[Senate Hearing 117-79]
[From the U.S. Government Publishing Office]
S. Hrg. 117-79
OPEN HEARING: HACK OF
U.S. NETWORKS BY A FOREIGN ADVERSARY
=======================================================================
HEARING
BEFORE THE
SELECT COMMITTEE ON INTELLIGENCE
OF THE
UNITED STATES SENATE
ONE HUNDRED SEVENTEENTH CONGRESS
FIRST SESSION
__________
TUESDAY, FEBRUARY 23, 2021
__________
Printed for the use of the Select Committee on Intelligence
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://www.govinfo.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
45-485 PDF WASHINGTON : 2022
-----------------------------------------------------------------------------------
SELECT COMMITTEE ON INTELLIGENCE
[Established by S. Res. 400, 94th Cong., 2d Sess.]
MARK R. WARNER, Virginia, Chairman
MARCO RUBIO, Florida, Vice Chairman
DIANNE FEINSTEIN, California          RICHARD BURR, North Carolina
RON WYDEN, Oregon                     JAMES E. RISCH, Idaho
MARTIN HEINRICH, New Mexico           SUSAN COLLINS, Maine
ANGUS KING, Maine                     ROY BLUNT, Missouri
MICHAEL F. BENNET, Colorado           TOM COTTON, Arkansas
BOB CASEY, Pennsylvania               JOHN CORNYN, Texas
KIRSTEN E. GILLIBRAND, New York       BEN SASSE, Nebraska
CHUCK SCHUMER, New York, Ex Officio
MITCH McCONNELL, Kentucky, Ex Officio
JACK REED, Rhode Island, Ex Officio
JAMES INHOFE, Oklahoma, Ex Officio
----------
Michael Casey, Staff Director
Brian Walsh, Minority Staff Director
Kelsey Stroud Bailey, Chief Clerk
C O N T E N T S
----------
FEBRUARY 23, 2021
OPENING STATEMENTS
Page
Warner, Hon. Mark R., a U.S. Senator from Virginia............... 1
Rubio, Hon. Marco, a U.S. Senator from Florida................... 4
WITNESSES
Mandia, Kevin, CEO, FireEye, Inc................................. 6
Prepared statement........................................... 9
Ramakrishna, Sudhakar, CEO, SolarWinds Inc....................... 14
Prepared statement........................................... 16
Smith, Brad, President, Microsoft Corporation.................... 23
Prepared statement........................................... 26
Kurtz, George, Co-Founder and CEO, CrowdStrike................... 41
Prepared statement........................................... 44
SUPPLEMENTAL MATERIAL
Responses of Kevin Mandia to Questions for the Record............ 86
Responses of Sudhakar Ramakrishna to Questions for the Record.... 90
Responses of Brad Smith to Questions for the Record.............. 94
Responses of George Kurtz to Questions for the Record............ 107
OPEN HEARING: HACK OF
U.S. NETWORKS BY A FOREIGN ADVERSARY
----------
TUESDAY, FEBRUARY 23, 2021
U.S. Senate,
Select Committee on Intelligence,
Washington, DC.
The Committee met, pursuant to notice, at 2:32 p.m., in
Room SD-106 in the Dirksen Senate Office Building, Hon. Mark R.
Warner (Chairman of the Committee) presiding.
Present: Senators Warner, Rubio, Feinstein, Wyden,
Heinrich, King, Bennet, Casey (via WebEx), Gillibrand, Burr,
Risch, Collins, Blunt, Cotton, Cornyn, and Sasse.
OPENING STATEMENT OF HON. MARK R. WARNER, A U.S. SENATOR FROM
VIRGINIA
Chairman Warner. Good afternoon, everyone. I'd like to call
this hearing to order and apologize to our witnesses and others
with them. With COVID and a vote just been called, we're going
to a little bit be playing this by ear. So I'm going to make my
opening statement, ask the Vice Chairman to make his opening
statement. We'll be monitoring the vote, which just opened a
moment ago. We've got two, so we'll either tag team through
this or take a five-minute recess to get us all a chance to go
vote on both these items.
First, I'd like to take this opportunity to welcome our two
new Members, one of which I think at least is on Zoom, Senator
Casey, and also Senator Gillibrand, to the Committee. I look
forward to working with both of you as Members of the Senate
Intelligence Committee in the bipartisan tradition of this
Committee.
The Intelligence Committee's record of working together in
the interests of America's national security has been due, in
no small part, to the tireless efforts of our former Chairman,
Senator Burr, and our new Vice Chairman, Senator Rubio. So I
want to take this opportunity during my first hearing as
Chairman, to thank you both for your partnership and
friendship. I'm confident that we'll be able to keep working
together in a bipartisan way in the 117th Congress.
I'd also very much like to welcome our witnesses today:
Kevin Mandia, CEO of FireEye; Sudhakar Ramakrishna, President
and CEO of SolarWinds; Brad Smith, President of Microsoft
Corporation; and, I believe remotely, George Kurtz, President
and CEO of CrowdStrike. I would like for the record to note
that we also asked a representative from Amazon Web Services to
join us today but, unfortunately, they declined. But we will be
expecting to get a full update--and we've had one update from
our friends at Amazon--but it would be most helpful if in the
future they actually attended these hearings.
Today's hearing is on the widespread compromise of public
and private computer networks in the United States by a foreign
adversary, colloquially or commonly called ``the SolarWinds
hack.'' While most infections appear to have been caused by a
trojanized update of SolarWinds's Orion software, further
investigations have revealed additional victims who do not use
SolarWinds's tools. It has become clear that there is much more
to learn about this incident, its causes, its scope and scale,
and where we go from here.
This is the second hearing this Committee has held on this
topic. Our first was a closed hearing held on the now-infamous
January 6th to hear from government officials responding to the
SolarWinds incident. It's going to take the combined power of
both the public and private sector to understand and respond to
what happened. Preliminary indications suggest that the scope
and scale of this incident are beyond any that we've confronted
as a Nation and its implications are significant.
Even though what we've seen so far indicates that this was
carried out as an espionage campaign targeting more than 100 or
so companies and government agencies, the reality is the
hackers responsible have gained access to thousands of
companies and the ability to carry out far more destructive
operations if they'd wanted to. And I want to repeat that. This
intrusion had the possibility of being exponentially worse than
what has come to pass so far.
The footholds these hackers gained into private networks,
including some of the world's largest IT vendors, may provide
opportunities for future intrusions for years to come. One of
the reasons the SolarWinds hack has been especially concerning
is that it was not detected by the multibillion-dollar U.S.
Government cybersecurity enterprise or anyone else until the
private security firm, FireEye--and I want to again compliment
our friend, Kevin Mandia, who's appeared before this Committee
a number of times--on their own without a requirement to
report, actually publicly announced that it had detected a
breach of its own network by a nation-state intruder.
A very big question looming in my mind is: Had FireEye not
detected this compromise in December and chosen on their own to
come forward, would we still be in the dark today? As Deputy
National Security Adviser, Anne Neuberger, who has been chosen
by the President to lead the response in this, and to the
SolarWinds hack, said last week, ``The response to this
incident from both the public and private sector is going to
take a long time.''
All of our witnesses today are involved in some aspect of
the private sector response to this incident. I want to hear
from them on the progress so far, the challenges we'll need to
overcome in order to fully expel these hackers, and how we can
prevent supply-chain attacks like this in the future. I'd also
like to hear from them about their experiences working with the
Federal Government, namely, the Unified Coordination Group, in
mitigating this compromise.
The SolarWinds hack was a sophisticated and multifaceted
operation: a software supply chain operation that took
advantage of trusted relationships with software providers in
order to break into literally thousands of entities. Combined
with the use of these sophisticated authentication exploits, it
also leveraged vulnerabilities in major authentication
protocols, basically granting the intruder the keys to the
kingdom, allowing them to deftly move across both on-premises
and cloud-based services, all while avoiding detection.
While many aspects of this compromise are unique, the
SolarWinds hack has also highlighted a number of lingering
issues that we've ignored for too long. This presents us an
opportunity for reflection and action. A lot of people are
offering solutions, including mandatory reporting requirements,
wider use of multi-factor authentication, requiring a software
bill of goods, and significantly improving threat information
sharing between the government and the private sector.
I've got a number of questions, but there are three that
I'd like to pose in my opening.
One, why shouldn't we have mandatory reporting systems,
even if those reporting systems require some liability
protection, so we can better understand and better mitigate
future attacks? As I pointed out, Senator Collins was way ahead
of all of us on this issue, literally years and years ago, when
she and Senator Lieberman first put forward legislation that
required this critical, mandatory reporting on critical
infrastructure.
There's an open question, though, on who should receive
such a report, even if you put that mandatory reporting in place.
Do we need something like the National Transportation Safety
Board, or other public-private entity that can immediately
examine major breaches to see if we have a systemic problem, as
we seem to see in this case? I think there's also some truth to
the idea that if a tier-one adversary, a foreign nation-state,
sends their A team against almost any ordinary company in the
world, chances are they're going to get in. But that cannot be
an excuse for doing nothing to build defenses and making it
harder for them to be successful once inside an enterprise. I'm
very interested in hearing from the witnesses what they think
our policy response should be, and what solutions they think
will actually improve cybersecurity and incident reporting in
the United States.
Beyond the immediate aspects of the SolarWinds hack are
larger issues that this Committee needs to consider. Do we need
to finally come to some agreement on common norms in
cyberspace, hopefully, again, on an international basis, that
potentially are enforceable, and at least says to our
adversaries: If you violate these warm norms, there will be
known consequences? For example, we have these norms in other
conflicts. We have military conflict that exists, but there's
been for some time a norm that you don't knowingly bomb a
hospital or bomb an ambulance that's got a Red Cross shield on
it. Should we, therefore, consider efforts that subvert
patching, which are all about fixing vulnerabilities to be
similarly off limits?
Once again, I want to thank our witnesses for joining us
today, both in person and remotely. I personally talked to
nearly all of our witnesses, in some cases multiple times since
this incident was first reported. I appreciate their
transparency and willingness to be part of this conversation.
After our witnesses conclude their remarks, we'll move to a
round of five-minute questions based upon order of arrival. As a
reminder to my colleagues, this incident is not over. So too
are the criminal investigations by the FBI. So there might be
some questions our witnesses cannot answer. However, I'm
confident we'll get those answers at some point as we move
forward. I now recognize the Vice Chairman for a statement.
OPENING STATEMENT OF HON. MARCO RUBIO, A U.S. SENATOR FROM
FLORIDA
Vice Chairman Rubio. Thank you, Mr. Chairman, and thanks
for convening this hearing. And I'd like to welcome our
witnesses from Microsoft, FireEye, SolarWinds, and CrowdStrike
who are here to help the Committee's examination of what is the
largest cyber-supply chain operation ever detected. So we
really do appreciate you being with us.
As the Chairman mentioned, we had extended an invitation to
Amazon to participate. The operation we'll be discussing today
used their infrastructure, at least in part, to be successful.
Apparently, they were too busy to discuss that here with us
today and I hope they'll reconsider that in the future.
This operation involved, as has already been said, the
modification of the SolarWinds Orion platform, which is a
widely-used software product. It included a malicious backdoor
that was downloaded, from my understanding, to up to 18,000
customers between March and June of last year. But the most
insidious part of this operation was that it hijacked the very
security advice promulgated by computer security professionals
to verify and apply patches as they are issued.
So there are many concerning aspects to this first-of-its-
kind operation, at least at this scale, that has raised
significant questions. My understanding is that if FireEye had
not investigated an anomalous event within their own network in
November of last year, it's possible this would be a continuing
and unfettered operation to this day.
I think everyone's asking, despite the investment that's
been made in cybersecurity collectively between the government
and the private sector, how no one detected this activity
earlier, as it appears that they have been in the system for
close to five to six months before it was detected--maybe even
longer; closer to a year. But the bottom-line question is, how
did we miss this? And what are we still missing? And what do we
need to do to make sure that something like this, using these
sorts of tools, never happens again?
