

Senator Burr. No, I agree with you totally. I think what we're hearing--and maybe we're just not saying it right--is that even with the best cyber hygiene, even with the best protocols in place because of how good and persistent and how much money a nation-state has like Russia, we're susceptible.

Mr. Ramakrishna. Yes.

Senator Burr. You know the puck is going to get in the goal, as Kevin said, and if we've missed anything and you've got something that assures us the puck won't get in the goal, then here or privately share what it is so that we can begin to pursue and flesh out that type of policy.

Chairman Warner. But the problem is we may not know the puck was even in the goal. But if you've got good cyber hygiene, chances are you will discover the puck at some point. We'll continue that hockey analogy. Now as we move to our next new Committee Member, Senator Gillibrand. Welcome to the Committee and your first Intelligence Committee questions.

Senator Gillibrand. Thank you, Mr. Chairman.
I want to follow up on knowing whether you've had the puck go into the goal. One of you said that the hack that shut down CrowdStrike and other defense software--and it affected them before they could start working. So why do these programs--why was there no alarm, and how were they shut down? And related, why were there no alarms in the SolarWinds and anti-virus software logs which should have shown the unusual behavior, access, or other traces of unauthorized access?

Mr. Kurtz. Yeah, so this is George. Maybe I can take that. There were probably multiple, dozen software technologies that were targeted to actually be shut down. In our particular case, you can think about the camera. You know if someone came up to a camera and smashed the camera you'd actually see what they did. And our particular software has a level of monitoring where if someone tries to tamper with it we would actually be able to see that. And in fact, you'd actually have to reboot the system. As Kevin mentioned, pretty persistent where it waited and kind of did things you know over a number of days.

Senator Gillibrand. But there was nothing? There was no alarm? Even after the 11 days?

Mr. Kurtz. Well once you have admin access on a particular system, if you're shutting it down you know you can pretty much do anything you want on it. And that's just a function of how the operating system works. And what we focus on, and I talked about this in my written testimony, is no silent failure. And we've designed our system that even if there is a failure somewhere along which we call the kill chain, this attack sequence, we're still going to detect something down the road. And I think this is really important when I talked about threat hunting. You may not catch the initial stage of the attack, but you're looking to catch it along the way, and you're looking to do that with speed. If someone's going to rob a bank there's only so many ways to rob a bank.
You've got to get there; you got to get the money; you have to get out. Right? What car they drive, what weapon they use, how they do it doesn't really matter. So as long as you can identify the chain of activity, which is really important, you can stop these breaches. And that's why we stopped over 75,000 breaches just last year. So it's obviously a challenging problem but that's why when we look at this, it's really about risk mitigation; using multiple technologies and having visibility across your network.

Senator Gillibrand. Alright. Mr. Smith, I think you said on ``60 Minutes'' that there were more than 1,000 developers working on writing this malicious code. Why do you know that or how do you know that? And with a group that big, if it is based in Russia, how come we didn't detect it or see it before?

Mr. Smith. Well there was a lot more than a single piece of malicious code that was written. And so one of the things we analyze: what was done from an engineering perspective on each of these second stage attacks that Kevin was talking about before. And in essence what we saw was a very elaborate and patient and persistent set of work. They entered. Then, as they were in through that back door, they in effect opened a window. They then swept up behind themselves. They closed the back door. They used that window. They identified accounts. They were able for the most part to really rely on stealing passwords and accessing credentials, especially where credentials were not well secured, meaning they weren't stored on a hardware dongle or they weren't stored in the cloud. But they were able to get people's passwords. They were then very persistent in using that at what we call elevated network privilege to work across a network.
And we just were able to look at our estimate of how much work went into each of these individual attacks, how many attacks there appear to be in total, and we asked our engineering teams: these threat hunters that you were hearing about before--what do you think is on the other side of this? And that was their estimate. And we have asked around with others: does this estimate seem off base? And no one has suggested it is.

Senator Gillibrand. Let me ask Mr. Ramakrishna a final question. So the Wall Street Journal reported that there was as many as a third of the victims were accessed by means other than SolarWinds. However, those access vectors, including TTPs and infrastructure, have not been made public. Why is that and do you expect to release the full details of the other access vectors? And what other ways did the cyber actors use to gain access to victims?

Mr. Ramakrishna. Senator that's a very good question. We, as a manufacturer or producer of IT management tools, do not have the security capabilities to be able to investigate other threat vectors. And that's where the colleagues at this witness table with me will be able to help us and the broader industry identify those threat vectors. On our part, what we have committed to doing and continue to do is sharing everything that we are finding. And the significant discovery that I mentioned about Sunspot is one key element of eliminating threat vectors. As we learn some new vectors ourselves at SolarWinds, we are committed to sharing those. But I think the broader security industry will take the mantle on that.

