EXECUTIVE SUMMARY:

On February 26th, a congressional hearing pertaining to the SolarWinds hack got underway. Executives from a suite of major software companies briefed senators on the latest SolarWinds-related findings and discussed how to prevent similar attacks in the future.

“Preliminary indications suggest that the scope and scale of this incident are beyond any that we’ve confronted as a nation, and its implications are significant,” said Senator Warner (D-VA).

The SolarWinds malware campaign impacted nine federal agencies and roughly 100 private enterprises. Emerging findings show that the hackers leveraged Amazon Web Services in order to disguise their intrusion attempts. Furthermore, new reports indicate that the SolarWinds supply chain attack was not the hackers’ only means of infiltrating targeted systems. They also appear to have weaponized other techniques to access organizations that did not rely on SolarWinds’ software.

For its part, the SolarWinds company is still unraveling how hackers managed to compromise the company.

Bringing SolarWinds into sharper focus

The SolarWinds attack took place on US soil. While the National Security Agency (NSA) may have the authority to surveil international computer networks, it cannot legally surveil domestic ones. This helps to explain why the attack was missed by the NSA.

These regulations and the corresponding administrative failure suggest that the current strategy for identifying large-scale cyber threats may be outdated. Lawmakers are considering new options. In so doing, they need as much information as possible to make the right decisions.

Amazon’s silence

Although invited to attend the hearing, Amazon declined to send a representative. The hackers used EC2 (Amazon Elastic Compute Cloud). Amazon has reportedly shared AWS-related information with the federal government. However, the company does not wish to make the information public.

Some senators indicated that they may wish to subpoena the company. Amazon’s insights into the SolarWinds attack may prove useful to lawmakers and the public.

“We had extended an invitation to Amazon to participate…I hope they’ll reconsider,” said Senator Marco Rubio (R-FL).

Stealthy by design

In the US, information often sits in silos. The engineers behind the SolarWinds breach may have known about the lack of cyber security information sharing between the US public and private sectors. The “fingerprints” of the attack were scattered loosely across a variety of different organizations. However, none of those organizations communicated the details to one another, which is part of why the attack quietly persisted for more than a year.

President of Microsoft, Brad Smith, stated that his company believes that entities affected by the attack outside of the US may have been targeted due to the types of projects that they work on. Hackers appear to have been after information pertaining to certain types of activities.

Looking at legislation

As noted earlier, existing legislation around monitoring systems for malware and other cyber threats has fallen short. According to the Senate, there may be interest in creating an incentive-based program that encourages public and private reporting of cyber security breaches. Because the majority of breach victims are not legally mandated to report their security incidents, pieces of larger cyber security puzzles may never see the light of day. A cyber reporting clearinghouse could change that.