Second, I think there's great interest in knowing exactly
what these actors did. Based on what we know, to include what
government has stated publicly, the actor seems to have
undertaken follow-on operations against a very small subset of
the 18,000 networks to which they potentially had access. So
aside from the mechanical aspects of removing a hacker from a
network, what do we know about why these actors chose the
targets that they did? What actions did they undertake within
those networks? And what do we know that we do not know? I
always love that question. What do we know that we do not know?
In essence, what are the open questions now and in the future
about these sorts of tools and how they can be used? Or what do
we still have open ended that we are not able to answer at this
time? And perhaps most importantly, who has the single
comprehensive view of the totality of activity undertaken?
That's another thing that everyone has struggled with is who
can see the whole field here on this?
And third, what is it going to take to rebuild and have
confidence in our networks? And speaking with several of you in
the days leading up to this, one of the hallmarks of this
operation was the great care that was taken by this adversary
to use bespoke infrastructure and tradecraft for each victim.
Unlike other malware or ransomware cleanup operations, there
is no template here that can be used for remediation. So what's
it going to take to have confidence in both government and in
the private sector networks again?
Fourth, what do we need to do to raise the bar for the
cybersecurity of this Nation? Is cyber deterrence an achievable
goal? How do we need to enhance cybersecurity information
logging and sharing across the spectrum to protect against APTs
in the future?
And finally, though this is a question for the government
rather than the witnesses here today, I think it's important
for this Committee to ask itself, and to inform the Members of
the Senate, what does the United States Government need to do
to respond to this operation?
Government officials initially stated this was an
intelligence gathering operation. Just recently, however, the
White House stated, quote: ``When there is a compromise of this
scope and scale, both across government and across the U.S.
technology sector to lead to follow-on intrusions, it is more
than a single incident of espionage. It is fundamentally of
concern for the ability for this to become disruptive.'' End
quote. While I share this concern that an operation of this
scale, with a disruptive intent, could have caused mass chaos,
those are not the facts that are in front of us. Everything we
have seen thus far indicates that at some level, this was an
intelligence operation and a rather successful one that was
ultimately disrupted.
While there are a myriad of ways for sovereign states to
respond, I caution against the use of certain terms at this
time until the facts lead us to the use of terms such as attack
and so forth. I've always advocated for standing up to our
adversaries. I think that's important. I will continue to
advocate for that. But I want to know today what the actor's
intent seemed to be and to the extent of the damage before we
categorize it. It may very well have reached that level.
This Committee and the rest of the Congress should consider
what policies we need to pursue to better defend our Nation's
critical networks, in order to get a fuller view of the
problem. Perhaps we should consider mandating certain types of
reporting, as the Chairman already mentioned. As it relates to
cyber-attacks, we must improve the information-sharing, of this
there is no doubt, between the Federal Government and the
private sector. And I look forward to being an active and
constructive participant in these debates on these new issues,
as I know every Member on this Committee is.
And with that, I again, want to welcome you and thank you
for the testimony and the insights that you will share with us
and the American people. It is important that the public
understand the current persistent information conflict that the
United States finds itself in against nation-state adversaries
like Russia, but also like China and Iran and North Korea.
Thank you, Mr. Chairman.
Chairman Warner. Thank you, Senator Rubio. I think we're
going to go ahead and we'll just tradeoff. I believe the order
of the speakers is going to be: FireEye, SolarWinds, Microsoft,
and CrowdStrike.
So Kevin, if you want to start us off, that'd be great.
STATEMENT OF KEVIN MANDIA, CEO, FIREEYE, INC.
Mr. Mandia. Thank you, Mr. Chairman, Vice Chairman Rubio,
and the rest of the Members of the Senate Intelligence
Committee. It is a privilege to be here with the opportunity to
speak with you.
And as the first witness, I'm going to discuss what
happened from a first-hand experience as a stage two victim to
this intrusion. I have opinions on who did it. I have opinions
on what to do about it. But in the next four minutes, I don't
have enough time to get through all that. So I look forward to
your questions.
I just want to give you a little background on FireEye.
Responding to breaches is what we do for a living. We have a
whole bunch of Quincy-type people that do forensics 2,000 hours
a year. And people hire us to figure out what happened and what
to do about it when they have a security breach. We responded
to over 1,000 breaches in 2020. It was a tough year for chief
information security officers. And as I sit here right now
testifying to you, we're responding to over 150 computer
security breaches.
In short, this is what we do for a living. And what we're
going to tell you today, we tell you with high confidence and
high fidelity on the intent of the attackers and what they did.
So now I want to present kind of the anatomy of this
attack. You know, we're referring to it as the SolarWinds
campaign. But it's a little bit broader than that. Whoever this
threat actor is--and we all pretty much know who it is--this
has been a multi-decade campaign for them. They just so
happened to, in 2020, create a backdoor SolarWinds implant.
So the first part of this ongoing saga, stage one of this
campaign, was you had to compromise SolarWinds. And the
attackers did something there that was unique in that they
didn't modify the source code there, they modified the build
process, which to me means this is a more portable attack than
just at SolarWinds. When you modify the build process, you're
doing the last step of what happens before code becomes
production for your buyers and customers, which just shows this
is a very sophisticated attacker.
And once they did that stage one compromise of SolarWinds,
we didn't find the implant till December 2020. And it had been
out there, if you look at a timeframe perspective, from March
2020 and there was an update in June 2020, as well. But the
attacker did something interesting when you get the timing.
They did a dry run in October 2019, where they put innocuous
code into the SolarWinds build just to make sure the result of
their intrusion was making it into the SolarWinds platform
production environment.
I want to explain how we found this implant because there's
no magic wand to say where's the next implant? When we were
compromised, we were set up to do that investigation. It's what
we do. We put almost 100 people on this investigation. Almost
all of them had 10,000 hours there, so to speak, 10,000 hours
of doing investigations, and we unearthed every clue we could
possibly find. And we still didn't know. So how did the
attacker break in?
So we had to do extra work. And at some point in time,
after exhausting every investigative lead, the only thing left
was--the earliest evidence of compromise was a SolarWinds
server. And we had to tear it apart. And what I mean by that is
we had to decompile it. Specifically, there were 18,000 files
in the update, 3,500 executable files. We had over a million
lines of assembly code. For those of you that haven't looked at
assembly, you don't want to. It's something that you have to
have specialized expertise to review, understand, piece apart,
and we found the proverbial needle in the haystack--an implant.
But how do we get there? Thousands of hours of humans
investigating everything else. And that's one of the reasons I
share that as you wonder why people missed it. This was not the
first place you'd look; this was the last place you'd look for
an intrusion. Over 17,000 companies were compromised by that
implant.
So stage one was to compromise SolarWinds, get an implant
in, and indiscriminately went to the 17,000 folks that
downloaded it. That means the attackers had a menu of 17,000
different companies.
Stage two of this attack was the companies that these
attackers intended to do additional action on and I want to
talk about what they did during stage two victims. I want to
say, stage one, the attacker hasn't done anything more than
crack open the window into a company. But they haven't gone
into the house to rob anything yet.
Stage two, they go into the house to rob it. When we look
at the stage two threat actor, or stage two victims, this is
where Microsoft's top-down viewpoint from their Cloud, where
there's a lot of activity, comes up with approximately 60
victim organizations. And we read that the government is aware
of about 100 organizations. For us being a stage two, we had
first-hand account of what they do. The attackers came in
through the SolarWinds implant. And the very first thing they
did is went for your keys, your tokens. Basically, they stole
your identity architecture so they could access your networks
the same way your people did.
And that's why this attack was hard to find because these
attackers, from day one, they had a backdoor. Imagine almost a
secret door in your house and the first thing that happens when
it comes to that secret door is all your keys are right there.
They just grab them, and now they can get into any locks you
have in your house the same way your people do. And I think,
during a pandemic, where everybody's working from home, it's
way harder to detect an attack like this, where the only
indicator of compromise was just somebody logging in as one of
your employees. And there's nothing else far-fetched about
that.
Right after they got our valid credentials, our two-factor
authentication mechanisms bypassed, they went to our O365
environment. And whether it was O365, or something else, I've
had enough experience over my 25 years of responding to
breaches to know this group targets specific people, almost
like they have collection requirements. So there they targeted
emails and documents. So stage two was: get credentials so you
could log in; get the keys to the safety deposit boxes; stage
the next step. Step two of that was access email, access
documents with said keys.
And then the third thing was dependent on who you were, and
what you did, and what industry you were in as a victim. But it's
primarily what I put in the other category: steal source code,
steal software. In the case of FireEye, take some of our red
teaming tools that we use to assess people's security programs.
Bottom line: exceptionally hard to detect. And when I got
my first briefing on this and reviewed the facts on day one,
everything about this aligned to a threat actor, who, it is my
opinion, was more concerned about operational security than
mission accomplished. And that the minute you could detect
these folks and stop them breaking through the door, they sort
of evaporated like ghosts until their next operation.
So with that, on behalf of FireEye, I'd like to thank all
of you for the opportunity to set the stage for the other
witnesses. I'm very excited to work with all of you, and to my
fellow witnesses and others in the private sector as well as
the public sector to advance our Nation in defending ourselves
in cyberspace. And I look forward to taking your questions.
[The prepared statement of Mr. Mandia follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Warner. Thank you, Kevin.
Sudhakar?
STATEMENT OF SUDHAKAR RAMAKRISHNA, CEO, SOLARWINDS INC.
Mr. Ramakrishna. Chairman Warner, Vice Chairman Rubio, and
Members of the Committee, on behalf of SolarWinds' employees,
partners, and customers in the U.S. and around the world, I
would first like to say thank you for inviting us to this
hearing.
By way of background, I'm Sudhakar Ramakrishna, and I
joined SolarWinds on January 4th of this year. Prior to
SolarWinds, I was with a company called PulseSecure for over
five years, and previously held executive roles at other
technology companies.
In my roles, I've been involved with cyber incidents and
have seen firsthand the challenges they present, as well as the
opportunities they create for learnings and improvements. While
our products and customers were the subject of this unfortunate
and reckless operation, we take our obligation very seriously,
to work tirelessly to understand it better to help our
customers, and to be transparent with our learnings with our
industry colleagues and the government.
SolarWinds started in 1999 in Oklahoma as a provider of
network tools and to this date, we have remained true to our
mission of helping IT professionals solve their problems and
manage their networks, now through more than 90 products.
Today, we remain a U.S.-headquartered company, with over 3,000
employees working extremely hard to deliver customer success.
When we learned of these attacks, our very first priority,
and that remains true today, was the safety and protection of
our customers. Our teams worked incredibly hard and tirelessly
to provide remediations within about 72 hours of knowing about
these attacks. We also acted very quickly to disclose these
events to the authorities, while providing remediations and
starting our investigations of what do we learn about this, who
may have done it, and what exactly happened in the process of
insertion into our Orion platform?
We believe the Orion platform was specifically targeted in
this nation-state operation to create a backdoor into the IT
environments of select customers, as my colleague Kevin noted,
as well. The threat actor did this by adding malicious code,
which we call ``Sunburst,'' to versions released between March
and June 2020. In other words, a three-month window was when
the code with the malicious Sunburst code was deployed.
I will note that this code has been removed and is no
longer an ongoing threat to the Orion platform. Additionally,
after extensive investigations, we have not found Sunburst in
our more than 70 non-Orion products.
Perhaps the most significant finding to date in our
investigation is what the threat actor used to inject Sunburst
into other Orion platforms. This injected tool, which we call
``Sunspot,'' was stealthily inserted into the automated build
processes of Orion and was designed to work behind the scenes.
Sunspot, which we discovered, poses a grave risk of automated
supply chain attacks through many software development
companies, since the software processes that SolarWinds uses are
common across the industry.
As part of our commitment to transparency, collaboration,
and timely communications, we immediately informed our
government partners and published our findings with the
intention that other software companies in the industry could
potentially use the tool to detect possible current and future
supply chain attacks within their software build processes.