Senator Gillibrand. Thank you, Mr. Chairman.

Chairman Warner. Thank you. Senator Collins.

Senator Collins. Thank you, Mr. Chairman. Mr. Chairman, let me echo the concerns that Senator Cornyn and you have raised about Amazon not being present. I think they have an obligation to cooperate with this inquiry and I hope they will voluntarily do so. If they don't, I think we should look at next steps.
I also want to thank both of you for mentioning legislation that Senator Joe Lieberman and I authored and brought to the Senate floor back in 2012, which was defeated largely due to the lobbying efforts of a large business group. And the irony is that this grit business group, at the time that they were lobbying against mandatory reporting, was itself being hacked, which I found out about from the FBI later. I take no pleasure in that. I think that shows how widespread this problem is. I want to follow up on two issues. One is the issue of reporting. Mr. Mandia, we know from the White House report and from our own briefings that the hackers did gain access to at least nine Federal agency networks. Yet the U.S. Government learned of this cyber-attack through FireEye. So, in your judgment is it reasonable for us to assume that our government probably would still be in the dark about the Russians or whoever the hackers were--likely the Russians--being on our systems if it were not for your voluntary disclosure?

Mr. Mandia. I think over time I believe we would have uncovered this. I think there's a lot of activity that out of context nobody could put their finger on the larger problem. The minute we found the implant and the minute we disclosed what had happened, it connected a lot of dots for a lot of folks. All I can tell you is when I spoke to the government about this basically as it was unfolding for us nobody was surprised as to what I was telling them. So I think we could sense there was behavior on certain networks that wasn't right. But we couldn't find the cause until we put it all together.

Senator Collins. But none of those agencies had taken actions until you contacted them. Is that accurate?

Mr. Mandia. I don't know what actions they may or may not have taken.

Senator Collins.
The second issue that I want to talk about is our critical infrastructure: 85 percent of the critical infrastructure in this country is owned by the private sector, and that's one reason that I think mandatory reporting is so critical. We have only to look at what happened in Texas from natural causes to imagine the damage that could be done by a cyberattack. Now it's my understanding that our government has assessed that this operation was focused on stealing information rather than taking down networks. But how difficult--and I would like to ask the entire panel this--how difficult would it have been for the hackers to disrupt these networks if they wanted to? Why don't we start with you, Mr. Mandia, and just go down the panel.

Mr. Mandia. Two comments, Ma'am, very quickly on that. Disruption would have been easier than what they did. They had focused, disciplined data theft. It's easier to just delete everything in a blunt force trauma and see what happens, which other actors have done. But what I've observed this group do--and I think this is an important detail--a lot of times when you break into a network you get what's called the domain admin account. And just use that to grab everything. It's the keys to everything. It's the master key in the hotel. What this group actually did is they wanted to break into room 404. They got a room key that only worked for room 404. Then they got the room key for 407. They actually did more work than what it would have taken to go destructive. But obviously, they had the access required and the capability required should they have wanted to be destructive to have done so.

Senator Collins. Thank you. Mr. Ramakrishna.

Mr. Ramakrishna. Senator Collins, I would agree with that based on my studies and research of other similar breaches in other countries, such as in Ukraine.

Senator Collins. Thank you. Mr. Smith.

Mr. Smith. I would agree as well. And I'd just highlight a couple of aspects that I think are important.
First, especially when we're talking about publicly owned critical infrastructure in this country, a lot of it is too old. It needs to be modernized. And I'll just point to one example was some of our work with a state agency responsible for public health. When our consultants went in to work with them they found that the manual for the software was more than 20 years old, meaning the software itself was more than 20 years old. So and that's why you see these ransomware attacks which need to connect with this. They so often target municipalities, we've seen Baltimore, we've seen New Orleans. They target hospitals. So that is in critical need of improvement. I do think the other thing that is really worth thinking about more broadly for the whole Committee is I don't think we can secure the country without investing in more cybersecurity people for the country. There's really a critical shortage nationwide of cyber security professionals and I think we can put our community and technical colleges to work in part to get more people into public agencies, into small businesses and others. We are doing a lot to try to publish information. At Microsoft we have published 31 blogs since we learned about SolarWinds you know from FireEye. But there's just not enough people in many places to read them and act on them.

Senator Collins. Thank you. I know my time has expired. Maybe Mr. Kurtz could respond for the record.

Chairman Warner. Okay. And I don't.

Mr. Kurtz. Sure, thank you.

Chairman Warner. I'd just simply mention as well, Senator Collins, you appropriately pointed out the failure to report on the private sector side. There's no obligation on the public sector side.

