SolarWinds CEO Sudhakar Ramakrishna took a conciliatory tone toward US senators on Tuesday as he acknowledged his company’s role in unwittingly facilitating a devastating security breach of at least nine federal agencies and dozens of private businesses in a suspected Russian spying campaign.
Calling the security breach an “unfortunate and reckless operation,” Ramakrishna said SolarWinds takes seriously its obligation to better understand the attack and to prevent it from happening again. He also said more recent software updates by SolarWinds have addressed the flaw.
“We are embracing our responsibility to be an active participant in helping to prevent these types of attacks,” he said. “Everyone at SolarWinds is committed to doing so, and we value the trust and confidence our customers place in us.”
Investigators are still trying to piece together what information the hackers may have accessed, and how deeply they may have penetrated federal systems. But US officials have seen enough to conclude that attackers likely linked to Russia were engaged in a highly targeted intelligence-gathering operation that is virtually unprecedented in its scope and sophistication. The Justice Department has disclosed that up to 3% of its Microsoft email accounts were accessed in the breach.
In his testimony before the Senate Intelligence Committee Tuesday, Microsoft President Brad Smith went further, specifically naming Russia’s foreign intelligence service as the culprit.
“At this stage, we’ve seen substantial evidence that points to the Russian foreign intelligence agency and we have found no evidence that leads us anywhere else,” he told lawmakers. “We’ll wait for the rest of the formal steps to be taken by the government and others, but there’s not a lot of suspense at this moment in terms of what we’re talking about.”
The Biden administration is preparing sanctions and other retaliatory measures aimed at Russia over the hacking campaign, a US official familiar with the plans told CNN. Discussions about the response are still ongoing, but it could come within a matter of weeks, the official added, noting that the package will likely include sanctions and a cyber component. In outlining its response, the official said, the United States will argue that the breach goes beyond an isolated case of espionage, and the response is being considered within the broader context of Russia’s malign activities that have prompted condemnation from the Biden administration.
Gathering answers about the incident may now be the country’s best hope for preventing another such attack, especially as law enforcement agencies begin to probe other aspects of the spying campaign. US officials have repeatedly warned that SolarWinds was not the hackers’ only avenue for accessing victim networks; other vulnerabilities and attack methods unrelated to the company’s software are also known to have been used, though how widely is unclear.
Ramakrishna later added that the type of supply-chain attack that compromised SolarWinds is possible in “any software development process, which is the reason why we believe dubbing it solely as the ‘SolarWinds hack’ is doing injustice to the broader software community and giving us a false sense of security, possibly.”
FireEye CEO Kevin Mandia is also testifying Tuesday before the committee.
On Friday, SolarWinds, Microsoft and FireEye are expected to testify again — this time in a joint hearing before the House committees on Oversight and Homeland Security.
The scheduling of congressional hearings reflects the alarm that many lawmakers have expressed since learning of the hacking campaign. Some, such as Sens. Mark Warner and Marco Rubio, have written in recent weeks to the Biden administration urging a more coordinated response. Others, including members of the Cyberspace Solarium Commission, a congressionally led expert panel on cybersecurity, wrote to the White House with urgent policy recommendations in the wake of the hack, calling for the Biden administration to appoint a national cyber director as outlined in the most recent defense authorization law.
Amid the mounting pressure, the Biden administration this month announced Anne Neuberger, a veteran US cybersecurity official, as the White House lead on cybersecurity. Last week, Neuberger told reporters she has been in constant contact with officials on Capitol Hill, and US national security adviser Jake Sullivan has told CNN’s Christiane Amanpour that the US will hold accountable those responsible in “short order.”
But other aspects of the administration’s response only now appear to be getting underway. CISA — the Department of Homeland Security’s cyber and infrastructure security agency — is still headed by an acting executive director, Brandon Wales, following a decision by then-President Donald Trump to fire the agency’s chief, Christopher Krebs, after Krebs’ insistence that the 2020 elections were conducted securely.
On Monday, CISA announced three new appointees, including a deputy director and executive assistant directors for cybersecurity and for infrastructure, respectively.
As CISA restores its ranks, lawmakers could ask Tuesday’s witnesses to describe their interactions with government investigators, in a bid to assess the nation’s cyber-readiness.
Speaking Monday at an event held by the Center for Strategic and International Studies, SolarWinds’ Ramakrishna said his dialogues with the US government have been “broadly constructive” but that officials are constrained in terms of what information they can share with the private sector. And the number of agencies involved can make responding to cyber threats more challenging.
“Having a simpler structure of communication and information with a single entity would be hugely beneficial, in my opinion,” he said.
As for SolarWinds, the company has begun making changes to its approach to software development, in a bid to prevent another compromise.
One step the company is taking, Ramakrishna said, is creating “parallel build systems” where the same software updates are constructed by different teams. That redundancy could help uncover future attempts by hackers to compromise the software development process.
“What that’ll do is, having different environments, different people accessing them and different techniques to build our software, and then cross-correlating the output of those three, will essentially reduce the opportunity for a threat actor to do damage to our build systems,” Ramakrishna said. “That’s going to be an involved process, but we believe that is what is required … to be more safe and secure going forward.”
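A minimal sketch of the cross-correlation step described above, as an added example that is not SolarWinds' code. It assumes three independent environments produce bit-for-bit reproducible artifacts; the environment names, artifact names and byte contents are constructed for illustration.

```python
import hashlib
from collections import defaultdict

MISSING = "<missing>"  # marker for an artifact an environment did not produce


def digest_manifest(artifacts: dict[str, bytes]) -> dict[str, str]:
    """Map each artifact name to the SHA-256 digest of its bytes."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in artifacts.items()}


def cross_correlate(manifests: dict[str, dict[str, str]]) -> dict[str, dict]:
    """Compare per-artifact digests across build environments.

    Returns only the artifacts on which the environments disagree, with the
    majority digest (None if there is no strict majority) and the outliers.
    """
    findings = {}
    names = set().union(*(m.keys() for m in manifests.values()))
    for name in sorted(names):
        by_digest = defaultdict(list)
        for env, manifest in manifests.items():
            by_digest[manifest.get(name, MISSING)].append(env)
        if len(by_digest) == 1:
            continue  # every environment produced the same bytes
        top_digest, top_envs = max(by_digest.items(), key=lambda kv: len(kv[1]))
        has_majority = len(top_envs) > len(manifests) / 2
        findings[name] = {
            "majority_digest": top_digest if has_majority else None,
            "outliers": sorted(
                env
                for digest, envs in by_digest.items()
                for env in envs
                if not has_majority or digest != top_digest
            ),
        }
    return findings


# Constructed sample: build-b's output differs from the other two environments.
CLEAN = {"core.bin": b"core v1", "agent.bin": b"agent v1"}
SAMPLE = {
    "build-a": digest_manifest(CLEAN),
    "build-b": digest_manifest({**CLEAN, "core.bin": b"core v1 + extra code",
                                "extra.bin": b"unexpected file"}),
    "build-c": digest_manifest(CLEAN),
}

if __name__ == "__main__":
    for artifact, finding in cross_correlate(SAMPLE).items():
        print(artifact, finding)
```

An artifact with no strict majority is reported with every environment as an outlier, since the comparison alone cannot say which build to trust.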