We understand the gravity of the situation and are applying
our learnings of Sunspot and Sunburst and sharing this work
more broadly. Internally, we call these initiatives ``secure by
design.'' And it's premised on zero-trust principles and
developing a best-in-class secure software development model to
ensure our customers can have the utmost confidence in our
solutions.
We have published these details regarding our efforts in
various blog posts. But in summary, they are focused on three
primary areas:
The first is further securing our internal infrastructure.
The second is ensuring and expanding the security of our
build environments.
And third, ensuring the security and integrity of the
products we deliver.
Given our unique experience, we are committed to not only
leading the way with respect to secure software development,
but to share our learnings with the industry. While numerous
experts have commented on the difficulties that these nation-
state operations present to any company, we are embracing our
responsibility to be an active participant in helping
prevent these types of attacks. Everyone at SolarWinds is
committed to doing so. And we value the trust and confidence
our customers place in us.
Thank you again for your leadership in this very important
matter. We appreciate the opportunity to share our experiences
and our learnings. And I look forward to your questions.
[The prepared statement of Mr. Ramakrishna follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Vice Chairman Rubio. Thank you. And for the Members who
haven't yet voted, I guess everybody's voted because
everybody's almost gone here.
So, Mr. Smith, thank you for being here. We appreciate it.
STATEMENT OF BRAD SMITH, PRESIDENT, MICROSOFT CORPORATION
Mr. Smith. Well thank you, Vice Chairman Rubio, and a huge
thank you to Chairman Warner for bringing us all together to
discuss what is obviously such an important issue to the
country, and indeed to the world. And I also just want to say
thank you to Kevin and Sudhakar. It took the leadership, and
I'll say even the courage, of companies like FireEye and
SolarWinds to step forward and share information. And it is
only through this kind of sharing of information that we will
get stronger to address this.
I think Kevin and Sudhakar have done an excellent job of
describing what happened. So I don't want to retrace the steps
that they so ably took. Let me talk about two other things.
First, what does this mean? And second, what should we do?
Well, roughly 90 days or so since we first heard about this
from Kevin's firm, from FireEye, I think we can step back and
start to think about what it means.
First, we're dealing with a very sophisticated adversary.
And Vice Chairman Rubio, I think your words of wisdom, of
caution, about avoiding certain labels are well put. But I do
think we can say this: at this stage, we've seen substantial
evidence that points to the Russian Foreign Intelligence Agency
and we have found no evidence that leads us anywhere else. So
we'll wait for the rest of the formal steps to be taken by the
government and others. But there's not a lot of suspense at
this moment in terms of what we're talking about.
It's very, very clear that this agency is very, very
sophisticated. And as Kevin noted, that has been true for a
long time. That is not new. But I think two other things are
new. The first is the scale of this attack, or hack, or
penetration, or whatever we should call it. At Microsoft, as we
worked with customers that had been impacted by this, we
stepped back and just analyzed all of the engineering steps
that we had seen. And we asked ourselves how many engineers did
we believe had worked on this collective effort? And the answer
we came to was at least 1,000. I should say at least 1,000 very
skilled, capable engineers.
So we haven't seen this kind of sophistication matched with
this kind of scale. But there's one other factor that I do
believe puts this in a different category from what we have
seen. And I think even with a thoughtful consideration, it is
appropriate to conclude even now: this was an act of
recklessness, in my opinion.
Why? Well, in part, I think Chairman Warner put it very
well. The world relies on the patching and updating of
software. We rely on it for everything. We rely on it not only
for the safety and health of our computers, we rely on it for
our physical infrastructure, for hospitals, and roads, and
airports, because they all run on software. To disrupt, to
damage, to tamper with that kind of software updating process
is, in my opinion, to tamper with what is in effect the digital
equivalent of our public health service. It puts the entire
world at greater risk. And it was done I think one must
acknowledge in a very indiscriminate way: to seek to plant
malware and distribute it to 18,000 organizations around the
world is in truth an act without clear analogy or precedent.
We've seen this done in Ukraine, but we haven't seen it
done quite like this. It's a little bit like a burglar who
wants to break into a single apartment but manages to turn off
the alarm system for every home and every building in the
entire city. Everybody's safety is put at risk. And that is
what we're grappling with here.
So what do we do?
I think we have to start by acknowledging and recognizing
we need to do a lot. We all need to do a lot. We need to do a
lot ourselves, and we need to do a lot together. Certainly, as
Sudhakar was mentioning, we need to focus on the integrity, the
protection of software build systems.
The International Data Corporation estimates that there
will be half a billion--500 million software apps--created in
the next three or four years. That's half a billion build
systems. And it's not just software companies; it's banks, it's
hospitals, it's governments. It's everyone that creates
software. There are new steps that we will need to take to
better secure and protect against the kind of attack that we
saw here.
Second, I think we have a lot of work still to do,
certainly across the United States, when it comes to the
modernization of our IT infrastructure and to the application
of IT best practices. At Microsoft, we can only see this attack
among our customers when it got to their use of their cloud
services and all of the attacks that took place, took place on
premise. Meaning a server that was in a server room or a closet
somewhere. And it points to the fact that until we modernize
and move more people to the cloud, we're going to be operating
with less visibility than we should.
Third, we do need to enhance the sharing of threat
intelligence. That's the term in the cybersecurity community
for information about attacks that people are seeing. And our
basic challenge today is that that information too often exists
in silos. It exists in silos in the government, exists in
different companies. It doesn't come together.
Fourth, I think because of that need, it is time not only
to talk about, but to also find a way to take action to impose
in an appropriate manner some kind of notification obligation
on entities in the private sector. And so of course you know,
it's not a typical step when somebody comes and says, ``place a
new law on me, put it on ourselves, put it on our customers,''
but I think it's the only way we're going to protect the
country. And I think it's the only way we're going to protect
the world.
And finally, I do believe it is time--it's maybe even
overdue time--for us to look at the rules of the road, the
norms and laws, that if not every government is prepared to
follow, at least the United States and our likeminded allies
are prepared to step up and defend. And among other things, to
say that this kind of tampering indiscriminately and
disproportionately with a software supply chain needs to be
off-limits. And there needs to be attribution and there needs
to be accountability, as officials in the White House are now
considering.
Finally, I'll close by addressing one question that Vice
Chairman Rubio, I think you posed. Who knows the entirety of
what happened here? One entity knows. It was the attacker. The
attacker knows everything they did. And right now the attacker
is the only one that knows everything they did. We have pieces.
We have pieces at Microsoft, SolarWinds, FireEye, CrowdStrike,
others; we all have slices. People in the U.S. Government.
But we need to bring those slices together. And until we
do, we'll be living and working and defending on an uneven
playing field. That is not a recipe for success. But let's also
acknowledge one other thing: we know more than we did 100 days
ago. We are better informed, we are smarter, and we can turn
that knowledge into a resolve and action. That's what we need
to do. That's what I hope the Congress can do. That's what I
think the country and our allies need to do. If we use what we
have learned, we can better protect our future. Thank you.
[The prepared statement of Mr. Smith follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Vice Chairman Rubio. Thank you. And finally Mr. Kurtz, I
believe, is on virtual?
Mr. Kurtz. Yes.
Vice Chairman Rubio. All right. Excellent.
STATEMENT OF GEORGE KURTZ, CO-FOUNDER AND CEO, CROWDSTRIKE
Mr. Kurtz. Thank you. Good afternoon, Chairman Warner,
Ranking Member Rubio, and Members of the Committee, thank you
for the opportunity to testify today.
During my three-decade career in cybersecurity, I have seen
first-hand the evolution of adversary techniques and have been
at the forefront of developing the solutions to thwart them. By
the time I co-authored the original edition of ``Hacking
Exposed'' in 1999, which later became the No. 1 selling book in
security, it was clear that organizations consistently failed
to adequately defend themselves.
When I co-founded CrowdStrike in 2011, it was based on a
conviction that the then-dominant approaches to security were
no match for adaptive and well-resourced adversaries. We set
out to elevate the industry's focus from stopping malware to
preventing breaches regardless of their source.
My testimony today is based on my prior and current
experiences protecting thousands of organizations across the
globe. I will begin by discussing our high-level findings in
the supply chain compromise and what lessons we might take away
from it.
In mid-December, SolarWinds engaged our professional
services team to perform incident response. Although we had not
worked with SolarWinds prior to this engagement, nor had they
used our software in the past, our teams collaborated
effectively to investigate the breach, enhance their security
posture, and share actionable intelligence with the entire
security community. With their encouragement, we continue to
coordinate and share findings with customers, industry
partners, and Federal agencies as appropriate.
Today, I would like to highlight a few significant
capabilities this particular threat actor exhibited. Notably,
the threat actor took advantage of systemic weaknesses in the
Windows authentication architecture, allowing it to move
laterally within the network as well as between the network and
the Cloud by creating false credentials, impersonating
legitimate users, and bypassing multi-factor authentication.
The threat actor modified code within the development
pipeline immediately prior to the software build, the final
stage before source code becomes software. The threat actor
leveraged unique IP addresses for commanding and controlling
infrastructure for each of its victims, complicating
investigations into the scope of the campaign, but used common
encryption methods and scrubbing techniques to avoid leaving
behind unique indicators.
The threat actor was selective in activating the backdoors
it implanted, purposefully selecting its victims from the wider
universe of those who were vulnerable. With respect to
attribution, CrowdStrike refers to this activity cluster behind
these events using the name ``StellarParticle.'' We are aware
that the U.S. Government has stated this threat actor is likely
of Russian origin. While we currently are unable to corroborate
that finding, we have no information to suggest it is
incorrect.
Regardless of attribution, there are a number of takeaways
from these events. This campaign, in particular, emphasized the
need to improve two important security disciplines: those
involving supply chains and those involving security
development.
StellarParticle is just the latest demonstration of supply
chain attacks as a threat vector. This follows a number of
previous high-impact campaigns where the origins of attack are
at the vendor level. With respect to software development, in
addition to ensuring secure coding practices and adequate code
review, organizations must protect the development platforms
and code repositories at least as well as their enterprise
environment.
Next, I would like to extend our considerations beyond this
particular campaign, and address six essential cybersecurity
concepts and emerging technologies.
The first is threat hunting. We know that the adversaries
periodically breach even very well-defended enterprises.
Properly trained and resourced defenders can find these bad
guys and thwart their goals.
The second concept is speed. Every second counts to stop
threat actors from achieving their objectives.
Third is the power of machine learning prevention. The core
state-of-the-art cybersecurity solution is the ability to
defeat novel threats. Machine learning and artificial
intelligence are essential.
Fourth is the need to enhance identity protection and
authentication. As organizations further embrace Cloud services
and work-from-anywhere models, enterprise boundaries have
continued to erode. This trend increases the risk of relying
upon traditional authentication methods and further weakens
legacy security technologies.
One of the most sophisticated aspects of the
StellarParticle campaign was how skillfully the threat actor took
advantage of architectural limitations in Microsoft's Active
Directory Federation service. The Golden SAML attack allowed
them to jump from customer on-premise environments and into
Cloud and cloud applications, effectively bypassing multi-
factor authentication. This specific attack vector was
documented in 2017 and operates as a Cloud-scale version of
similar identity-based attacks I originally wrote about in
1999.
Moving to the fifth concept, let's touch upon principles of
zero trust. Instead of authenticating to a network or device
once and having ready access to everything that's connected,
users must re-authenticate or otherwise establish permission
for each new device, or resource they wish to access. This
reduces or prevents lateral movement and privilege escalation.
Finally, I will touch upon something known as XDR, which
stands for ``extended detection and response.'' Security teams
demand contextual awareness and visibility from across their
entire environments, including within Cloud and ephemeral
workloads. As this Committee will appreciate, XDR generates
intelligence from what otherwise may be no more than
information overload. Each of these concepts applies equally to
all organizations, regardless of size, and is a must.
The last point is critical. Often, adversaries specifically
target smaller organizations as a means to a greater end. This
is part of the supply chain problem. We are proud that a number
of security companies, including CrowdStrike, are committed to
offering comprehensive, easy-to-use solutions and managed
security services to organizations of all sizes with varied
budgets. We also appreciate the need for improvements to
government cybersecurity.