Senator Collins. Right. Well part of the problem is that there should be this exchange.

Chairman Warner. Yep.

Senator Collins. Of information that's not occurring now on either side.

Chairman Warner. Absolutely. Senator Blunt.

Senator Blunt. Thank you, Chairman. Mr. Mandia, did you feel when you found this problem in your system did you think there was a legal obligation to report it to anybody?

Mr. Mandia. Yeah, we had third party counsel involved. We did not have a legal requirement at least based on the legal advice that I got to disclose at the time that we did. So we did so based on we're a security company, we work to a higher order. Yeah, it's all built on trust. And you got to report.

Senator Blunt. And Mr. Ramakrishna, what did you think there was a legal obligation to report this when you found out about it to the government or anybody else?

Mr. Ramakrishna. Senator, I was not with the company when this particular incident happened.

Senator Blunt. Got it.

Mr. Ramakrishna. So I will take it on record and come back to you with exactly what happened at that point in time.

Senator Blunt. And Mr. Smith, from your testimony I think it was point four in the things we should do though there was some element of it in point three. It's your view that there should be a requirement now that these kinds of things be reported. Is that right?

Mr. Smith. Yes. And I think we should build on the conversation we had here. But you know, we too concluded we had no legal obligation to report. But I think we had a duty nonetheless first of all to each customer, second of all to the U.S. Government and third of all to the public which is why we published those 31 blogs.

Senator Blunt. So do you think we should create a legal obligation for you to report if you're aware of a problem like this?

Mr. Smith. I do. I think we need to be thoughtful, tailor it, make it confidential. But we will not secure this country without that kind of sharing of information.

Senator Blunt. So on that topic and we'll just stay with you and then work our way back down. On that topic, you know these companies.
All four of the people represented here have great expertise and great resources which I'm sure you've used a lot of to figure out how they got there, if you figured that out, how long they've been there. How would we expect a normal person that does business with your companies to be able to do that on their own? And maybe, Mr. Smith, that goes to your view we need more cyber expertise. But how would we expect a regular company, unlike these companies at the table today, to have any sense whether anybody was in their system or not?

Mr. Smith. Well the first thing I would say is I think it's a decision for you to make as to whom you want this obligation to apply. You know certainly it should apply to tech companies. Should it apply to every customer of a tech company? I think that is a separate question. Second, of course people cannot report something they're not aware of. Our customers who use our cloud services know when we are able to detect that they are being breached in the cloud or they're being attacked because we tell them. And so we let them know. Now ironically one of the episodes we've learned from this time was in some instances we called people on the phone and we said we're from Microsoft and we want you to know you're being attacked and they're like yeah, right and they hung up. They didn't believe that this big company was calling this small business. But that is our job, our responsibility I think--to help our customers. And we can provide information to the government, or in certain instances others could as well. Are you going to ask every small business to do that? It's probably not necessary for this purpose.

Senator Blunt. Yeah. I think if we move forward on that discussion some helpful thoughts from all of you about when that obligation to report. If you've called a customer and said you've been hacked, is there an obligation you should have then to report? We could work on that. Mr. Mandia, how long do you think this had been in your system whenever you found it? And I know it was the two telephone verification seeing that extra verifier in there that was the tip off.

Mr. Mandia. Right.

Senator Blunt. How long do you think it had been there?

Mr. Mandia. Well a couple ways to answer that. Bottom line it was a couple months from initial access but the attacker wasn't alive every single day. I think, in other words, they were on our system for maybe three hours in one day, a week would go by, couple hours on another day. We weren't a full-time job for the intruders that broke into us. Because they had broken into 60 plus other organizations if not 100. So we did get their attention and there's several days of activities before we detected them. But over time it was several months.

Senator Blunt. And of course you'd contend that very few companies would be better prepared than yours to find out.

Mr. Mandia. Right.

Senator Blunt. If somebody's in your system because that's what you do.

Mr. Mandia. Right.

Senator Blunt. Mr. Kurtz, you mentioned on the bank robbery example I think it was something like you get there, you get in, you get the money, you get out. It seems to me that in this intrusion they weren't all that interested in getting out. What do you think that means? That they would get there and just hang around, as Mr. Mandia said, and do something and a week later might look and do something else? What kind of hacker is that? What are they positioning themselves to do? Clearly not to shut down your system at that moment. But why do you think they were persistent in this, what I think, is a relatively different way than we might have anticipated?

