Microsoft President Brad Smith criticized top rivals Amazon Web Services and Google Friday for not publicly sharing what they know about the SolarWinds attack.
Smith told House of Representatives members that the Redmond, Wash.-based software giant has published 32 blogs describing whatever Microsoft has observed and seen from the SolarWinds attackers during their campaign, while Google has published just one blog and Amazon hasn’t published anything. AWS admitted Thursday the SolarWinds hackers used its Elastic Compute Cloud (EC2) in their attack.
“There are other companies that, to the best of my knowledge, have not even alerted their customers or others that they were a victim of a SolarWinds-based attack,” Smith said Friday. “These are companies where their own infrastructure was used to launch the attack. And somehow, they don’t think it’s part of their responsibility to let these victims know that they’re victims. And that needs to change.”
Sen. Richard Burr, R-N.C., said SolarWinds hackers leveraged AWS cloud hosting to run programs that communicated with and controlled the poisoned code they had installed on victims’ systems. Several U.S. senators slammed AWS Tuesday for refusing to testify at a hearing about the SolarWinds intrusion, with multiple Republicans alluding to the possibility of subpoenaing Amazon representatives.
“I actually think it should start with transparency,” Smith said. “I am here today. I am answering all your questions … I think we’ll all benefit if we create a culture where tech companies are sharing more information.”
AWS could have financial information on how the SolarWinds hackers paid for its services, network traffic data showing whom the hackers interacted with on the internet, and data stored on AWS servers themselves showing what other activity the hackers were engaged in and possibly what other tools they were using, DomainTools Senior Security Researcher Joe Slowik told The Wall Street Journal Thursday.
Google wasn’t mentioned by name by any senators or congresspeople during either Tuesday’s or Friday’s hearings, but Politico reported Tuesday that Google had on Monday offered lawmakers a list of more than a dozen questions aimed at scrutinizing the security of Microsoft products such as Windows 10, Azure and Office 365. Neither AWS nor Google immediately responded to CRN requests for comment.
Smith said Friday that, unlike AWS and Google, Microsoft lets customers know as soon as the company finds out an adversary has penetrated their network, even if the compromise had nothing to do with Microsoft’s service. Microsoft has done this more than 13,000 times over the past two-and-a-half years in response to nation-state attacks, according to Smith.
“You have other companies, some of the largest companies in our industry, that are well-known to have been involved in this, that still have not spoken publicly about what they felt,” Smith said. “There’s no indication that they even informed customers.”
Microsoft has notified 60 of its customers that they were compromised by the SolarWinds hackers, and Smith said roughly half of those companies are communications and technology firms. Most of the affected communications and technology customers have not in any way publicly disclosed they were attacked as part of the SolarWinds campaign, according to Smith.
“I’m worried that, to some degree, some other companies – some of our competitors even – just didn’t look very hard,” Smith said. “If you don’t look, you won’t find, and you’ll go to bed every night being blissfully ignorant thinking you don’t have a problem when, in fact, you do.”
Smith said lawmakers should call on the loyalty of American companies to voluntarily step forward and share information. However, it is becoming clear that voluntary sharing isn’t sufficient, according to Smith. As a result, Smith said companies in the critical infrastructure business, or that are “first responders” to security incidents, should have a legal obligation to report what they know.
“Silence is not going to make this country stronger,” Smith said. “And so, I think we have to encourage, and I think, even mandate that certain companies do this kind of reporting … We at Microsoft have been reporting this kind of information, sharing data and publishing blogs without any legal duty to do so.”
SolarWinds CEO Sudhakar Ramakrishna told House members Friday that getting more vendors and customers to speak up about how they were impacted by the intrusion will make it easier to solve this problem. Purely devoting more resources to security isn’t enough unless the government and private sector share the information they have for the collective benefit of all Americans.
“The challenge here is one of potential litigation, and one of, as I describe it, victimizing the victim itself for coming out,” Ramakrishna said. “And those are things that need to be eliminated, or those stigmas need to be eliminated for more of us to come out and speak openly.”
Ric Opal, principal and national GTM and strategic partnerships leader at BDO Digital, a Microsoft Gold Partner, said that he applauds Microsoft for being “transparent” about what occurred in the SolarWinds attack—and also for being “aggressive” in its cybersecurity approach overall.
“They’re leveraging the power of data in order to try to protect us all. And I think they’ve been very forthcoming,” Opal said, pointing to Microsoft’s recent final report on the SolarWinds attack.
“I think they are not only being transparent — it’s not just that Brad Smith is testifying — but everything is actually in writing. You can go download the report,” Opal said. “What I’m seeing [from Microsoft] is a good intent and a willingness to solve the problem. And they’re not going it alone … Everybody has to work together here. And the only way to work together is to put business goals aside and deal with the problem.”
With contributions by CRN Senior Editor Kyle Alspach.