Some of the most talented people in the field have worked,
or currently work, in government organizations. Unfortunately,
in many instances, our government colleagues are hobbled by
legacy technologies, programs, complex procurement processes,
or compliance obligations that detract from their core security
work.
I realize that I've described a set of enormous challenges
today. But I would like to close on a positive note. With
CrowdStrike's visibility into trillions of security events
across thousands of customers globally, I'm encouraged by the
silent victories the security community experiences every
second of every day. Defenders face an endless, evolving
threat. But I remain optimistic that working together, we can
prevail.
I hope my testimony today has offered some guidance on how
we can accomplish that shared goal. CrowdStrike has its sleeves
rolled up and is ready to continue to work with this Committee
and the greater security community to achieve success. I would
like to thank the Committee for inviting me to testify today
and for its leadership. I look forward to answering your
questions.
Thank you.
[The prepared statement of Mr. Kurtz follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Vice Chairman Rubio. Thank you. Let me just begin, Mr.
Kurtz, by saying you've shown tremendous operational security
behavior there. That backdrop you have in that video, you could
be anywhere in the world.
[Laughter]
There's no way we could tell where you are just looking at
that. I'm going to get that backdrop. That's awesome.
So let me ask you and Mr. Mandia the same question. So let
me just say, you know, everyone is familiar--I think the
general public is familiar--with cyber-attacks and hacks. And
the general guidance everyone is given is, you know, don't put
some simple password like ``1234.'' They're easy to guess.
Because we've seen, you know, they can guess it. There are all
kinds of things out there that are also able to be cracked by
them.
Then there's the infamous--or the well-known--phishing
email. You get an email, you click on it, and they're in your
system. These are all hardware-type, sort of brute-force
intrusions.
For folks at home, who may watch this later or are trying to
understand what the big deal is about all this, this involves the
other thing we're told that we need to do all the time, which
is constantly upgrade your software. Every time you get a
software update, put it in because it's got new security
features. So these guys get into that software update and
you're basically in. It's almost like bringing them into your
system under the guise of protecting you.
And that's what we're dealing with here today. And this has
been a known vulnerability; something that people knew was a
theoretical possibility. My understanding is this is the first
time we've ever seen it at this scale or scope. And you'll
correct me in your answer if I'm wrong.
The question I would have for all of you, but really for
Mr. Mandia and Mr. Kurtz, is this a sophisticated technique?
This is not something that someone could do out of the basement
of their home. Or is this something that we could eventually
see become widespread? What level of sophistication do
you need to embed yourself in the software upgrade that
ultimately winds up in someone's system?
Mr. Mandia. You know, I'll jump on that first. And this was
a planned attack. This is not something done in somebody's
basement. There is somebody that thought about this. My gut is
this attack started somewhere where somebody said, ``If we
wanted to compromise these entities, where's the supply
chain?'' They probably had a list of five to ten companies.
SolarWinds was one of them. And they figured out who can we get
into? How do we do the implant?
When they got into SolarWinds, they didn't just rush right
to the implant. They wanted to make sure they could inject code
first in the build process. That was in October `19. Then four
to five months later, they have an implant. In that four to
five months, they designed an implant that masqueraded to look
like SolarWinds traffic. It was hard to pick up on the network.
It had things in it in the malware, and you know malware--a lot
of times you hear that word, you just shut down. And what's he
going to say next?
Well, this is what this malware did. It slept for the first
11 days after it was installed. So that if somebody did detect
its beacon going out, they wouldn't be able to associate a
beacon from the SolarWinds machine to the update they did
randomly 11 days sooner. Another thing it did is it looked for
nearly 50 different products and shut them down when it ran.
So people are like, why didn't anybody detect this implant?
It's because when it executed, it looked to see if
CrowdStrike's agent was on the endpoint, if FireEye's agent was
on the endpoint, if Windows Defender was on the endpoint, and
it shut it off. You don't make a backdoor as a bad guy as a
regular user. You make one as the root user, a system-level
backdoor.
Senator Rubio, there's no doubt in my mind this was
planned. It was an operation. There were a lot of people
involved. And the question really is: where's the next one? And
when are we going to find it?
Vice Chairman Rubio. Mr. Kurtz, I'm guessing you probably
agree with that assessment. So this is all without little doubt
a nation-state actor. It would take that level of
sophistication, is that right? Do both of you agree with that?
Mr. Mandia. I do.
Mr. Kurtz. Yes.
Vice Chairman Rubio. Who? Who is that nation-state actor?
Have you seen indications in it that tell you this is who we
believe it is?
Mr. Mandia. George, you want to go first on that one?
Mr. Kurtz. Well, when we look at the adversaries across
various nation-state actors, obviously, there's a level of
sophistication and tradecraft. And as I pointed out in my
testimony, the tradecraft and operational security was superb.
One of the things that we typically look for are things like
markings within tool chains. And what we saw, in particular
with the back door and the build process, was something we call
``code washing.'' And that was actually removing these tool
chains to these fingerprints that Kevin indicated that our
company and his company keep on file, right? So we know who the
bad guys are and how they operate.
In this particular case, these tool chains and the
infrastructure are very unique. What that means is they took
particular care to actually conceal their identity. And at the
highest level, we've attributed, as I said in my written and
verbal testimony, to a particular cluster of activity. I know
the government has talked about Russia as being one of the
threat actors. You know, from our perspective, we have nothing
further to add to either confirm or deny that; but what I can
tell you, it is absolutely a sophisticated nation-state actor.
And as Kevin said, this took a lot of work. A lot of
planning went into this. And we think about how difficult
software is to build. Each one of my esteemed panelists are in
the software business. We know how hard it is to build
software, to get software working. And the idea to actually
inject something and have it all work without errors, and
without anyone actually seeing it is, again, superb tradecraft
and something you have to look at and say it's very novel in
its approach.
So I'll turn it back to Kevin and Brad, they probably have
some further thoughts on the attribution piece. But as I
mentioned, a sophisticated actor that we continue to track.
Mr. Mandia. And one thing unique to this case is when you
do the evidence on 1,000 cases a year and something doesn't
fall into a grouping, that's odd. That's peculiar. And then
when you go back 17 years of cases and digital fingerprints,
and it still doesn't fall into it, you start doing process of
elimination. You talk. You know, when we found the IP addresses
used to attack FireEye, we did go to partners like Microsoft,
we went to the U.S. Government--what I call ``ring zero.'' You
go to the intel agencies. Nobody had seen them in use before.
I'll just sum up my comments this way. We went through all
the forensics. It is not very consistent with cyber espionage
from China, North Korea, or Iran. And it is most consistent
with cyber espionage and behaviors we've seen out of Russia.
Chairman Warner. Appreciate those answers. I do think we've
had the previous Administration acknowledge likely Russian.
We've had testimony of the people in front of us. We've had the
current Administration acknowledge this source as well. I think
the sooner we make even more fulsome attribution, the better
because we need to call out our adversary--now we know who did
it--and plan an appropriate response.
And I agree with Senator Rubio: we don't even have our
language down entirely. Sometimes we know we know what
espionage is; we know what a denial of service attack would be
at the other end of the spectrum. Where this fits is, I think,
one ongoing question.
But I think we've oftentimes talked about this as ``the
SolarWinds hack.'' But there are other vectors. In my
understanding, the Wall Street Journal has reported that as
many as 30 percent of the victims were not accessed through
SolarWinds but by other means--and maybe this is best for
FireEye and CrowdStrike. And obviously, Microsoft would have a
view as well.
Why aren't we getting more details about the other vectors
that the adversary has entered? The other platforms that may
have been utilized? Again, I think this is reflective of the
point that since we are totally waiting on willing
participants, we could still be uninformed because other major
enterprises could be victims as well but had not chosen to come
forward. So how can we get a better handle on the non-
SolarWinds component of this attack?
Mr. Mandia. I can tell you this is--we're doing Stage Two
investigations right now for our customers. And the number one
other way we're seeing these attackers break in is what's
called ``password spraying.'' They're just popping passphrases
that they got from some breach over here and they're
recognized. If you think about it, all of us probably have
Amazon accounts; we have Microsoft accounts; we have Google--
whatever we're using. We have an email account and a passphrase
that we may use to access a whole bunch of applications. Some
of those third-party breaches make our user ID and passphrase
aware to the threat actor and then they try it on your
corporate networks.
So these aren't when I say password spraying, I almost feel
like, sir, they know some of these passphrases by the time they
show up and knock on your door. So you know, we have 3,300
employees at FireEye, I have to believe that some of them use
their FireEye.com email to access dozens, if not more, of the
apps on the internet. If any of those vendors get compromised
and their passphrase is compromised and they use the same
passphrase for Amazon.com as FireEye.com, we may have a
problem. So that's another attack that they use.
And here's the reality: this group has zero-day capability,
most likely. They're going to--how they get an initial foothold
into the network will continue to change. But the way you know it's
them is when they come back in, they target the same things,
the same people, the same emails, similar documents, like they
have collection requirements.
Chairman Warner. To my question, Brad and George, if you
want to add to this. Again, we've talked about this as a
SolarWinds hack, but there are other vectors that they entered.
And, but for the fact that you came forward, both SolarWinds
and Microsoft came forward, there may be other very large
enterprises that have not been as forward leaning that may mean
this vulnerability still exists.
Mr. Smith. Yes. I would say, Mr. Chairman, a couple of
things. First, absolutely. There are more attack vectors and we
may never know exactly what the right number is.
I think the first question you're in effect asking is well,
why? And I would analogize to this: you know, this is like
finding someone in the building and now you have to figure out
how they got in. And you know, in our case at Microsoft, we
identified 60 customers where we figured out that they had
obtained, once they got in, typically, the password to
somebody, an IT administrator who could get them into, say,
something like Office 365. But in each instance, they got in on
premise, so it wasn't in our server or our service. And so we
need to work with somebody else to get to the bottom.
Chairman Warner. But doesn't that mean, though, that this
is not demonstrating a unique vulnerability that's in Microsoft
enterprise?
Mr. Smith. Oh absolutely.
Chairman Warner.--or Microsoft Cloud? But there may be
other brand-name players that may have been penetrated that
have not been as forthcoming who are leaving policymakers and
potentially customers in the dark. Is that true or not true?
Mr. Smith. It is absolutely true. I think it means two
things. One is yes, there's a variety of services. And there
are a lot of ways in. I also would just pick up on one of the
things that Kevin said, because he used a phrase that is
familiar to all of us in the cybersecurity community but
probably not to, say, somebody who is watching this hearing
from home--this notion of a ``password spray.''
Yes, I think in recent years, we've all sort of learned
that people may try to figure out our own individual password.
A password spray is when you use a single password, and you
apply it to a lot of accounts. For example, if I were to go
back to where I grew up near Green Bay, Wisconsin and have
1,000 email addresses from people in Green Bay, and I just
applied the password ``gopackgo,'' I'll bet dollars to
doughnuts, there's a Green Bay Packers fan who's using that
password. In fact, I'll bet there's more than one. And if I
find ten of those, 1,000, then I'm in and I can go from there.
So it just points to a variety of tactics. From the most
sophisticated really, when you're talking about disrupting a
supply chain, to the very broad that point to just a lot of
factors. We all need to keep learning about how to secure our
own email and other accounts.
Chairman Warner. Well, I'm going to move to Senator Cornyn.
But it does beg the question that Senator Rubio and I both
asked about when a large enterprise like Amazon is invited they
ought to be participating. There are other brand name known IT
and software and cloud services that may have been vulnerable
to this kind of incident as well, and their public and active
participation, we're going to make sure that takes place.
Senator Cornyn.
Senator Cornyn. Thank you, Mr. Chairman. And thanks to each
of you for testifying here today. I share the concern that has
been expressed that Amazon Web Services declined to
participate. I think that's a big mistake. It denies us a more
complete picture that we might otherwise have. And I hope they
will reconsider and cooperate with the Committee going forward.
Mr. Ramakrishna, thank you for talking with me yesterday.