Mr. Kurtz. Well this is indicative of a nation-state actor and it's in their interest to maintain persistence. If they were collecting data, they want to continue to collect information over a period of time. If the campaign as was pointed out this is the way it works, right?
You've got different mission objectives and campaigns. If the campaign is over, they certainly would want to remove their tool so they weren't found by companies like CrowdStrike and FireEye and Microsoft and others. So it's in their best interest to maintain the persistence because you never know what they're going to need. And one of the things that I really want to point out and how this works in practice is that when you get into a system when an adversary gets in they don't necessarily know what they're going to find. And then they find some interesting tools, they find some emails that may lead them to another company they can compromise. And it's a massive spider web of interrelated entities and information that they have to collect. And when you draw that out, if you can imagine a crime scene where you kind of put everything on the bulletin board and you start connecting the dots between the actors, that's what it's like for the victims. And from one company to the next company to the next company to a government agency, they can all be connected together with some of these campaigns. And there's no reason for them to get out unless that campaign is over. And certainly unless they want to remove that malware and their tools which typical which we've seen in this particular case cause they didn't want anyone else to find them.

Chairman Warner. Senator King.

Senator Blunt. Thank you. Thank you, Mr. Chairman.

Senator King. Thank you, Mr. Chairman. Excellent, excellent hearing. A lot of important points. A couple just I want to emphasize. Mr. Mandia, I'll give you another analogy to use as well as Wayne Gretzky, and that is if all we ever did was lock our windows and robbers never had to worry about going to jail, there'd be a lot more robbers. I think deterrence is one of the most important parts of a national strategy and frankly it's one that really hasn't been very well developed in this country. And as you pointed out I think it has to be declared.
It has to be public. The adversary has to know what the capabilities are and that costs will be imposed. That leads me to a second point that I think Brad Smith mentioned but we didn't really develop. And that is the importance of internationalizing this problem and that is working with our allies because we're not the only ones. I think you mentioned there was an attack on a French company by this same group. And to the extent that we have the international community and the establishment of some kind of international norms, red lines, guardrails, whatever you want to call them then things like sanctions are much more effective. I want the hackers to not be able to go to Monte Carlo as well as Miami. So deterrence is key. And the international piece of it is also important. And then the final thing that I think has come out today very clearly is the importance of some kind of joint collaborative environment where there can be an easy and quick and efficient flow of information. Liability protection may be necessary. Anonymizing the data may be necessary. But some kind of mandatory breach notification is also part of this package. All of these bills, all of these ideas by the way are part of the work that we're going to be doing on the Solarium this year and I look forward to working with the Members of this Committee on things like the collaborative environment, breach notification, the international aspect of it. Let me ask a specific question. Mr. Mandia, do we need a central Federal attribution office? It strikes me that attribution the FBI has a piece of it, the NSA has a piece of it, maybe the CIA, and whomever somewhere else. Attribution is key. You can't do deterrence, you can't respond unless you have attribution. Should there be a central attribution department, if you will, that could act quickly and do attribution more efficiently than is the case today?

Mr. Mandia. Well I can say this, sir.
I don't know if it needs to be a single committee or single agency. But attribution is critical and all that you know any time I get to advise a head of state it's very simple. If you don't know who did it, you can't do anything about it. So I would argue it's one of the most critical issues we have to solve as a Nation is we got to know who did every breach. I think that those data points will automatically come from multiple agencies with multiple missions and areas of responsibility. And then bring it to domestic challenges like the SolarWinds breach and all the liabilities hitting companies. It is helpful and maybe it's CISA, maybe it's the FBI, but it is helpful that most organizations recognize that we are expected to defend ourselves from the drive-by shootings on the information highway. But we shouldn't have to defend ourselves from the SVR. I mean that doesn't seem like a benchmark that this Nation should set for every small to medium sized company out there that you need to defend yourself from a foreign intelligence service trying to hack you. So I would say this. Categorical attribution for these companies that do disclose is very helpful for those companies. So in other words, if there was public attribution that said SolarWinds was compromised by a nation-state, good enough. Because it takes the wind out of the sails of all the plaintiff lawsuits that we all get when we get compromised and we tell the world about it. Thank you.

Senator King. Thank you. And it seems to me that moving on, we clearly ought to do attribution better. The other piece that's come out today is, and Senator Burr mentioned this, is gaps in our authority. The NSA and the CIA cannot spy on Americans. They cannot watch what's going on in American networks. That sort of leaves the FBI which is really a law enforcement agency as the intelligence agency for domestic cyberattacks.
It seems to me that we need to think of how these authorities fit together and what the gaps are to be sure that we have the tools to protect ourselves. Not that we want to spy on Americans, but we also want to be able to protect Americans. Mr. Mandia, your thoughts on that?

