X

Congress confronts US cybersecurity weaknesses in wake of SolarWinds hacking campaign

Entrenched problems in cybersecurity contributed to the massive breach, lawmakers and tech execs say before the House Oversight and Homeland Security committees.

Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials
  • 2022 Eddie Award for a single article in consumer technology
Rae Hodge Former senior editor
Rae Hodge was a senior editor at CNET. She led CNET's coverage of privacy and cybersecurity tools from July 2019 to January 2023. As a data-driven investigative journalist on the software and services team, she reviewed VPNs, password managers, antivirus software, anti-surveillance methods and ethics in tech. Prior to joining CNET in 2019, Rae spent nearly a decade covering politics and protests for the AP, NPR, the BBC and other local and international outlets.
Laura Hautala
Rae Hodge
3 min read
Padlock on smartphone on laptop keyboard

US lawmakers and company heads discussed the problems that led to the hacking campaign that compromised SolarWinds software possible at hearings Wednesday and Friday.

Angela Lang/CNET

The biggest problems in cybersecurity contributed to the ongoing hacking campaign that weaponized a product update from IT software company SolarWinds, lawmakers and witnesses said at a hearing Friday before the House Oversight and Homeland Securities committees. Whether it's a lack of cybersecurity personnel, poor communication between private companies and the federal government, or the absence of global standards for acceptable espionage hacking, longstanding issues all came into play.

Solutions have long been in the works, but they weren't enough to stop a suspected Russian hacking group from accessing systems at nine federal government agencies and about 100 private companies. At the hearing, current SolarWinds CEO Sudhakar Ramakrishna and prior CEO Kevin B. Thompson testified alongside Microsoft President Brad Smith and FireEye CEO Kevin Mandia about the factors that made the hack possible.

The hacking group showed it could take advantage of myriad weaknesses in US cybersecurity, said Rep. John Katko, a Republican from New York. Worse, they didn't fear any consequences for their actions, he said. "They're winning the modern day arms race, and we need to step up."

The hacking campaign was complex, with attackers poisoning an update to SolarWinds' Orion products with malicious software. Thousands of entities downloaded the tainted update, and hackers then focused in on select targets for further intrusion. However, as lawmakers discussed at a Senate Intelligence Committee on Wednesday, the hackers also abused services from other companies, not just SolarWinds, to hack about 30% of their targets.

While past major breaches at the Office of Personnel Management, Equifax and the Democratic National Committee prompted some changes, there are still significant weaknesses in the systems that protect US systems. Further changes could come in several forms.

Smith and Mandia both expressed support for a requirement that companies share information about intrusions on their systems with the federal government. Currently, the Cybersecurity and Infrastructure Security Agency fields many such reports, and lawmakers advocated for better flow of information to the rest of the government. Additionally, SolarWinds' Ramakrishna said the company wants to share what it's learned with other companies, potentially leading to better systems for safeguarding software updates.

See also: Best VPN service of 2021

Ramakrishna also emphasized the need to quickly shore up protocols for clear lines of communications between government agencies and tech companies for faster security responses, especially when a sophisticated attacker strikes. "In this case, they behaved like Transformer toys in many ways, constantly morphing and changing their tactics and procedures on us," Ramakrishna said.

Smith echoed Ramakrishna's call, highlighting the hurdles that he said slowed Microsoft's efforts to alert agencies to the SolarWinds hacks.

"The government contracts impose restrictions on Microsoft and other government contractors in this kind of situation," Smith said. "We found that we could only inform the agency that was the victim itself, and we had to ask them to go talk to another person or individual or part of the government."

Asked about future prevention efforts, Smith said the government should establish better "rules of the road," including passing legislation that would level consequences on hacks of this scale. 

"If you catch somebody who is engaged in an offense, you need to hold them accountable, and you need a variety of ways to do that," Smith told the panel. 

Consequences may come for the alleged hackers soon, as the administration of President Joe Biden is reportedly considering sanctions against the people suspected of the attack. But there's no sign that an agreement is imminent in the international community for what counts as an out-of-bounds hack from an espionage agency.