And since you're headquartered in Austin, Texas, I took
particular note of that fact and appreciate that conversation.
I think one of the things we discussed is something that
Chairman Warner brought up and that is, even though SolarWinds
is the focus of what we're discussing here today, this is not
unique to SolarWinds. Correct?
Mr. Ramakrishna. Senator Cornyn, thank you for that
question. You're absolutely right. I'll elaborate on the
question that Senator Warner asked and tie the two comments
together here.
Supply-chain attacks are happening as we speak today,
independent of SolarWinds events. There was a report just two days
ago about a French company being hacked and it was dubbed as a
supply-chain attack.
As we discovered what we call Sunspot--the code, the
injected tool--and as we evaluated it, it is blindingly obvious
that that can be applied to any software development process,
which is the reason why we believe that dubbing it simply as a
SolarWinds hack is doing injustice to the broader software
community and giving us a false sense of security, possibly,
which is the reason why that--even though we are taking
corrective steps and learning from this experience--we consider
it our obligation to be a very active participant in this
endeavor to make us all more safe and secure by promptly
outlining our findings and communicating them with both our
government authorities as well as the industry.
Senator Cornyn. Our time is limited today and I hope at
some point we can talk about the attribution and the putting
the Russian intelligence services or whoever is responsible
here at risk because right now it seems to me that we are doing
a very bad job, generally speaking, of punishing the people who
are perpetrating these attacks.
But let me just ask you, at different times, I know there's
been legislation offered. Senator Collins and I discussed some
that she had introduced previously with Joe Lieberman, our
friend the former senator. It seems to me that there should be
an obligation of some sort, on the part of a victim of a cyber-
attack like this, to share what they know, what they've
learned, with the appropriate authorities. And I can only
imagine the chills that run up and down some people's backs
when I say that. I think about liability concerns, other
reputational risks, and the like.
But if we're going to get our arms around this at all, it
seems to me we need to know a lot more than we know under the
current practices in terms of the obligation of the victims to
step forward. Before I asked you about that and what that would
look like, perhaps with some sort of liability protection
associated with it. I will tell you that I'm a Member of the
Judiciary Committee, as Senator Feinstein is. And we actually
have designated seats on the Intelligence Committee from
certain authorizing committees like the Judiciary Committee.
And Mr. Smith, from your experience testifying there,
usually when we're talking about data breaches, people want to
talk about the company that allowed the data breach, how could
we sue them? And which is an entirely different perspective
than I think we need to have--a more complete approach to this
and one that does not treat the victim as the offender, but one
that works more cooperatively.
So what about some sort of mandatory disclosure obligation
that maybe would be coupled with some sort of liability
protection? I know in the intelligence field in the past, phone
companies that have cooperated with certain collection have
gotten liability protection as part of that.
Mr. Smith, do you have a view on that?
Mr. Smith. Yes, I do. I think the time has come to go in
that direction. I think Senator Collins was either ahead of her
time or the rest of us were behind our time. But either way, I
think we can find a way to move forward this year.
I could perhaps use the word notification rather than
disclosure. We should notify someone. We should notify. I think
a part of the U.S. Government that would be responsible for
aggregating threat intelligence and making sure that it is put
to good use to protect the country, and for that matter people
outside the country. I think we need to decide upon whom it
should be that that duty should fall on. It should certainly
fall on those of us in the tech sector who are in the business
of providing enterprise and other services.
I think it's not a bad idea to consider some kind of
liability protection. It will make people more comfortable with
doing this. This is about moving information fast to the right
place so it can be put to good use.
Senator Cornyn. Mr. Chairman, can I ask the other witnesses
if they have a different view or additional views on that
topic?
Mr. Mandia. No, I agree with it. And coming down to another
level of specificity to me, notification needs to be
confidential or you don't give organizations the capability to
prepare for those liabilities. And so we like the idea of you
can notify with threat intelligence that's actionable, you get
speed from that if it's confidential because you can have
threat data today and your arms around the incident three
months from now. And it's just too big of a gap to have a
disclosure law, and we're getting the intel three months to
five months too late.
So I like the idea of confidential threat intelligence
sharing to whatever agency has the means to push that out to
places, then disclosures that were a legal requirement to
inform those who are impacted. And you don't know that day one.
In FireEye's case, we were sharing intel really fast. And we
did not know what we had lost in our breach yet, but we knew
there was something different about it. So I just think that's
an extra detail. Get the intel out there quickly if it's
confidential.
Senator Cornyn. Mr. Chairman, my time is expired so I'll
yield back.
Chairman Warner. I think this is a subject that we're going
to come back around to and there are models out there. I don't
think our traditional reporting mechanisms necessarily work. So
the National Transportation Safety Board or others. Senator
Wyden's up next.
Senator Wyden. Thank you, Mr. Chairman.
The impression that the American people might get from this
hearing is that the hackers are such formidable adversaries
that there was nothing that the American government or our
biggest tech companies could have done to protect themselves.
My view is that message leads to privacy-violating laws and
billions of more taxpayer funds for cybersecurity.
Now, it might be embarrassing, but the first order of
business has to be identifying where well-known cybersecurity
measures could have mitigated the damage caused by the breach.
For example, there are concrete ways for the government to
improve its ability to identify hackers without resorting to
warrantless monitoring of the domestic internet.
So my first question is about properly configured
firewalls. Now the initial malware in SolarWinds' Orion
software was basically harmless. It was only after that malware
called home that the hackers took control and this is
consistent with what the Internal Revenue Service told me,
which is while the IRS installed Orion, their server was not
connected to the internet. And so the malware couldn't
communicate with the hackers. So this raises the question of
why other agencies didn't take steps to stop the malware from
calling home.
So my question will be for Mr. Ramakrishna, and I indicated
to your folks I was going to ask this. You stated that the
backdoor only worked if Orion had access to the Internet, which
was not required for Orion to operate. In your view, shouldn't
government agencies using Orion have installed it on servers
that were either completely disconnected from the internet or
were behind firewalls that blocked access to the outside world?
Mr. Ramakrishna. Thanks for the question, Senator Wyden. It
is true that the Orion platform software does not need
connectivity to the internet for it to perform its regular
duties, which could be network monitoring, system monitoring,
application monitoring on-premises of our customers.
Senator Wyden. It just seems to me--what I'm asking about
is network security 101 and any responsible organization
wouldn't allow software with this level of access to internal
systems to connect to the outside world, then you basically
said almost the same thing.
My question then, for all of you: is the idea that
organizations should use firewalls to control what parts of
their networks are connected to the outside world is not
exactly brand new. NSA recommends that organizations only allow
traffic that is required for operational tasks, all other
traffic ought to be denied. And NIST, the standards and
technology group, recommends that firewall policy should be
based on blocking all inbound and outbound traffic, with
exceptions made for desired traffic. So I would like to go down
the row and ask each one of you for a yes or no answer. Whether
you agree that the firewall advice would really offer a measure
of protection, from the NSA and NIST? Just yes or no. And if I
don't have my glasses on, maybe I can't see all the name tags,
but let's just go down the row.
Mr. Mandia. And I'm going to give you the ``it depends.''
The bottom line is this. We do over 600 red teams a year; a
firewall has never stopped one of them. You know, a firewall is
like having a gate guard outside of New York City apartment
building and they can recognize if you live there or not and
some attackers are perfectly disguised as someone who lives in
the building and walks right by the gate guard. In theory, it's
a sound thing. But it's academic in practice. It is
operationally cumbersome.
Senator Wyden. I don't want to use up all my time.
Mr. Mandia. Nope.
Senator Wyden. We'll say that your response to NSA and the
National Institute of Standards, ``it depends.'' Let's just go
down the row.
Mr. Ramakrishna. So my answer, Senator, is yes to standards
such as NIST 800-53 and others that define specific guidelines
and rules.
Senator Wyden. Very good.
Mr. Smith. I'm squarely in the ``it depends'' camp.
Senator Wyden. Okay.
Mr. Smith. For the same reasons that Kevin is.
Senator Wyden. Okay, I think we have one other person,
don't we?
Mr. Kurtz. Yes. And I would say firewalls help but are
insufficient. And, as Kevin said, and I would agree with him,
there isn't a breach that we've investigated that the company
didn't have a firewall or even legacy antivirus. So when you
look at the capabilities of a firewall, they're needed. But
certainly they're not the be-all and end-all. And generally,
they're a speed bump on the information superhighway for the
bad guys.
Senator Wyden. I'm going to close and my colleagues are all
waiting. The bottom line for me is that multiple agencies were
still breached under your watch by hackers exploiting
techniques that experts had warned about for years. So in the
days ahead, it's going to be critical that you give this
Committee assurances that spending billions of dollars more
after there weren't steps to prevent a disaster attack,
disastrous attacks, that experts had been warning about was a
good investment. So that discussion is something we'll have to
continue.
Thank you, Mr. Chairman.
Chairman Warner. Is Senator Cotton on the web?
Senator Cotton. Yes, I am here. So thank you, Mr. Chairman.
Gentlemen, thank you for your appearance today.
I want to start, Mr. Smith, with you. Microsoft has said
some of its source code was stolen. Does that present future
security risks? And if so, what are you doing to mitigate it at
Microsoft?
Mr. Smith. Well, the short story is, our security system
does not depend on the secrecy of our source code. I mean, we
live in a world where probably there's more source code by tech
companies published in open-source form than there is that's
not published. And at Microsoft, our source code is accessible
to every Microsoft employee. It's not considered to be a
particular secret, and our entire threat and security model is
based on the premise that there will be times when people will
have access to source code.
Do we like the fact that this actor saw it? Absolutely not.
But we do not believe that it undermines or threatens our
ability to keep our customers or ourselves secure. We will, by
the way, as we always do, to answer the rest of your question,
Senator, we'll ask ourselves, what do we change? It's not
apparent to me that I need to have access to our source code.
It's not apparent to me that our Senate lobbyists need to have
access to our source code. So we may have fewer people that
have access to source code in the future, but it's really not
at all the heart or center of what we're focused on here.
Senator Cotton. Okay. Mr. Ramakrishna, approximately 30
percent of the victims of the attack were not using SolarWinds
software. What do you think that tells us about the nature of
the attack and what victims were targeted and how they were
targeted?
Mr. Ramakrishna. Senator Cotton, thanks for the question.
This is referring to the Wall Street Journal report, I believe.
Thirty percent is an approximation. As best as we know, there
are many different types of attacks and different types of
threat vectors. We are not a security company per se. So we
wouldn't have detailed information about those types of threat
vectors. But what I can share is the discoveries that we have
made with Sunspot can apply to any supply chain out there, and
it's quite possible that there are active supply chain attacks
ongoing right now, some of which we may know about, some of
which are yet to be discovered.
Senator Cotton. Mr. Mandia or Mr. Kurtz, would you like to
respond as well?
Mr. Mandia. George, go ahead.
Mr. Kurtz. Well you know, again, when you look at the
supply chain of attacks here, it is very difficult obviously to
identify these things. And when we look at the adversary's
capabilities, and we look at what was actually done, as we
talked about earlier, it's not an easy problem to solve. And
you know, from my perspective, it's one that we have to come
together, we have to continue to share intelligence and
information. And we have to realize that there are many other
techniques and actors that are out there. And when you look at
the overall landscape you know, 30 percent weren't from
SolarWinds. This isn't a surprise.
Over the last year, we stopped 75,000 breaches that are in
process, and probably a quarter of them were nation-states. So
this happens every day from every nation-state actor, every e-
crime actor, and their variety of tools and different
techniques and tasking orders that are out there. So it's an
ongoing effort and I wish there was a silver bullet. There
isn't. But I think a big part of this is exposing the
techniques and just how prevalent these attacks are to the
American people. So that we can do something about it. And we
can come together as a group, both in the technology field as
well as in government.
Mr. Mandia. And Senator Cotton, this is Kevin Mandia
speaking. To me, the attacker did the SolarWinds implant.
They've already moved on to whatever's next. We've got to go
find it. This attacker, you know, maybe their pencil's down for
a few months. But the reality is, they're going to come back.