Mr. Mandia. I do believe there's got to be a way for the U.S. Government when we need to mobilize to understand how we can do it domestically. And the example I've always used, sir, is very simple. If the intelligence community recognizes there's going to be an attack on Wilkes-Barre hospital this Friday by the best hacking group on the planet, we'd just start moving the patients out of the hospital. And that seems like we can do better than that as a Nation. We ought to be able to impose the risk profiles that we need to and project our capability domestically when we need to. And right now, I don't see the ability to do that.

Chairman Warner. Senator Feinstein.

Senator King. Appreciate it.

Chairman Warner. Dianne.

Senator Feinstein. Oh, excuse me. Thank you very much, Mr. Chairman. I'm looking at this worldwide threat assessment of the United States intelligence community. It was done by Dan Coats, a former colleague of ours when he was Director of National Intelligence. And it's deeply concerning to me because it points out really the seriousness of this thing and the impact of it, the length of time eight months that it went on. Nine Federal departments, over 100 companies, and we don't know what, at least I don't, what the Russians took. And it seems to me to have this kind of situation out there and I've been on this Committee for a long time. And just have a hearing and not do anything about it. And know that we know now that there is this kind of vulnerability available. So let me begin with you, Mr. Mandia. You're a Californian. What do you advise this Senate to do about this?

Mr. Mandia. Yeah there's several recommendations.
I still believe it is critical we find a way to have a centralized agency that we can report threat intelligence to confidentially and that if you're designated as a first responder in cyber space, whether private or public sector, you report to that agency. That means we get the intelligence into the hands of people that can take actionable steps way faster than disclosure of incidents which just takes too long. To Brad Smith's point and you have those six bullet points. I think it's actually five bullet points. And they're all right. It's what we should do. I'm specifically talking about the threat intelligence sharing. Let's up it a notch. Let's say you have to if you're a first responder.

Senator Feinstein. How would you do that? When you say up it a notch, what specifically would you do?

Mr. Mandia. --Have legislation that defines who a first responder is. That if you respond to unlawful, unacceptable, or unauthorized access to networks as a business and you see certain things that threat intelligence and we know what it is in the community that needs to be shared with a specific agency. Confidentially shared so that you don't have to know who the victims are because the victims have liabilities that make them delay. They'll do months of investigation before they would disclose everything. But we want to get the intel faster and into the hands of the right people more quickly. I do believe it needs to be a central agency inside the government. You can't go to three or four, you've got to pick one. And that if we're responding, we got to let you know here's what's going on.

Senator Feinstein. And this would be private sector as well as government sector?

Mr. Mandia. Yes.

Senator Feinstein. So it would be a comprehensive bill that essentially would set a kind of operational protocol that has to be followed.

Mr. Mandia. It's similar to operating agreements for all the folks who accept credit card use. The Visa operating agreements.
You literally have 24 hours to start sharing information regardless once you know. And it's not based on all the things that you may have lost. You've got to get the intel into the hands of the folks that can start safeguarding the Nation far faster than what we're doing today.

Senator Feinstein. Could I ask the other two witnesses to reflect on what Mr. Mandia has said?

Mr. Ramakrishna. Senator, I agree with that single agency to report to and the public private partnership. Clearly that is one of our recommendations as well and that will be consistent with the goal of having speed and agility in responding to these types of events. As you noted, some of these have gone for too long and we've lost time in detecting the perpetrators and taking corrective steps.

Senator Feinstein. Mr.--

Mr. Ramakrishna. Additionally, I would recommend in the context of public and private partnerships standards, such as NIST, and procedures, such as CMMC, can be improved with better collaboration, better transparency between private and public to evolve those from what are today compliance based methodologies to focusing on excellence. That is where I think Brad's idea of having a larger pool of STEM based focused education as well as specific cyber security education will come in handy.

Senator Feinstein. Thank you.

Mr. Ramakrishna. And then the last thing I would say in the context of coming out and identifying breaches and encouraging people even to come out and identifying the breaches there was a concept of liability protection that was discussed. There is significant brand reputation that people are worried about as well. And in the context of this broader work, I'd recommend that we address those as well which are not strictly liability but broader than that.

Senator Feinstein. Thank you. Mr. Smith.

Mr. Smith. Yeah, I would endorse everything that you just heard.
I would add in the areas of rules of the road I think there are three areas that are just clearly ripe for this Committee and others to say are off limits. The patching and updating of software should be off limits, certainly when an and a this disproportionate.

Senator Feinstein. Well wait, the patching and off date--

Mr. Smith. And updating.

Senator Feinstein. Updating of software.

Mr. Smith. Yeah. Yeah that was.

Senator Feinstein. Should be off limits to whom?

