
The Cybersecurity 202: SolarWinds hearing puts the company’s new CEO in the hot seat


Ramakrishna is looking to reframe the conversation: Notes shared with The Cybersecurity 202 show he plans to highlight that SolarWinds was not the only company exploited – and that this hack could have happened to any software company. 

Ramakrishna will share what the company has learned from the experience and is doing now to better protect customers.  While Ramakrishna only started the role after the incident was discovered, he will likely have to account for reports of lax security practices at the company leading up to the attack.

Other executives will join him in calling for better partnerships between the private and public sector. FireEye chief executive Kevin Mandia, Microsoft President Brad Smith and CrowdStrike chief executive and president George Kurtz will also appear before the panel today. 

Smith, per written testimony, will say that “too many cyberattack victims keep information to themselves. We will not solve this problem through silence. It’s imperative for the nation that we encourage and sometimes even require better information-sharing about cyberattacks.”

Congress will probe executives for insights into how the federal government and private sector are working together to mitigate the attack – and how to prevent similar breaches. 

“Preliminary indications suggest that the scope and scale of this incident are beyond any that we’ve confronted as a nation, and its implications are significant,” Senate Intelligence Committee Chair Mark R. Warner (D-Va.) will say in his opening statement. The footholds these hackers gained into private networks including of some of the world’s largest IT vendors may provide opportunities for future intrusions for years to come.

The hearing comes as the U.S. intelligence community continues its investigation into the massive breach, a process that national security adviser for cyber and emerging technology Anne Neuberger recently said could take months. The hacking campaign went unnoticed until cybersecurity firm FireEye first uncovered the SolarWinds breach after discovering a breach of its own networks.

“A very big question looming in my mind is: had FireEye not detected this compromise in December would we still be in the dark today?” Warner will say.

Congress will be looking to industry for input on how to use its powers to spur cooperation.

There are a number of ideas about how to improve information sharing between the private sector and the government. Ramakrishna, at a Center for Strategic and International Studies event, called for a more effective federal clearinghouse for the government and private sector to share information. Other experts have raised the idea of a private-public entity to immediately examine hacks, modeled after the National Transportation Safety Board.

Warner, who has raised the prospect of new data breach legislation, will question companies about the efficacy of a possible mandatory reporting system alongside greater liability protections for companies that disclose incidents. 

Congress will ask about global cybersecurity policy, as well.

The need for global cyber norms came up in a recent House Homeland Security hearing on SolarWinds and has been emphasized by the Biden administration.

“We don’t bomb ambulances in war; should we consider efforts to subvert patching, which after all is about fixing vulnerabilities, to be similarly off limits?” Warner asks in his opening remarks.

Smith, who has called the SolarWinds hack a reckoning for better global cybersecurity cooperation to stave off nation-state attacks, could provide unique insights on this front. Microsoft has been organizing the private sector around the issue with its Cybersecurity Tech Accord, a pledge signed by more than 145 technology companies committing to opposing cyberattacks against innocent civilians and organizations.

Expect more hearings to follow.

The hearing is the first of two featuring the executives this week. The House Homeland Security and Oversight Committees will hear from the companies on Friday. 

Chairs of the Senate Homeland Security and Governmental Affairs Committee and the House Armed Services Committee cybersecurity subcommittee have also expressed interest in hosting hearings on the hacking campaign. The release of the Biden administration’s investigation into the attack, which is not expected for weeks, will also usher in a fresh wave of hearings.

The keys

DHS increased the threshold that FEMA grant recipients must spend on cybersecurity.

The Cybersecurity and Infrastructure Security Agency said in a news release that “CISA will urgently evaluate and implement additional capabilities including potential new grant programs that will enable critical security investments.” Homeland Security Secretary Alejandro Mayorkas has pledged to build on CISA’s efforts by reiterating its importance and increasing information sharing with domestic and foreign partners.

House Homeland Security Committee Chairman Bennie G. Thompson (D-Miss.) and Rep. Yvette D. Clarke (D-N.Y.), the chairwoman of the committee’s cyber panel, praised the move, saying in a statement that “we are encouraged to see Secretary Mayorkas taking the cyber threats to state and local networks seriously and look forward to working with him on this important issue, particularly as we prepare to reintroduce the State and Local Cybersecurity Improvement Act.”