They're going to be an ever-present offense that we have to
play defense against, and how they break in will always evolve.
And all we can do is close the window and close the security
gap better next time.
Senator Cotton. Okay, then one final question. I think I'll
direct this toward Mr. Mandia and Mr. Kurtz again.
To what extent do we think this was designed toward what we
might call ``collection'' in the intelligence world; simply
trying to collect information to learn more about America's
intentions, plans, capabilities, or what you might call a
``covert action'' in the intelligence world, say, sabotage of
public utilities or military applications or so far, so forth?
Or could it be both?
Mr. Mandia. Yes, George, I'll jump first. Just because we
got to see what they did first-hand when they broke in us. The
reality is this. They were very focused. They had specific
individuals that they targeted, they had keyword searches that
they did when they broke in. So this was not a group that
operated like a tank through a cornfield. They had a plan, they
had collection requirements, and to some extent, I would say
they were disciplined and focused on those collection
requirements. Not efficient with tradition to just grab
whatever they could grab.
Mr. Kurtz. And just to add what Kevin says, I think it's
important to realize that as technology companies, we all
leverage big data. The adversary does as well. And while
they're collecting this information, they're also storing it,
they're indexing it, and they have the ability to go back to
it. So if a new order comes in--a new, specific order to target
a company, target a government organization--they can look for
that access, they can look at what's already been collected,
they could leverage that.
The second piece of this is in the early days it was
network exploration. Then it turned into data exfiltration. And
then it turned into data destruction and an impact, right? So
certainly, when you have this level of access, you can collect
data. If you start impacting systems, it's a pretty good way to
get caught.
So could it be turned into that? Absolutely. But in
general, what we've seen is collection, and that simply goes
into the big machine, the big apparatus to be used again for
further missions.
Chairman Warner. Senator Bennet.
Senator Bennet. Thank you. Thank you all for being here
today. Thank you, Mr. Chairman, for holding this hearing.
I wanted to get some clarification along the same lines as
Senator Cotton, actually. Mr. Mandia, maybe I'll start with you
just for people at home who don't understand how, you know,
what they've read is this is a SolarWinds----
Mr. Mandia. Right.
Senator Bennet [continuing]. investigation. That's what
they imagine what we're dealing with here. That's clearly not
the case, based on what we saw in the Wall Street Journal
report with only 30 percent of the folks who somehow got pulled
into this who had no SolarWinds----
Mr. Mandia. Right.
Senator Bennet [continuing]. connection. Help us understand
what that means in terms of the ongoing nature of this. You
know, when you say they put their pencils down, have they
really put their pencils down? Or are they out there working
their pencils and we just can't see it because we don't know?
You started out at the beginning saying maybe they went
through a list of, like, five to ten vendors and said these are
the likely ways in and we'll pick this one. But clearly they
picked other ways in as well. So I'm just trying to get a sense
of the full scope of how.
Mr. Mandia. Yes. And you know when I said pencils down, I
mean they were so successful on this breach they probably got a
few days off because they collected so much information.
Senator Bennet. Right. So they're waving the flag.
Mr. Mandia. Basically, right now, there's such vigilance in
the security community they're not going to spoiler their
latest technique right now. We're all looking for it. So
they're pencils down for the next great implant.
Senator Bennet. Right.
Mr. Mandia. I would be if I were them. Every intrusion
starts with initial access. How an attacker gets that varies.
When we say the ``SolarWinds implant,'' that was the initial
access for a campaign this group did from March of last year
until about December of last year when we started detecting it.
But this group's been around for a decade or more.
Different people go in and out of that group probably. We're
probably responding to the kids of the people I responded to in
the 90's when this group was active. So the bottom line, how
they gain a foothold in a victim network, SolarWinds was a way.
They will always have other ways.
This is a group that hacks for a living. And then when they
break in, what they do after they break in really doesn't
change that much. They target specific people, primarily folks,
at least in our case, that did work with the government. They
target government projects. They target things that are
responsive to key words. We respond to a lot of threat groups
that when they break in, you can tell they broke in to make
money or they broke in and there's a manual review where
somebody's literally going through every file alphabetically on
a desktop.
These folks have economy of movement. If they broke into
your machine, Sir, they string search it, they find responsive
documents, they get out of Dodge. They have an economy that
shows they're professional. And that doesn't change. So if they
broke in yesterday via SolarWinds and we patched that and fixed
it like we have, tomorrow they're going to have something else.
And they're going to try to come back through whatever doorway
they can find.
Senator Bennet. And tomorrow they might be looking for
something else, too.
Mr. Mandia. The good news is usually they aren't. But
you're exactly right. The collection requirements could change.
We've identified this group because they'd break into a
company. And then we'd get them out. And if they got back in,
they're after the same sort of things and that's one of the
indicators; it's still them. So their tools and tactics can
change but a lot of what they target does not.
Senator Bennet. And I'm happy for anybody to jump in if
you'd like to. But with the rest of my time--there was some
discussion earlier--sorry, we were in and out going to votes
and things--about reasons they might not want to actually
destroy data or destroy systems because they might get detected
if they do that. Whereas if they stay in there and they don't
mess around with stuff--. But if they wanted to really do
mayhem in our systems, what would that look like? What does our
worst nightmare look like?
Mr. Smith?
Mr. Smith. Well I'd offer a few quick thoughts. First
building on your answering your prior question and then
answering this one. I would just add that in addition to
targets in the United States we have identified targets in
Mexico, Canada, the U.K., Belgium, Spain, Israel, and the UAE.
So it was broader and international in scope.
Second, 82 percent of the 60 target victims that we
identified were outside government. So I think there's an
aspect to your question well: who else were they targeting and
why? And I would say that there are at least two other reasons
that we would surmise, two motives if you will. Sometimes if
you're going after a government agency that has very good
security practices in place, you might look for a third party
that might have an individual who was given password and
network access to, say, the government's network.
And you might hope that that third party organization--
maybe it was a computer service provider, maybe it was an
accounting or consulting firm, maybe it was a think tank that
was working on a contract--you would hope that maybe they had
lesser security in place and that's why you would start there.
It's a vehicle to get somewhere else.
And then I do think at times they target tech companies in
part to understand how technology works. But frankly it's
perhaps in the category of counter-intelligence. Every day we
are looking--you heard the reference to threat hunting--we are
looking for evidence of this organization engaged in attacks. I
think they want to know what we know about them and what their
methods are.
But then I do think your other question is so important,
because at the end of the day, what do you do once you're
inside? Do you just collect information? Or do you wreak havoc?
Well, this agency typically collects information. But we know
exactly what havoc looks like. All you have to do is look at a
day in June in 2017 when another part of the Russian government
used exactly the same technique. A supply-chain disruption with
a Ukrainian accounting software program. That, too, was an
update. It turned off, damaged, 10 percent of that country's
computers. ATMs stopped working. Grocery stores stopped the
capacity to take credit cards. Television news stations went
off the air. That is what havoc looks like and that is what we
need to be prepared to defend against as well.
Chairman Warner. We're going to move to Senator Heinrich.
What Mr. Smith just referenced was what we refer to as
NotPetya----
Mr. Smith. NotPetya.
Chairman Warner [continuing]. but was that the potential
existed at--even this attack.
Senator Heinrich.
Senator Heinrich. Thank you, Chairman.
So if I have this right, a nation-state actor that is in
all likelihood the Russians, used U.S. software and then
command and control servers in U.S. data centers to conduct
this attack. And I think the fact that this attack was launched
from within the U.S. is potentially a really important part of
this story. Advanced persistent threat actors know that the NSA
is prohibited from surveilling domestic computer networks. So
it makes sense for them to circumvent U.S. surveillance
whenever possible.
For any of you: do you believe that the adversary launched
the attack from U.S. servers in a deliberate effort to avoid
surveillance?
Mr. Smith. I think it was sort of an I.Q. test. We can't
know exactly what they thought but it looks like they passed
the I.Q. test. They figured out that it would be more effective
and less likely to be detected if it was launched from a U.S.
data center.
Senator Heinrich. Anyone else want to add to that or in
agreement?
Mr. Ramakrishna. No, I think I would agree.
Mr. Mandia. I agree with those statements.
Mr. Kurtz. Yeah.
Senator Heinrich. For Mr. Smith, while the focus continues
to be on how the private sector shares information with the
government, we also want to ensure that the government is doing
enough to share information with the private sector. Mr. Smith,
you expressed concerns in a blog following the SolarWinds
attack about the Federal Government's insistence on restricting
through its contracts our ability to let even one part of the
Federal Government know that the other part has been attacked.
Can you elaborate a little bit about this comment? And in
what ways could the Cybersecurity Information Sharing Act of
2015 be improved to ensure that that is possible?
Mr. Smith. Yeah, it was, I have to admit, one of the things
I found surprising and a bit frustrating for us. Because the
first thing we do when we identify a customer who's been
attacked is we let them know. We notify each and every
customer. It was immediately apparent to us that it was
important not just to let an individual department or agency of
the U.S. Government know but to make sure that there was some
central part of the government that would have this information
about the government as a whole.
And what we found was that our contracts prohibited us from
telling any other part of the U.S. Government. So we would
basically go to each agency and say can you please tell so and
so in this other place? And the good news is, people did. They
acted quickly. But it does not strike me as the type of
practice that makes a lot of sense for the future. So there is
an opportunity for reform.
Senator Heinrich. Probably not the most efficient way to
make sure information travels quickly.
Mr. Smith. It doesn't seem like it's consistent with the
year 2021 and technology.
Senator Heinrich. Mr. Mandia. In your statement for the
record you said that victims of crime are the first to know
when they've been violated. But in a case like this, only a few
government agencies and a handful of security or other private
companies are in a position to be the first to know. I agree
that doesn't seem right. You suggested that a small group of
cyber first responders could prevent or mitigate the impact of
cyber incidents through sharing information quickly and
confidentially. That's a very intriguing idea.
Can you describe how you think that would work?
Mr. Mandia. You bet. There's got to be a way for folks who
are responding to breaches to share data quickly to protect the
Nation, protect industries. And that would require (A) defining
what is a first responder. And I think it's pretty simple. If
you're trying to figure out what happened to unauthorized or
unlawful access to a network, you're a first responder.
And if you do that for other companies beside yourself,
you're a first responder. And first responders should have an
obligation to share threat intelligence to some government
agencies so that, without worrying about liabilities and
disclosures, we're getting intel into people's hands to figure
out what to do about it. Right now the unfortunate reality is,
a lot of times when you share threat intel, it's just a public
disclosure.
And it makes people wary to do so and we slow down the
process. So that's what I mean by that. I could articulate
more. But first responders know who they are. And I think it's
easy to define. We have many laws that define certain
categories like Internet provider. We need to know. If you're a
first responder, you're obligated to get threat intel into the
bucket so we can protect the Nation.
Senator Heinrich. No, I think that's very helpful. When you
detected this activity were you obligated to tell the U.S.
Government? Why or why not? And was that obligation legal or
moral?
Mr. Mandia. We notified the government customers we had
before we went public with the breach. And we found out later
based on contractual reviews who we had to notify or not. But
the reality is the minute we had a breach, I was talking to
what I call ring zero. The intelligence community, law
enforcement--you don't want to get email when you don't know if
your email's secure. So the reality is, I would say on the
record, I think we told every government customer we had that
we had a problem, period, before we even went public.
Senator Heinrich. Thank you.
Chairman Warner. Senator Heinrich, both the points that
this was launched from domestic servers and the lack of
information sharing were really important points. And now one
of our new Members joining us remotely, Senator Casey. Your
first intelligence questions.
Senator Casey. Mr. Chairman, thanks very much. And thanks
for the welcome to the Committee. And I appreciate the
testimony of our witnesses.
I wanted to start with the role of the Federal Government
here. And maybe we'll just go down the panel starting with Mr.
Mandia to give us an assessment of the Federal Government's
response to date. And then I'll move to a second question
regarding what we do going forward.
So Mr. Mandia, why don't we start with you?