Mr. Smith. For these types of nation-state attacks. That would be the first thing. The second would be cyberattacks on hospitals and healthcare providers. Vaccine distributors. I mean there's been a groundswell of both concern about what we've seen in the last year and attacks on that sector. And the third is attacks on our electoral infrastructure. On voting, on the tabulation of votes, on voter registration rolls. And I think there's a ready vehicle that's ripe because 75 governments, but not our own, have already signed the Paris Call for Trust and Security in Cyberspace. More than 1,000 private organizations, including my own, have signed that. And I hope this White House and this State Department will act on that. The consensus is there if U.S. leadership can help push it across the finish line.

Senator Feinstein. Mr. Mandia, would you just reflect for a moment?

Chairman Warner. Can we.

Senator Feinstein. Oh, just one question.

Chairman Warner. Yeah. We've gone through the five minutes so we're.

Senator Feinstein. Okay. Thank you.

Chairman Warner. Senator Sasse.

Senator Sasse. Thank you, Chairman. And thank you to all four of you for being here. This has been a very constructive hearing. I would just associate myself with the many comments of folks expressing frustration that Amazon isn't here. I think they should be and I think we should pursue whatever is necessary. Hopefully they'll do that voluntarily.
I'd also like to underscore a few things that were said along the way by Angus King about some of the deterrence objectives of the Cyber Solarium Commission. He and Mike Gallagher, House Member from Wisconsin, have invested tons of time. I was a commissioner but those two guys co-chaired it. There's a whole bunch of work to be done about breach notification that they've been thinking on in addition to some of the work that Susan Collins has done. Mr. Mandia, I know you answered it multiple times through the course of the last three hours but your summary five minutes ago about the need for a central single repository at the Federal Government for these breach notifications I think was very succinct and compelling, so thank you for that. Mr. Smith, when I came back from voting a little while ago I think I heard you say, I was just walking into the room, that you thought there were a thousand highly trained engineers involved in planning this attack. Did I hear you right?

Mr. Smith. That is our best estimate, yes.

Senator Sasse. And could you kind of give us a level set of other attacks or espionage efforts in the past? Like, say the CCP's OPM hack. Do we have any theory of how many people would have been involved in that, trained folks?

Mr. Smith. Well, I don't. But you certainly didn't need an engineering group of similar magnitude to steal data. You really need to then think about how to use that data which is probably some combination of engineering and artificial intelligence. And you know, I do think as we scan the horizon around the world, we are seeing variation in tactics. You know we are seeing in one part of the world more of this I'll call it engineering intensive effort to you know penetrate individual organizations with great patience and persistence. And then extract data on an ongoing basis as you would if you are a foreign intelligence agency.
You know in another part of the world you're probably seeing you know more collection of very large data sets. And in all probability the way one would make use of those data sets is to aggregate them and use artificial intelligence machine learning you know to start to knit them together and then say use them for disinformation. And so you know as we look at the world, we have espionage threats. We have disinformation threats. And then ultimately we always have the threat we were talking about before of actually damaging a society or a country as we saw in Ukraine.

Senator Sasse. Right. Very helpful. Are there any equivalent breaches that you can think of that would have had this scale of human capital involved in planning them?

Mr. Smith. I can't think of a similar operation that we have seen that would have similar human scale, no.

Senator Sasse. So this is arguably the largest planned cyberattack ever?

Mr. Smith. I haven't seen anything larger. I think we were having a good conversation before about what label precisely to attach to this. But it was a very it's the largest and most sophisticated operation of this sort that we've seen.

Senator Sasse. So going back to some of Martin Heinrich's questioning and then Chairman Senator Burr's follow-up on the same thought. It'd be useful for those of us who are not technologists to hear the three of you kind of talk about the difference between the design flaws, not that anybody is particularly responsible inside the U.S. Government for having failed to detect this, because it's a new kind of attack. But design versus execution flaws given Martin's points about the NSA being prohibited from surveilling domestic systems. Who should in our current structure have found this earlier? Again I'm not looking for you to blame cast, I'm looking at us as the Congress to recognize that we have an IC that is not structurally prepared to respond to something like this.
When your greatest capabilities are at the NSA and they're prohibited from surveilling the systems where they would detect it, the FBI is chiefly responsible for law enforcement investigations after the fact. Structurally, we're not prepared to defend against this, are we?

Mr. Mandia. I guess I'll jump in on that one. There's no question you have to have private and public partnership in it. Period. When you look at critical infrastructure and who's running it. I want to be clear though, why people didn't detect this, the Achilles heel, is because the front door was locked. So the attackers had to break into SolarWinds, implant something, we still don't know how they broke into SolarWinds that I'm aware of. And this is probably the last avenue in cyber security. Now we know you've got to worry about supply chain risk and you're going to see the elevation in security there. So the reason everybody didn't detect this right away is over the last 30 years in cyber security you used to be able to drive through the front door. And we kind of closed that and then it became spear phishing and tailored attacks against individuals. And we got really good at that. And now they went to the supply chain. And it was inevitable. We knew they'd get there. Apparently it takes something like this for us to really decide to up the game.

