Top cybersecurity executives urged the Senate Intelligence Committee on Tuesday to help create a system that allows confidential information sharing and create a centralized point of contact. The executives spoke during the first public hearing following the historic nation-state attack on SolarWinds.
Private sector companies and critical infrastructure providers have been reluctant to come forward and report attacks, however enacting new disclosure requirements on the private sector would enable rapid intelligence sharing and response to future attacks, according to Brad Smith, president of Microsoft.
"We need to replace this silence with a clear, consistent obligation for private sector organizations to disclose when they are impacted by confirmed, significant incidents," Smith said in prepared testimony.
Amid the calls for public disclosure, Amazon came under bipartisan fire as Senators confirmed AWS representatives were invited to participate in the hearing, but declined to show up. AWS, whose role in the nation-state attack has been unconfirmed for months, "hosted most of the secondary command and control nodes," said Sen. Richard Burr, R-NC.
Senators were urged to help create a more streamlined and responsive sharing of threat intelligence, because the myriad of law enforcement and intelligence agencies involved with cybersecurity has resulted in critical delays in companies being notified of impact from the SolarWinds attack.
"Rather than merely notifying victims long after their information has been stolen, a small group of first responders could prevent or mitigate the impact of cyber incidents through sharing contextual, actionable information quickly and confidentially," Kevin Mandia, CEO of FireEye said in prepared testimony.
SolarWinds was attacked by a nation-state actor that between March and June of 2020 injected malware into the company's Orion network monitoring platform, which thousands of companies use to monitor their computer systems, according to CEO Sudhakar Ramakrishna. The attack lasted for months until FireEye was able to detect implants of malicious code in the SolarWinds platform during FireEye's investigation of the theft of its Red Team hacking tools.
Ramakrishna said nation-state attacks should be considered a potential threat for the future that goes well beyond his company.
"We believe that the entire software industry should be concerned about the nation state attack as the methodologies and approaches from the threat actor used can be replicated to impact software and hardware products from any company, and these are not just SolarWinds specific vulnerabilities," he said in prepared testimony.
Ramakrishna called for industrywide standards that build upon the Defense Department's Cybersecurity Maturity Model Certification, which requires federal contractors to meet certain security benchmarks before they can qualify for defense contracts.
Officials from the Cyberspace Solarium Commission said the hearings shed light on a number of recommendations that it previously made to enhance the need for rapid communication and information sharing.
"Specifically the U.S. government needs to establish and host an effective information sharing infrastructure, which includes a joint (public/private) analytical center," Mark Montgomery, executive director of the CSC said in an email. "Additionally we need to have clear federal guidance on breach notification and incident reporting requirements in the private sector."
He said there also emphasized the need to build a better collaborative system between the government and the most critical systems in the private sector.
Amid all the calls for change between the government and private sector, Crowdstrike specifically called for Microsoft to enact major security enhancements in its technology.
The threat actor took advantage of "systemic weaknesses in the Windows authentication architecture," according to preparared testimony from George Kurtz, president, CEO and co-founder of Crowdstrike.
The threat actor was able to move laterally within the network and between the network and the cloud by creating false credentials, impersonating legitimate users and bypassing multifactor authentication, Kurtz said.
Enterprises need to actively hunt for threats instead of using passive detection methods, respond immediately when problems are identified and also embrace machine-learning and artificial intelligence, he added.
If Microsoft addressed authentication limitations in Active Directory and Azure Active Directory, or shifted to an entirely new methodology "a considerable threat vector would be completely eliminated from one of the world's most widely used authentication platforms," Kurtz testified in prepared remarks.
Private sector cybersecurity experts said the threat to the entire industry goes well beyond SolarWinds customers and requires major improvements in cyber hygiene, use of multifactor authentication, password protocols and enforcement of access controls.
"As this is the most sophisticated cyberattack we've ever seen, the supply side vector of it is extremely difficult to mitigate," Sean Deuby, director of services at Semperis said via email. "However on-premises credential attacks have had answers for years. Almost invariably, corporate credentials are the weakest link in overall security strategy."
Amazon did not return a request for comment.