Mr. Mandia. Without a doubt, the number one thing the
Federal Government can do that the private sector cannot do is
impose risk and repercussions to the adversaries. Period. So
we've got to have some kind of public doctrine to Mr. Smith's
idea of rules of the road. We've got to communicate where
there's a red line. I know we think it's a tough thing to
define, and we admire the problem, but we've got to come up
with what's tolerable, not tolerable, communicate it so we
don't see a gradual escalation. But to impose risk and
repercussions is the purview of the government.
And the second biggest thing is the attribution. The
government's in the best place to get attribution the most
right. So those two things without--, and by the way, there is
no risk of repercussions if you don't know who did it. So those
are the two things that I'd firmly place into--the government
is best suited to do that. And I'll leave it to some of the
other witnesses on the government's role and how to safeguard
the private sector and work with the private sector, because I
know we have a lot of great ideas.
Mr. Ramakrishna. Senator, I'll keep it quick. And the
suggestion I would make is to leverage some of the
recommendations in the Solarium Commission report and have a
single entity in the government, that public sector entity
where all private sector entities can go and communicate with
and communicate to and have the responsibility of that agency
to then disseminate it to every relevant party.
To date, we feel like we have to communicate with multiple
agencies and sometimes that doesn't help us from a speed and
agility perspective.
Mr. Smith. Let me if I could point to two successes that I
think are worth building on. First, I think it's really notable
that the NSA in December published a circular that described in
technical detail the nature of the attack, how people could
identify whether they were victimized by it, and how they could
protect themselves from it.
And I think that it was extremely well done from a
technical and cyber-security perspective and it was published
to the world. And I think that the NSA and the U.S. Government
did the world a great service. And that's the kind of thing
that we should aspire to have our government do in the future.
Second, last week I thought Anne Neuberger at the White
House in a press conference took a similarly critical step. She
shared to all of us information that frankly none of us had;
namely, that the government had identified roughly 100 private
companies and nine Federal agencies that had been impacted by
this incident. And that tells me that there is now at work real
efforts to consolidate this information across the different
parts of the government. So that's encouraging.
She's also indicated that her work is far from done.
They're focused on next steps that need to be taken in a
variety of ways. But I do think this is a very important
moment. The government can speak authoritatively about the
nature of attacks and how to protect ourselves, and the
government can speak authoritatively about the scope that has
happened.
Mr. Kurtz. I would also just like to jump on this. I would
also say that CISA's done a lot of work here--a lot of great
work. Has put out some, I think, interesting information,
indicators, some scripts that helped the public. And while
we're talking about the government and we're talking about
corporations, there's a whole host of smaller entities that are
out there that have no real way to protect themselves. So I
think, to Kevin's point, as a first responder--which we are,
which he is and others--it's important that we have a single
source that we can go to.
We're doing incident response not only for big companies
and governments but for many small companies. We need to be
able to share this information as quickly as we can without
impacting the customer themselves.
Senator Casey. Mr. Kurtz, I'll end with you, just with one
follow-up. When you go through what I think were six proposals
or recommendations, what do you think is the most urgent, at
least as it relates to the Federal Government?
Mr. Kurtz. Well I think there's probably a couple things.
But certainly threat hunting is one of the biggest areas. And
as we've talked about before, it's a sophisticated actor. With
enough time and effort, they're going to go get into somewhere.
And we always make the distinction between an incident and a
breach.
There isn't a major company or a government on this planet
that hasn't had an incident, and they will continue to have
incidents. But you want to be able to identify those very
quickly so they don't turn into breaches. And these are like
sentries that are looking for the bad guys. They're looking for
these indicators, they're looking for these back doors. And
it's a tall task. I pointed out things like machine learning
and artificial intelligence.
All of my fellow witnesses are working on these sort of
techniques as well as us. And that's a big part of a go-forward
strategy. Figure out what's there, use the technology to our
advantage.
Senator Casey. Thanks, Mr. Chairman.
Chairman Warner. Thank you, Bob.
Senator Burr.
Senator Burr. Thanks very much.
Let me thank all of our panelists today for your
willingness to be here and, more importantly, for your
knowledge in this.
I've got to reflect for just a minute and I'm going to do
it even though Senator Wyden left, because I strongly disagree
with what he implied. He implied that because NSA and this--
said that proper hygiene is a firewall that should be something
that should be mandated and everybody should use it and that
would solve our problem.
And the three of you that deal specifically in searching
out intrusions said no, no, no. No. It's helpful, but it
doesn't solve it. And to suggest that in the day of COVID that
you've got a choice between washing your hands, hand sanitizer,
and masks, but if you choose just to wash your hand and not do
the other two, you're never going to get COVID. It's ludicrous.
And I want the record to show that what the response from those
who track these was listen, this is sophisticated. They're way
past this.
So yeah, that's a good thing for companies to adhere to.
But don't think that that's going to solve it with the
adversaries we're up against right now. I want to turn to
George just real quick, and I want to go on Senator Heinrich's
question. In the SolarWinds attack, Amazon Web Services hosted
most of the secondary command and control nodes. And all of
AWS's infrastructure was inside the United States.
Now I feel like having a cyber-attack deja vu here, whether
it's Russian hack of DNC in 2016, the North Korea and Sony
hack, or current supply chain hacks, we constantly see foreign
actors exploiting domestic infrastructure for the command and
control to hide the nefarious traffic in legitimate traffic.
Here's the problem. Given the legal restrictions on the
intelligence community, we don't have the ability to surveil
the domestic infrastructure. So what should the U.S. Government
role be in identifying these types of attacks?
Mr. Kurtz. Well I think it's working with providers like
AWS, working with folks like Microsoft, working with others,
CrowdStrike and FireEye and others. Because when you look at
this particular attack, why did they use U.S. infrastructure?
Because they just wanted to blend in. Right? And I can tell you
there's a ton of attacks that we look at that use foreign
infrastructure, that use bulletproof hosting, which is you know
the ability to anonymize and pay for hosting and
infrastructure. And we know who they are and we tend to look
for those bad actors. Right?
So if you can use infrastructure that looks legitimate no
matter whose infrastructure it is, you're going to blend in and
make it harder. And this particular attack was insidious just
the way it communicated and the protocols it used. It looked
like legitimate traffic going to infrastructure that you know
is normal. But that's why it's important, when you think about
these attacks, to have visibility. I talked about threat
hunting, to have visibility on the end points, because that's
at the tip of the spear.
And these network access devices are just speed bumps, as I
talked about earlier. What's actually happening is on the end
point. What's actually happening is beaconing out. And you have
to have visibility. And you have to collaboratively work with
the private sector and the public sector together. And I think
that's the only way we're going to solve it.
Senator Burr. Kevin, I want to turn to you and I want to
ask for a little more specific statement. You alluded to the
fact that this is not going to stop without a government
dictate that says: here's what we're going to do. Let me just
ask it this way. Will it stop if they pay no price for what
they do?
Mr. Mandia. No. I think if you don't impose risks or
repercussions we're all--you know I've used this analogy for so
long, you'll get how long I've used it. We're all playing
goalie and we're taking slap shots from Wayne Gretzky. I mean,
the puck's going to get in the net sooner or later. And that's
what's happening in cyber space right now. Folks are taking
slap shots and literally there is no risk or repercussion to
the folks doing it.
So we're all fighting a losing battle over time.
Senator Burr. So Sudhakar, as it relates to SolarWinds, can
you build software today without the risk of what happened?
Mr. Ramakrishna. Thanks for the question, Senator. We've
done extensive analysis with our partners at CrowdStrike and
KPMG of our entire build environment and entire infrastructure.
And we've seen no evidence of the threat actor in our
environment or in our build systems and our products.
We've also learned from this experience and applied them to
what I've been describing as ``secure by design.'' One of the
key tenets of that is to evolve software development life
cycles to secure development life cycles. And related to that,
we've come up with a methodology where source code doesn't get
built in traditional ways and we use parallel build systems
with different people accessing them, with different access
types.
And we correlate the output of them across those three to
significantly reduce the potential for a threat actor to
consistently compromise every one of our build systems at the
same time. That is the level of effort our teams are going
through to build safe and secure solutions. Which I hope will
be a model for others.
Senator Burr. Are these practices that you're sharing with
others in the industry?
Mr. Ramakrishna. We are completely committed to doing it,
and we are doing it as we do it.
Senator Burr. Thank you, Mr. Chairman.
Chairman Warner. I would simply want a quick comment that I
agree with my friend, Senator Burr's comment that a firewall
alone cannot keep out a sophisticated actor. But it doesn't
mean the corollary--and I had conversations with the CEO of
SolarWinds on this--that just because it's a sophisticated
actor then that means that you shouldn't do good cyber hygiene.
Mr. Ramakrishna. Absolutely.
Chairman Warner. It is not an either/or.
Senator Burr. No, I agree with you totally. I think what
we're hearing--and maybe we're just not saying it right--is
that even with the best cyber hygiene, even with the best
protocols in place because of how good and persistent and how
much money a nation-state has like Russia, we're susceptible.
Mr. Ramakrishna. Yes.
Senator Burr. You know the puck is going to get in the
goal, as Kevin said, and if we've missed anything and you've
got something that assures us the puck won't get in the goal,
then here or privately share what it is so that we can begin to
pursue and flesh out that type of policy.
Chairman Warner. But the problem is we may not know the
puck was even in the goal. But if you've got good cyber hygiene,
chances are you will discover the puck at some point.
We'll continue that hockey analogy. Now as we move to our next
new Committee Member, Senator Gillibrand. Welcome to the
Committee and your first Intelligence Committee questions.
Senator Gillibrand. Thank you, Mr. Chairman.
I want to follow up on knowing whether you've had the puck
go into the goal. One of you said that the hack that shut down
CrowdStrike and other defense software--and it affected them
before they could start working. So why do these programs--why
was there no alarm, and how were they shut down?
And related, why were there no alarms in the SolarWinds and
anti-virus software logs which should have shown the unusual
behavior, access, or other traces of unauthorized access?
Mr. Kurtz. Yeah, so this is George. Maybe I can take that.
There were probably multiple, dozen software technologies that
were targeted to actually be shut down. In our particular case,
you can think about the camera. You know if someone came up to
a camera and smashed the camera you'd actually see what they
did. And our particular software has a level of monitoring
where if someone tries to tamper with it we would actually be
able to see that.
And in fact, you'd actually have to reboot the system. As
Kevin mentioned, pretty persistent where it waited and kind of
did things you know over a number of days.
Senator Gillibrand. But there was nothing? There was no
alarm? Even after the 11 days?
Mr. Kurtz. Well once you have admin access on a particular
system, if you're shutting it down you know you can pretty much
do anything you want on it. And that's just a function of how
the operating system works. And what we focus on, and I talked
about this in my written testimony, is no silent failure. And
we've designed our system that even if there is a failure
somewhere along which we call the kill chain, this attack
sequence, we're still going to detect something down the road.
And I think this is really important when I talked about
threat hunting. You may not catch the initial stage of the
attack, but you're looking to catch it along the way, and
you're looking to do that with speed. If someone's going to rob
a bank there's only so many ways to rob a bank. You've got to
get there; you got to get the money; you have to get out.
Right? What car they drive, what weapon they use, how they do
it doesn't really matter.
So as long as you can identify the chain of activity, which
is really important, you can stop these breaches. And that's
why we stopped over 75,000 breaches just last year. So it's
obviously a challenging problem but that's why when we look at
this, it's really about risk mitigation; using multiple
technologies and having visibility across your network.
Senator Gillibrand. Alright. Mr. Smith, I think you said on
``60 Minutes'' that there were more than 1,000 developers
working on writing this malicious code. Why do you know that or
how do you know that? And with a group that big, if it is based
in Russia, how come we didn't detect it or see it before?
Mr. Smith. Well there was a lot more than a single piece of
malicious code that was written. And so one of the things we
analyze: what was done from an engineering perspective on each
of these second stage attacks that Kevin was talking about
before. And in essence what we saw was a very elaborate and
patient and persistent set of work. They entered. Then, as they
were in through that back door, they in effect opened a window.