Senator Sasse. But if we think about how many questions you've had to answer today about reporting requirements, you also had a sense, Mr. Smith, you said something about the reporting prohibition on you going from one government agency to the next. How long was that delay in our structure? If you had been able to notify everybody once you knew once your four companies knew what you knew how much faster would it have been than it was in the situation where you actually had prohibitions on information sharing intra-USG?

Mr. Smith.
Well I think in this instance when we spoke to officials in one agency typically within a day I think they spoke to officials in another. So they understood and they were fast moving. I do think that one of the challenges in this space is the nature of all threat intelligence, whether it's cyber-based or physically based, is that it's always about connecting dots. So the more dots you have, the more likely you are to see a pattern and reach a conclusion. And so I think one of the challenges here is that the dots are so spread out, they're in a variety of different private companies and they always will be. And then they're spread out across different parts of the public sector as well. So this notion of aggregating them is key. The one thing that we haven't talked about though that I would add to this is there should be some level of information sharing in an appropriate way back to those of us in the private sector that really are first responders. You know I look at the Microsoft threat intelligence center and we are able to aggregate all of this data across our services. And you heard from CrowdStrike or FireEye and they do similar things. But we too are operating with imperfect information when we don't have access to this knowledge. So that's another key question I think that really merits consideration.

Senator Sasse. I'm over time but thank you to all four of you and I'll follow-up with some of you for more as well. Thanks Chairman.

Chairman Warner. Well I'm I want to thank all the witnesses but I also want to make sure people have hung in if Senator Blunt, Senator Burr, Senator Rubio I've got one more question but I want to see if Senator Blunt do you have anything else?

Senator Blunt. No, sir.

Chairman Warner. And do you have Richard? Marco?

Vice Chairman Rubio. I mean I think one of the things about this is you know corporations and government we do we trust a number of software vendors now to run programs remotely in the cloud.
They even allow them access to our networks to provide updates to help perform better, for safety and so forth. So this really is not just a national security thing, it really goes at the heart of how we conduct business across multiple sectors. By the way, I would venture to guess that most companies, mid-sized companies and above, have no idea how many different pieces of software they don't know what their own inventory is of what they're running. And so it would be now's probably a good time to have someone in charge of knowing that in case something like this comes up. I have three quick questions. On SolarWinds, I'm not sure I've heard yet, do we know what the initial entry point into the network was?

Mr. Ramakrishna. Senator, our investigation on how which is initial entry point is still active at this point. We have had a number of hypotheses over the last couple of months working with our investigation partners. We've been able to narrow them down now to about three, which I hope will help us conclude to one. But just the nature of the investigation is we are still sifting through terabytes of data to figure out if we can pinpoint that particular one.

Vice Chairman Rubio. So is TeamCity produced by JetBrains any indication they could be one potentially?

Mr. Ramakrishna. Senator, TeamCity is a tool used in the build processes by us and many other companies out there. We, to date, have no evidence that it was the backdoor used to get into SolarWinds. Although we haven't eliminated that possibility, we haven't proven it.

Vice Chairman Rubio. And for on Microsoft, as far back as 2017 that the forged identity credentialing you were aware of that vulnerability as far back as when were you aware of that and what was done from the point you knew moving forward on the to address that?

Mr. Smith. Well the forged identity refers to an industry standard, SAML, a markup language.
It's an industry standard that is supported by a wide variety of products including our own. Actually as we investigated this incident, we found that it was relevant in only 15 percent of the cases and in those 15 percent, in every instance you know this tool was used to in effect add access capability only after the actor was in the network, had obtained access with what we call elevated privileges, and was able to move around and then use this. But to answer your question this particular standard, the SAML standard, was created in 2007. So long before 2017 we and many other companies in the industry have been working to move people towards a more modern authentication standard. And there has been one that has been around since 2012. More broadly, independent of what security standard you use for this kind of authentication the thing that we have been advising our customers and the practice that we have been following ourselves is really to do the following. One, move your authentication service into the cloud. Number two, secure all of your devices. We have a service called Intune that does that. Number three, you know, make sure you're using multi-factor authentication. Number four, have what's called least privileged access meaning don't give individuals access to the entire network or to be able to do things that they don't need to do. And number five, use a contemporary or a modern anti-virus or anti-malware service like Windows Defender. And the reality is any organization that did all five of those things, if it was breached it in all likelihood suffered almost no damage.

