Tech exec to Congress: Supply chain hack took 1,000 engineers
Brad Smith, president of Microsoft, told a panel of senators on Tuesday that his company estimates the cybersecurity breach of nine federal agencies and 100 private companies likely took “at least a thousand” skilled and capable people to pull off.
“At Microsoft as we worked with customers that had been impacted by this, we stepped back and just analyzed all of the engineering steps that we had seen and we asked ourselves how many engineers do we believed had worked on this collective effort and the answer we came to was at least a thousand,” Smith told the Senate Select Committee on Intelligence. “I should say at least a thousand very skilled, capable engineers. So we haven’t seen this kind of sophistication matched with this kind of scale,” he added.
The scope and scale Smith described is keeping with the attribution being made by public sector and private sector officials that the hack, which leveraged flaws in IT management software from SolarWinds and products from other vendors to inject malware into computer networks, was perpetrated by Russia.
“We went through all the forensics. It is not very consistent with cyber espionage from China, North Korea or Iran, and is most consistent with cyber espionage and behaviors we’ve seen out of Russia,” Kevin Mandia, CEO of FireEye, said at the Feb. 23 hearing.
George Kurtz, president and CEO of Crowdstrike, added that while his company could not corroborate an attribution to Russia, he has not seen evidence to contradict it.
Mandia, Smith, Kurtz and Sudhakar Ramakrishna, CEO of SolarWinds, testified today to the panel on intelligence about the impacts of the hack of nine federal agencies and 100 private companies.
The committee’s chairman, Sen. Mark Warner (D-Va.), said the panel invited an official from Amazon Web Services to testify but the company declined.
The White House has continued to say the campaign is “likely Russian in origin,” but is waiting to complete a formal investigation before using more specific language. FireEye, which is credited with discovering the initial breach, has been more cautious, saying that the hack was likely the work of a state or state-sponsored actor.
Gregory Touhill, the federal government’s first chief information security officer and a retired Air Force brigadier general, told FCW in January that formal attribution requires a level of proof that can stand up in court.
“When it comes to attribution, what the intelligence and law enforcement community has to do is …literally trace it all the way back to the root,” he said. Public and private investigators have to gather evidence that “will hold up in court. That’s the realm that [FireEye] and others are dealing with. Those who don’t have to prove it in court can say whatever they want.”
In addition to the issue of attribution, multiple senators quizzed the technology executives about stepping up requirements for breach reporting and whether companies would need liability protections to take on that obligation.
“The time has come to go in that direction,” Smith said in response to a question from Sen. John Cornyn (R-Texas). “We should notify a part of the U.S. government that would be responsible for aggregating threat intelligence and making sure it is put to good use.”
Mandia agreed with Smith’s comments and added that the information shared would need to be confidential because of how quickly circumstances change in the aftermath of an attack.
The Washington Post reported on Tuesday that the White House is planning to sanction Russia in response for the hack, among other things. The Post’s reporting also added NASA and the Federal Aviation Administration as part of the list of agencies compromised.
Ramakrishna said Monday during an event hosted by a Washington think tank that he feels his company has an “obligation” to speak publicly about the breach because “this is not a one company issue.”
He and other technology executives will speak to House lawmakers later this week about the effects the breach has had on the public and private sector.
Both Ramakrishna and Mandia said this week that in addition to adding malicious code to the SolarWinds Orion IT management software, the hacking campaign also inserted innocuous code into Orion in October 2019 to test whether their method of injecting code worked without attracting attention.
This article first appeared on FCW, a Defense Systems partner site.
Justin Katz covers cybersecurity for FCW. Previously he covered the Navy and Marine Corps for Inside Defense, focusing on weapons, vehicle acquisition and congressional oversight of the Pentagon. Prior to reporting for Inside Defense, Katz covered community news in the Baltimore and Washington D.C. areas. Connect with him on Twitter at @JustinSKatz.