Washington D.C. (Feb. 26, 2021)—Today, Rep. Carolyn B. Maloney, Chairwoman of the Committee on Oversight and Reform, and Rep. Bennie G. Thompson, Chairman of the Committee on Homeland Security, held a joint hearing examining recent cybersecurity incidents affecting government and private sector networks, including the supply chain attack targeting SolarWinds Orion Software and other cyberattacks.
At the start of today’s hearing, Chairwoman Maloney released a 23-page presentation from former SolarWinds employee Ian Thornton-Trump, highlighting the need for private sector accountability for their role in the attack.
Members heard testimony from Sudhakar Ramakrishna, President and Chief Executive Officer of SolarWinds Corporation; Kevin B. Thompson, Former Chief Executive Officer of SolarWinds Corporation; Kevin Mandia, Chief Executive Officer of FireEye, Inc.; and Brad Smith, President of Microsoft Corporation.
Members and witnesses discussed the urgent need to improve cybersecurity in both the private and public sector, including the need for increased information-sharing with the private sector, new reporting requirements on cyber threat indicators or instructions, and common-sense procurement rules that do not harm the U.S. Government.
- Chairwoman Maloney announced that the Oversight Committee will examine procurement in light of the SolarWinds attack, noting: “We must demand better cybersecurity practices from our suppliers, as well as increased information-sharing with the private sector.”
- Chairman Thompson made the point that: “Our collective failure to make cybersecurity a central component of our national security – and invest in it accordingly – contributed to the success of the campaign and the difficulty we face in understanding its impact.”
- As FireEye CEO Kevin Mandia emphasized to Rep. Norton, we still don’t know the scope of the attack, and we may never know; it will take time to see its full extent. As he stated, “The bottom line: We may never know the full range and extent of damage, and we may never know the full range and extent as to how the stolen information is benefitting an adversary.”
- Rep. Rashida Tlaib questioned SolarWinds executives about former employees who described the company’s lax security practices, stating that “they viewed a major breach as inevitable.” Rep. Tlaib asked SolarWinds executives about an incident reported in the press that some of SolarWinds’ servers were protected with passwords such as “solarwinds123”. Mr. Thompson testified: “that related to a mistake an intern made, and they violated our password policies.” He added that the intern had posted the password in an internal account. “As soon as it was identified and brought to the attention of my security team, they took that down.”
- When asked by Rep. Katie Porter about the same incident, Mr. Ramakrishna testified: “I believe that was a password that an intern used on one of his…servers back in 2017 which was reported to our security team and it was immediately removed.”
- Rep. Torres and our witnesses discussed what the federal government could do to detect breaches, including the importance of private-public partnership to protect critical infrastructure. As Mr. Mandia stated, “all the fingerprints of this attack were inside the nation. So you have to expect that the government’s going to detect some things, the private sector’s going to detect some things,” so one entity needs to be able to connect all the threads.