Vice Chairman Rubio. Because it would have been contained or whatever in the individual compartment they entered. Okay.

Mr. Smith. Absolutely. Yeah. And these are five practices that the world knows about and this goes back I think to this point that we do need more cyber security professionals to work with more organizations. And obviously it's incumbent on us.
We every day we're working to make it easier for our customers to deploy all of this stuff.

Vice Chairman Rubio. Yeah, and I think that just touches on the notion that even if you can't prevent the attack or the intrusion you can mitigate its impact if you can do some of these things that you've discussed. Mr. Mandia, this is my last question. We talked about notification. Not disclosure but notification. And this seems to me that and you may have some thoughts on this what is the threshold for that? Is it a major breach? Is it breach? Is it breaches that have indications of nation-state involvement?

Mr. Mandia. It's hard.

Vice Chairman Rubio. Because I think every day someone's getting pinged by somebody. So what's

Mr. Mandia. I agree and you don't want to spread fear, uncertainty, and doubt by folks who can't do a proper investigation or lack the expertise or quite frankly they don't know what really happened but they disclose so fast that they do create an unnecessary fear. That is the hardest part because every disclosure is going to have some discretion built into it. And that's why when I'm talking about notification I'm trying to there's public disclosure and legal disclosure. I'm trying to separate that, and Brad Smith did in his testimony very well, to threat intelligence sharing. And I'm more talking about threat intel, get it out there fast, get it out there confidentially so you have the time to figure out the threshold for disclosure. But that's a lot of work because I think it depends on the industry you're in whether you should disclose. I think there's contract law that'll apply. You should disclose to your customers at least that are impacted. But I still feel disclosure is always going to be based on the impact of a breach which requires investigation.

Chairman Warner. Well let me thank all of the panel and George who's online. We actually had well Senator Risch didn't want to ask a question.
We had full participation from the Committee and that is a sometimes rare occurrence. I take away four issues that I'd like for the record since it's been a long afternoon. The fact that Smith said this was potentially one of the most serious breaches he's seen. We know that it got into Mr. Ramakrishna's 18,000 customers and while they chose to only exploit 100 plus the fact that this could have been used not for exploitation and exfiltration of information but could have been turned they were inside as I think Mr. Mandia so eloquently put it could have been exponentially worse and I think we need to recognize the seriousness of that.

Number two and I think Senator Rubio was raising this as well that while it was a top tier nation-state with their A team and it may be hard for any individual company or public enterprise to totally block that out, we can't default to security fatalism. We've got to at least raise the cost for our adversaries. And whether the items that Mr. Smith just enumerated in terms of better protections even if they get in we can find them and raise their costs if we think through this.

Mr. Smith commented on this but I would like the rest of you for the record to comment on this, this idea around norms and international norms. I use the analogy that in warfare you don't bomb the ambulance. Well should we try to get to a point that you don't bomb the patch? Or that you don't hit the hospital literally? Or the electoral systems? How do we move toward that system of norms?

And finally I think there is a real growing sense and I hear this from industry as well that we need some level of at least information sharing around on a mandatory basis. Again, I want to compliment Kevin's company and Kevin personally for coming forward because but for that effort we might still be, this might still be ongoing. And how we think about that what that reporting to or whom it rep we report to mechanism, I think it's going to require some new creation.
And while I am very open to some level of liability protection, I'm not interested in a liability protection that excuses the kind of sloppy behavior for example that took place in Equifax where they didn't even do the basic cyber hygiene. That if you report that you should not be free of your responsibility if you have been a sloppy player. So I think there are models. There's FinCEN in the financial sector, there's the National Transportation Safety Board which may be an even better example. I think Mr. Mandia pointed out within the credit card arena there is this information sharing. Some I know have been thinking about the idea that the cloud service providers, the large enterprises, the first responders a la CrowdStrike and FireEye maybe being co-located at some location with parts of the government. Because this notion of getting the information out real time, that's not going to happen with all due respect to the great talents that are at the FBI that's not going to happen when it goes to the FBI and they're just not in the business of information sharing. It frankly is probably not going to happen even though CISA's skills continue to be upgraded. We're going to need to think about a different model and I challenge all of you to come forward with that. I think there's a great deal of appetite bipartisan appetite. I think we realize how serious we were and we potentially dodged a much more serious bullet. And really appreciate all of your participation and it's been constantly mentioned those companies who chose not to participate so far we're going to give them another chance and hopefully they will recognize they have that kind of public service obligation that is reflected by the testimony today. With that the hearing is adjourned. Thank you.

[Whereupon at 12:07 p.m. the hearing was adjourned.]

Supplemental Material

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]