On Thursday, Mayorkas plans to issue calls to action to build a diverse cyber workforce and use partnerships with public and private organizations to battle ransomware. According to the news release, Mayorkas plans to “participate in several additional engagements in the coming weeks” to discuss cybersecurity.

Cybersecurity firm FireEye identified the hackers behind attacks against Kroger and other high-profile victims.

The group behind the attack, which is being called “UNC2546,” used multiple unpatched vulnerabilities in Accellion’s file-transfer software to attack Kroger and other Accellion clients, FireEye researchers write.

Researchers at cybersecurity firm FireEye started noticing the group exploiting Accellion in mid-December 2020, but their motivations were “not immediately apparent,” researchers said in a press release. In January the exploited organizations were hit with extortion emails threatening to leak data if the companies didn’t pay up. Hackers followed through with leaking the data of several victims, FireEye notes.

Dominion filed a defamation lawsuit against another Trump loyalist.

The company is seeking more than $1.3 billion from Mike Lindell, the CEO of MyPillow, Emma Brown reports. Dominion says that Lindell, a supporter of former president Donald Trump, has contributed to a “viral disinformation campaign” claiming that its voting systems were manipulated to turn the 2020 presidential election against Trump. Lindell said he was “very happy to hear” that Dominion has sued him, saying that “now I can get to the evidence faster. It’s going to be amazing.” He added that he plans to continue to release films about alleged election fraud.

Global cyberspace

Ukrainian officials traced a recent cyberattack to Russian networks.

The country’s national security and defense council said that “addresses belonging to certain Russian traffic networks” were the source of an attack last week that sought to overwhelm networks belonging to Ukrainian government agencies. The council, which said that the cyberattack was “massive,” said it used a “new mechanism” of infecting government systems and getting them to attack government networks, at which point Internet providers find and block infected servers, rendering them inaccessible. 

A Ukrainian security service spokesman said that the attack interrupted the operations of the agency’s website. Russia has a long history of cyberattacks against Ukraine, including a notorious 2017 campaign that wiped out Ukrainian organizations including banks, electricity firms and other critical infrastructure.

Cyber insecurity

Apple is trying to make it harder for hackers to access iPhones.

An upcoming iOS 14.5 software update is expected to include the feature, which will make it harder for hackers to access phones without interaction by their users, Motherboard’s Lorenzo Franceschi-Bicchierai and Joseph Cox report. Those types of cyberattacks have been used by hackers working for the United Arab Emirates to target activists, diplomats and world leaders, as well as journalists.

Apple’s move has been celebrated by activists. Sarah Aoun, Chief Technologist at the Open Technology Fund:

More news in hacks, leaks and breaches:

Mentions

  • Jake Braun, the executive director of the University of Chicago’s Cyber Policy Initiative, has been tapped to be a senior adviser to the Department of Homeland Security’s Management Directorate, Politico’s Eric Geller reports.
  • The Cybersecurity and Infrastructure Security Agency announced that three appointees — Nitin Natarajan, Eric Goldstein and David Mussington — have joined the agency. Their appointments were previously reported.

Daybook

  • Microsoft President Brad Smith and former Google CEO Eric Schmidt testify at a Senate Armed Services Committee hearing on emerging technology today at 9:30 a.m.
  • The U.S. Chamber of Commerce hosts an event on cyber norms today at 10 a.m.
  • Former DARPA director Victoria Coleman, former acting deputy defense secretary Christine Fox and American Enterprise Institute resident fellow Klon Kitchen testify at a House Armed Services Committee cyber panel hearing today at 11 a.m.
  • Former Cybersecurity and Infrastructure Security Agency director Chris Krebs speaks at Check Point’s CPX 360 virtual conference today.
  • The Senate Intelligence Committee holds a hearing on President Biden’s nomination of William J. Burns, a former U.S. ambassador to Russia and top State Department official, to lead the CIA on Wednesday at 10 a.m.
  • The House Foreign Affairs Committee marks up legislation including the Cyber Diplomacy Act, which would set up a State Department bureau to oversee the economic and security aspects of cybersecurity policy, on Thursday at 10 a.m.

Chat room

Chris Painter, the State Department’s former cyber coordinator, celebrated a meaningful birthday:

Politico reporter Eric Geller:

Secure log off
