The private sector should be legally obliged to disclose any major hacks of their systems, says Microsoft’s president and top lawyer Brad Smith.
Speaking at a Senate Intelligence Committee hearing on Tuesday regarding the SolarWinds backdoor, through which suspected Russian agents infiltrated the computers of US government departments and Fortune 500 companies, Smith argued it was “time not only to talk about but to find a way to take action to impose in an appropriate manner some kind of notification obligation on entities in the private sector.”
He noted it was “not a typical step” for a company to ask the United States Congress to “place a new law on ourselves and on our customers, but I think it’s the only way we’re going to protect our country and I think it’s the only way we’re going to protect the world.”
The invitation was certainly unusual but it was notably not challenged by the other panelists at the hearing: the CEO of SolarWinds, and of security experts FireEye – which first spotted and blew the lid off the tampered-with network monitoring software – and CrowdStrike. All of them agreed that there needed to be more information sharing across business and government, although only Smith proposed an actual legal obligation.
The experts were also agreed on a number of other aspects of the hack: that it was carried out by a “very, very sophisticated” team that was undoubtedly state-sponsored. CrowdStrike’s CEO George Kurtz noted the hackers’ “superb tradecraft,” and “very unique” approach. And while only Smith was willing to say categorically that it was Russia, FireEye’s CEO Kevin Mandia noted that following an intensive investigation by his team, which included looking for clues in reams of decompiled code, they had concluded that the hack was “not consistent with China, North Korea or Iran, and was most consistent with Russia.”
They also agreed that the manner of the attack – in which the hackers compromised the build stage of SolarWinds’ Orion software to hide a backdoor in the product before it was released for users to download and install – was itself problematic. Both Smith and SolarWinds’ CEO Sudhakar Ramakrishna called that approach “reckless” as it not only exposed a vast number of businesses but also undermined people's faith in the critical process of regularly updating and patching software.
Smith argued that it was also time to start identifying and punishing the perpetrators of such hacks, with the White House acknowledging this week that it was considering naming and punishing Russia for its actions.
Mandia made it clear that the hackers had prioritized not being discovered over other goals, suggesting that the Russian government was also aware that it was crossing a dangerous line.
For instance, the hidden backdoor activates around 11 days after the tainted version of Orion is installed to make it harder to connect any future discovery to a SolarWinds update. They also carried out a test run against SolarWinds systems months before the real hack, and waited to see if their approach would be discovered. And they used different IP addresses for each attack, none of which had been used in any previous sorties.
Once the miscreants entered the network of an organization that had installed the backdoored Orion builds, they would seek out ways to access systems as real employees, minimizing suspicion. They also connected into their victims' networks from Amazon Web Services servers, as traffic to and from that cloud platform tended to look legit.
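The two paragraphs above describe intruders using never-before-seen IP addresses and then authenticating as real employees. One cheap defensive signal against that pattern is novelty detection on account/source-IP pairs: a successful login from an address that account (or the whole organization) has never used before. The following is an added example, not code from the article, from Microsoft, FireEye or CrowdStrike; the log format and all log lines are constructed for illustration, and the logic is a baseline-versus-new comparison rather than any vendor's product logic.

```python
"""Flag successful logins from source IPs not previously seen for that account.

Added example; the log format "timestamp user src_ip result" and every log
line below are constructed, not taken from any real incident.
"""
from collections import defaultdict
from datetime import datetime

# Constructed baseline: the organization's recent history of successful logins.
BASELINE_LOGS = """\
2020-10-01T08:02:11Z alice 10.20.0.14 success
2020-10-01T08:05:40Z bob 10.20.0.31 success
2020-10-02T09:10:02Z alice 10.20.0.14 success
2020-10-03T17:44:19Z bob 10.20.0.31 success
2020-10-04T08:01:57Z carol 203.0.113.9 success
"""

# Constructed new activity: two accounts appear from fresh addresses at odd hours,
# plus a brand-new account with no history at all.
NEW_LOGS = """\
2020-10-15T03:12:08Z alice 10.20.0.14 success
2020-10-15T03:14:30Z alice 198.51.100.77 success
2020-10-15T03:20:02Z bob 198.51.100.78 failure
2020-10-15T03:21:45Z bob 198.51.100.78 success
2020-10-16T11:00:00Z dave 10.20.0.50 success
"""


def parse(lines):
    """Parse the constructed log format into (timestamp, user, ip, result) tuples."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, ip, result))
    return events


def build_baseline(events):
    """Map each account to the set of source IPs it has successfully logged in from."""
    seen = defaultdict(set)
    for _, user, ip, result in events:
        if result == "success":
            seen[user].add(ip)
    return seen


def find_novel_logins(baseline, events):
    """Return one alert per (user, ip) pair whose first successful login is not in the baseline.

    Each alert is (user, ip, iso_timestamp, org_novel), where org_novel is True when
    no account in the baseline ever used that IP. Accounts absent from the baseline
    are flagged on their first login, since any IP is first-seen for them.
    """
    known = {user: set(ips) for user, ips in baseline.items()}
    org_ips = set().union(*known.values()) if known else set()
    alerts = []
    for ts, user, ip, result in events:
        if result != "success":
            continue
        user_ips = known.setdefault(user, set())
        if ip not in user_ips:
            alerts.append((user, ip, ts.isoformat(), ip not in org_ips))
            user_ips.add(ip)  # alert once per new pair, not on every repeat
            org_ips.add(ip)
    return alerts


if __name__ == "__main__":
    for user, ip, when, org_novel in find_novel_logins(build_baseline(parse(BASELINE_LOGS)), parse(NEW_LOGS)):
        scope = "new to the whole org" if org_novel else "new to this account"
        print(f"{when} {user} from {ip}: {scope}")
```

On its own this signal is noisy (travel, VPN changes, new hires), so in practice it is one input to a scoring rule alongside time-of-day, geography and what the session does afterwards; its value here is that it does not depend on the address ever having appeared on a blocklist, which is exactly the assumption the hearing says these intruders defeated.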
In other words, it had been a meticulously planned attack. Microsoft’s investigative team concluded that it had taken a team of over 1,000 “very skilled engineers” to pull it off. Mandia said the hack had been “exceptionally hard to detect,” and Smith said the whole attack was in a “different category” from any previous hacking effort. Yes, Smith doubled down on his earlier 1,000 estimate, meaning either Redmond is way off but sticking to its guns, or that the US intelligence services were caught off-guard by another nation wielding effectively the engineering and operations force of a non-trivial-sized software business.
Smith also said Microsoft had warned 60 of its customers that they were likely compromised by the SolarWinds hackers, who, according to Smith, "may have used up to a dozen different means of getting into victim networks during the past year." It's understood Microsoft's antivirus telemetry picked up signs of intrusion in at least some of those cases.
All of this inevitably led to a discussion about what to do to prevent such future invasions. Everyone agreed that sharing information was essential, and that too much information was currently being held in “silos,” either in government or the private sector. There’s nothing new in this, or in calls for everybody to share more intelligence.
But the reason why businesses don’t like that idea was apparent in the form of SolarWinds’ Ramakrishna who read from a script and offered only bland generalizations, almost certainly because his company faces potential ruin from lawsuits heading his way and the lawyers locked down anything he would say in a public hearing.
That’s why Smith suggested a compulsory disclosure law. How exactly this would work was left open: disclosures could be made to government-level watchdogs in exchange for limited liability protections, for instance. They may not necessarily have to be fully public disclosures, either. He called for "a clear, consistent obligation for private sector organizations to disclose when they’re impacted by confirmed significant incidents."
It was also said that the nature of computer security changes, and that therefore more focus should be put on the software build processes to ensure there has been no tampering with code prior to release, and – in a suggestion liable to induce migraines – that users be required to reauthenticate every time they shifted from one internal or external service or machine to another, to prevent hackers from skipping around inside networks.
Smith couldn't resist pushing his company’s interest, however: he argued that the size and scope of the hack meant that it was more important than ever that everyone move their computing to the cloud. Every hack in this case, he noted, had started with on-premises servers before migrating to Microsoft’s cloud systems. A global shift to the cloud would suit Microsoft down to the ground.
However, that pitch for the glory of Microsoft was undermined by CrowdStrike’s Kurtz, who pointed out that the spread of the hack was in large part thanks to “systemic weaknesses in Windows,” and pointed to “traditional authentication methods and legacy security technologies” as the biggest problem.
"Should Microsoft address the authentication architecture limitations around Active Directory and Azure Active Directory, or shift to a different methodology entirely, a considerable threat vector would be completely eliminated from one of the world’s most widely used authentication platforms," he said pointedly.
As for insights from the other major tech company that was embroiled in the hack, Amazon Web Services, a representative for the company refused to attend the hearing, something that didn’t sit well and was repeatedly raised by Senators, including the committee’s chair and vice-chair. ®
Editor's note: This article was revised after publication to expand upon Smith's suggestion for a disclosure law.