US lawmakers on Tuesday are set to grill the CEO of the IT software company that unwittingly facilitated a devastating security breach of at least nine federal agencies and dozens of private businesses in a suspected Russian spying campaign.
The testimony by SolarWinds CEO Sudhakar Ramakrishna will be the company’s first public accounting to Congress of what went wrong when it unknowingly distributed software updates containing malicious code to thousands of customers, including the Departments of Commerce, Defense and State, among others.
He will likely be pressured to explain what steps the company is taking to ensure it is never compromised that way again.
Investigators are still trying to piece together what information the hackers may have accessed, and how deeply they may have penetrated federal systems. But US officials have seen enough to conclude that attackers likely linked to Russia were engaged in a highly targeted intelligence-gathering operation that is virtually unprecedented in its scope and sophistication. The Justice Department has disclosed that up to 3% of its Microsoft email accounts were accessed in the breach.
Gathering answers about the incident may now be the country’s best hope for preventing another such attack, especially as law enforcement agencies begin to probe other aspects of the spying campaign. US officials have repeatedly warned that SolarWinds was not the hackers’ only avenue for accessing victim networks; other vulnerabilities and attack methods unrelated to the company’s software are also known to have been used, though how widely is unclear.
Much of the investigative work thus far has been performed by private companies with forensic expertise. Senior figures from three of the leading firms on the hunt, Microsoft and the cybersecurity firms CrowdStrike and FireEye, will also be testifying Tuesday alongside the SolarWinds CEO before the Senate Intelligence Committee.
On Friday, SolarWinds, Microsoft and FireEye are expected to testify again — this time in a joint hearing before the House committees on Oversight and Homeland Security.
The scheduling of congressional hearings reflects the alarm that many lawmakers have expressed since learning of the hacking campaign. Some, such as Sens. Mark Warner and Marco Rubio, have written in recent weeks to the Biden administration urging a more coordinated response. Others, including members of the Cyberspace Solarium Commission, a congressionally led expert panel on cybersecurity, wrote to the White House with urgent policy recommendations in the wake of the hack, calling for the Biden administration to appoint a national cyber director as outlined in the most recent defense authorization law.
Amid the mounting pressure, the Biden administration this month announced Anne Neuberger, a veteran US cybersecurity official, as the White House lead on cybersecurity. Last week, Neuberger told reporters she has been in constant contact with officials on Capitol Hill, and US national security adviser Jake Sullivan has told CNN’s Christiane Amanpour that the US will hold accountable those responsible in “short order.”
But other aspects of the administration’s response only now appear to be getting underway. CISA — the Department of Homeland Security’s cyber and infrastructure security agency — is still headed by an acting executive director, Brandon Wales, following a decision by then-President Donald Trump to fire the agency’s chief, Christopher Krebs, after Krebs’ insistence that the 2020 elections were conducted securely.
On Monday, CISA announced three new appointees, including a deputy director and an executive assistant director for cybersecurity and for infrastructure, respectively.
As CISA restores its ranks, lawmakers could ask Tuesday’s witnesses to describe their interactions with government investigators, in a bid to assess the nation’s cyber-readiness.
Speaking Monday at an event held by the Center for Strategic and International Studies, SolarWinds’ Ramakrishna said his dialogues with the US government have been “broadly constructive” but that officials are constrained in terms of what information they can share with the private sector. And the number of agencies involved can make responding to cyber threats more challenging.
“Having a simpler structure of communication and information with a single entity would be hugely beneficial, in my opinion,” he said.
As for SolarWinds, the company has begun making changes to its approach to software development, in a bid to prevent another compromise.
One step the company is taking, Ramakrishna said, is creating “parallel build systems” where the same software updates are constructed by different teams. That redundancy could help uncover future attempts by hackers to compromise the software development process.
“What that’ll do is, having different environments, different people accessing them and different techniques to build our software, and then cross-correlating the output of those three, will essentially reduce the opportunity for a threat actor to do damage to our build systems,” Ramakrishna said. “That’s going to be an involved process, but we believe that is what is required … to be more safe and secure going forward.”
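One way the cross-correlation of parallel build outputs described above could work, shown as an added example that is not SolarWinds' code or process. It assumes the three environments produce bit-for-bit reproducible artifacts; the environment names, file names and file contents are constructed for illustration.

```python
import hashlib
from collections import Counter

def manifest(artifacts):
    """Map each output file name to the SHA-256 digest of its bytes."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in artifacts.items()}

def cross_correlate(builds):
    """Compare per-file digests across independently produced builds.

    builds: {environment name: {file name: digest}}
    Returns {file name: finding} for every file on which the builds disagree.
    """
    findings = {}
    all_files = set().union(*(m.keys() for m in builds.values()))
    for name in sorted(all_files):
        # None marks a file that an environment did not produce at all.
        digests = {env: m.get(name) for env, m in builds.items()}
        counts = Counter(digests.values())
        if len(counts) == 1:
            continue  # every environment produced identical bytes
        top, votes = counts.most_common(1)[0]
        if votes > len(builds) / 2:
            # A strict majority agrees; the rest are the environments to investigate.
            outliers = sorted(env for env, d in digests.items() if d != top)
            findings[name] = {"status": "outlier", "environments": outliers}
        else:
            # No agreement at all: no build can be treated as the reference.
            findings[name] = {"status": "no-majority", "environments": sorted(digests)}
    return findings

# Constructed sample: env-b's build pipeline altered one artifact.
CLEAN = {"app.dll": b"business logic v1", "update.xml": b"<manifest/>"}
ALTERED = dict(CLEAN, **{"app.dll": b"business logic v1 + unexpected code"})

SAMPLE_BUILDS = {
    "env-a": manifest(CLEAN),
    "env-b": manifest(ALTERED),
    "env-c": manifest(CLEAN),
}

if __name__ == "__main__":
    for name, finding in cross_correlate(SAMPLE_BUILDS).items():
        print(name, finding)
```

A release gate built on this would block signing whenever the findings are non-empty, since a single mismatching environment is exactly the signal the redundancy is meant to surface.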