- Lawmakers drilled down on the security practices that allowed the SolarWinds attack to go undetected for about nine months, during a joint Committee on Oversight and Reform and Homeland Security hearing in the House of Representatives on Friday.
SolarWinds executives were questioned about reports of internal warnings on lax security practices, including the use of the phrase "solarwinds123" as a password. Former CEO Kevin Thompson — who made a joint virtual appearance at the hearing with current CEO Sudhakar Ramakrishna — blamed the security lapse on a former intern.
Microsoft, which helped investigate and block the nation-state attack, said it discovered and notified 60 on-premises customers that they had malware only after the attackers maneuvered their way into the cloud infrastructure.
Top executives from SolarWinds, Microsoft and FireEye testified in a safely distanced return to Capitol Hill, with the executives and most lawmakers appearing virtually. Most of the executives previously testified before the Senate Intelligence Committee, along with CrowdStrike, on Tuesday.
Thompson, who stepped down at the end of 2020 after being CEO for 10 years, was asked by Rep. Rashida Tlaib, D-MI, about a Bloomberg report that a couple of former SolarWinds employees viewed the threat of a major breach as "inevitable."
One of the employees, Ian Thornton-Trump, warned SolarWinds in 2017 about security risks but found executives were "unwilling to make the corrections," Tlaib said. Thornton-Trump later become CISO at Cyjax.
"I believe that we've taken the security of our customers, of our company, of our products seriously my entire tenure," Thompson said.
Thompson said SolarWinds, starting in 2016, spent more than the industry average on security and also hired a chief technology officer, a chief information officer and later a vice president of security.
Tlaib also questioned Thompson about a report in which Palo Alto Networks flagged an intrusion attempt in October 2020. He passed the request onto Ramakrishna, who explained that SolarWinds was a customer of Palo Alto, which flagged the incident and notified SolarWinds in October, but at the time did not realize the full scope of what they saw.
Palo Alto, in a blogpost related to the SolarWinds attack, said its security operations center detected a DNS request from its SolarWinds server for the avsvmcloud[.]com domain on Sept. 29, 2020, followed by a similar request on Oct. 5.
The executives also scrutinized how other companies in the industry responded to the security compromise. Ramakrishna and Smith outlined concerns about rival technology companies failing to come forward with disclosures about the attack and urged the government to create a mechanism to share their own intelligence publicly.
"What I mean is you, have three companies here today because we have chosen to share information," Smith said in response to a question from Rep. Katie Porter. "At Microsoft we have published 32 blogs about what we observed and what we have seen."
By contrast, he pointed out, Amazon and Google have collectively published one blog.
Amazon last week was blasted by lawmakers for not showing up at the Senate hearing despite an invitation. Cybersecurity Dive obtained a copy of a letter from Amazon to lawmakers, where it declined to appear, saying it was not a SolarWinds customer and was not compromised. Amazon also claimed in the letter that it notified the FBI and provided "detailed briefings" to Congress.
Google did not return a request for comment. The company previously posted a blog from Phil Venables, the CISO at Google Cloud, claiming its systems were not affected by the SolarWinds attack.
Industry experts say the technology industry may need better incentives to make security a higher priority.
"The market has never incentivized companies to prioritize security over profit," Kiersten Todt, managing director at the Cyber Readiness Institute told Cybersecurity Dive via email. "As long as that is the case, companies will not become secure components of global supply chains."