They then swept up behind themselves. They closed the back
door. They used that window. They identified accounts. They
were able for the most part to really rely on stealing
passwords and accessing credentials, especially where
credentials were not well secured, meaning they weren't stored
on a hardware dongle or they weren't stored in the cloud. But
they were able to get people's passwords. They were then very
persistent in using that at what we call elevated network
privilege to work across a network.
And we just were able to look at our estimate of how much
work went into each of these individual attacks, how many
attacks there appear to be in total, and we asked our
engineering teams: these threat hunters that you were hearing
about before--what do you think is on the other side of this?
And that was their estimate. And we have asked around with
others: does this estimate seem off base? And no one has
suggested it is.
Senator Gillibrand. Let me ask Mr. Ramakrishna a final
question. So the Wall Street Journal reported that there was as
many as a third of the victims were accessed by means other
than SolarWinds. However, those access vectors, including TTPs
and infrastructure, have not been made public. Why is that and
do you expect to release the full details of the other access
vectors? And what other ways did the cyber actors use to gain
access to victims?
Mr. Ramakrishna. Senator, that's a very good question. We,
as a manufacturer or producer of IT management tools, do not
have the security capabilities to be able to investigate other
threat vectors. And that's where the colleagues at this witness
table with me will be able to help us and the broader industry
identify those threat vectors. On our part, what we have
committed to doing and continue to do is sharing everything
that we are finding.
And the significant discovery that I mentioned about
Sunspot is one key element of eliminating threat vectors. As we
learn some new vectors ourselves at SolarWinds, we are
committed to sharing those. But I think the broader security
industry will take the mantle on that.
Senator Gillibrand. Thank you, Mr. Chairman.
Chairman Warner. Thank you.
Senator Collins.
Senator Collins. Thank you, Mr. Chairman.
Mr. Chairman, let me echo the concerns that Senator Cornyn
and you have raised about Amazon not being present. I think
they have an obligation to cooperate with this inquiry and I
hope they will voluntarily do so. If they don't, I think we
should look at next steps.
I also want to thank both of you for mentioning legislation
that Senator Joe Lieberman and I authored and brought to the
Senate floor back in 2012, which was defeated largely due to
the lobbying efforts of a large business group. And the irony
is that this grit business group, at the time that they were
lobbying against mandatory reporting, was itself being hacked,
which I found out about from the FBI later. I take no pleasure
in that. I think that shows how widespread this problem is.
I want to follow up on two issues. One is the issue of
reporting. Mr. Mandia, we know from the White House report and
from our own briefings that the hackers did gain access to at
least nine Federal agency networks. Yet the U.S. Government
learned of this cyber-attack through FireEye. So, in your
judgment is it reasonable for us to assume that our government
probably would still be in the dark about the Russians or
whoever the hackers were--likely the Russians--being on our
systems if it were not for your voluntary disclosure?
Mr. Mandia. I think over time I believe we would have
uncovered this. I think there's a lot of activity that out of
context nobody could put their finger on the larger problem.
The minute we found the implant and the minute we disclosed
what had happened, it connected a lot of dots for a lot of
folks. All I can tell you is when I spoke to the government
about this basically as it was unfolding for us nobody was
surprised as to what I was telling them.
So I think we could sense there was behavior on certain
networks that wasn't right. But we couldn't find the cause
until we put it all together.
Senator Collins. But none of those agencies had taken
actions until you contacted them. Is that accurate?
Mr. Mandia. I don't know what actions they may or may not
have taken.
Senator Collins. The second issue that I want to talk about
is our critical infrastructure: 85 percent of the critical
infrastructure in this country is owned by the private sector,
and that's one reason that I think mandatory reporting is so
critical. We have only to look at what happened in Texas from
natural causes to imagine the damage that could be done by a
cyberattack.
Now it's my understanding that our government has assessed
that this operation was focused on stealing information rather
than taking down networks. But how difficult--and I would like
to ask the entire panel this--how difficult would it have been
for the hackers to disrupt these networks if they wanted to?
Why don't we start with you, Mr. Mandia, and just go down
the panel.
Mr. Mandia. Two comments, Ma'am, very quickly on that.
Disruption would have been easier than what they did. They had
focused, disciplined data theft. It's easier to just delete
everything in a blunt force trauma and see what happens, which
other actors have done. But what I've observed this group do--
and I think this is an important detail--a lot of times when
you break into a network you get what's called the domain admin
account. And just use that to grab everything.
It's the keys to everything. It's the master key in the
hotel. What this group actually did is they wanted to break
into room 404. They got a room key that only worked for room
404. Then they got the room key for 407. They actually did more
work than what it would have taken to go destructive. But
obviously, they had the access required and the capability
required should they have wanted to be destructive to have done
so.
Senator Collins. Thank you.
Mr. Ramakrishna. Senator Collins, I would agree with that
based on my studies and research of other similar breaches in
other countries, such as in Ukraine.
Senator Collins. Thank you. Mr. Smith.
Mr. Smith. I would agree as well. And I'd just highlight a
couple of aspects that I think are important. First, especially
when we're talking about publicly owned critical infrastructure
in this country, a lot of it is too old. It needs to be
modernized. And I'll just point to one example was some of our
work with a state agency responsible for public health.
When our consultants went in to work with them they found
that the manual for the software was more than 20 years old,
meaning the software itself was more than 20 years old. So and
that's why you see these ransomware attacks which need to
connect with this. They so often target municipalities, we've
seen Baltimore, we've seen New Orleans. They target hospitals.
So that that is in critical need of improvement. I do think
the other thing that is really worth thinking about more
broadly for the whole Committee is I don't think we can secure
the country without investing in more cybersecurity people for
the country. There's really a critical shortage nationwide of
cyber security professionals and I think we can put our
community and technical colleges to work in part to get more
people into public agencies, into small businesses and others.
We are doing a lot to try to publish information. At
Microsoft we have published 31 blogs since we learned about
SolarWinds you know from FireEye. But there's just not enough
people in many places to read them and act on them.
Senator Collins. Thank you. I know my time has expired.
Maybe Mr. Kurtz could respond for the record.
Chairman Warner. Okay. And I don't.
Mr. Kurtz. Sure, thank you.
Chairman Warner. I'd just simply mention as well, Senator
Collins, you appropriately pointed out the failure to report on
the private sector side. There's no obligation on the public
sector side.
Senator Collins. Right. Well part of the problem is that
there should be this exchange.
Chairman Warner. Yep.
Senator Collins. Of information that's not occurring now on
either side.
Chairman Warner. Absolutely. Senator Blunt.
Senator Blunt. Thank you, Chairman. Mr. Mandia, did you
feel when you found this problem in your system did you think
there was a legal obligation to report it to anybody?
Mr. Mandia. Yeah, we had third party counsel involved. We
did not have a legal requirement at least based on the legal
advice that I got to disclose at the time that we did. So we
did so based on we're a security company, we work to a higher
order. Yeah, it's all built on trust. And you got to report.
Senator Blunt. And Mr. Ramakrishna, what did you think
there was a legal obligation to report this when you found out
about it to the government or anybody else?
Mr. Ramakrishna. Senator, I was not with the company when
this particular incident happened.
Senator Blunt. Got it.
Mr. Ramakrishna. So I will take it on record and come back
to you with exactly what happened at that point in time.
Senator Blunt. And Mr. Smith, from your testimony I think
it was point four in the things we should do though there was
some element of it in point three. It's your view that there
should be a requirement now that these kinds of things be
reported. Is that right?
Mr. Smith. Yes. And I think we should build on the
conversation we had here. But you know, we too concluded we had
no legal obligation to report. But I think we had a duty
nonetheless first of all to each customer, second of all to the
U.S. Government and third of all to the public which is why we
published those 31 blogs.
Senator Blunt. So do you think we should create a legal
obligation for you to report if you're aware of a problem like
this?
Mr. Smith. I do. I think we need to be thoughtful, tailor
it, make it confidential. But we will not secure this country
without that kind of sharing of information.
Senator Blunt. So on that topic and we'll just stay with
you and then work our way back down. On that topic, you know
these companies. All four of the people represented here have
great expertise and great resources which I'm sure you've used
a lot of to figure out how they got there, if you figured that
out, how long they've been there. How would we expect a normal
person that does business with your companies to be able to do
that on their own? And maybe, Mr. Smith, that goes to your view
we need more cyber expertise.
But how would we expect a regular company, unlike these
companies at the table today, to have any sense whether anybody
was in their system or not?
Mr. Smith. Well the first thing I would say is I think it's
a decision for you to make as to whom you want this obligation
to apply. You know certainly it should apply to tech companies.
Should it apply to every customer of a tech company? I think
that is a separate question. Second, of course people cannot
report something they're not aware of. Our customers who use
our cloud services know when we are able to detect that they
are being breached in the cloud or they're being attacked
because we tell them. And so we let them know.
Now ironically one of the episodes we've learned from this
time was in some instances we called people on the phone and we
said we're from Microsoft and we want you to know you're being
attacked and they're like yeah, right and they hung up. They
didn't believe that this big company was calling this small
business. But that is our job, our responsibility I think--to
help our customers. And we can provide information to the
government, or in certain instances others could as well.
Are you going to ask every small business to do that? It's
probably not necessary for this purpose.
Senator Blunt. Yeah. I think if we move forward on that
discussion some helpful thoughts from all of you about when
that obligation to report. If you've called a customer and said
you've been hacked, is there an obligation you should have then
to report? We could work on that.
Mr. Mandia, how long do you think this had been in your
system whenever you found it? And I know it was the two
telephone verification seeing that extra verifier in there that
was the tip off.
Mr. Mandia. Right.
Senator Blunt. How long do you think it had been there?
Mr. Mandia. Well a couple ways to answer that. Bottom line
it was a couple months from initial access but the attacker
wasn't alive every single day. I think, in other words, they
were on our system for maybe three hours in one day, a week
would go by, couple hours on another day. We weren't a full-
time job for the intruders that broke into us. Because they had
broken into 60 plus other organizations if not 100. So we did
get their attention and there's several days of activities
before we detected them.
But over time it was several months.
Senator Blunt. And of course you'd contend that very few
companies would be better prepared than yours to find out.
Mr. Mandia. Right.
Senator Blunt. If somebody's in your system because that's
what you do.
Mr. Mandia. Right.
Senator Blunt. Mr. Kurtz, you mentioned on the bank robbery
example I think it was something like you get there, you get
in, you get the money, you get out. It seems to me that in this
intrusion they weren't all that interested in getting out. What
do you think that means? That they would get there and just
hang around, as Mr. Mandia said, and do something and a week
later might look and do something else?
What kind of hacker is that? What are they positioning
themselves to do? Clearly not to shut down your system at that
moment. But why do you think they were persistent in this, what
I think, is a relatively different way than we might have
anticipated?
Mr. Kurtz. Well this is indicative of a nation-state actor
and it's in their interest to maintain persistence. If they
were collecting data, they want to continue to collect
information over a period of time. If the campaign as was
pointed out this is the way it works, right? You've got
different mission objectives and campaigns. If the campaign is
over, they certainly would want to remove their tool so they
weren't found by companies like CrowdStrike and FireEye and
Microsoft and others.
So it's in their best interest to maintain the persistence
because you never know what they're going to need. And one of
the things that I really want to point out and how this works
in practice is that when you get into a system when an
adversary gets in they don't necessarily know what they're
going to find. And then they find some interesting tools, they
find some emails that may lead them to another company they can
compromise.
And it's a massive spider web of interrelated entities and
information that they have to collect. And when you draw that
out, if you can imagine a crime scene where you kind of put
everything on the bulletin board and you start connecting the
dots between the actors, that's what it's like for the victims.
And from one company to the next company to the next company to
a government agency, they can all be connected together with
some of these campaigns.
And there's no reason for them to get out unless that
campaign is over. And certainly unless they want to remove that
malware and their tools which typical which we've seen in this
particular case cause they didn't want anyone else to find
them.
Chairman Warner. Senator King.
Senator Blunt. Thank you. Thank you, Mr. Chairman.
Senator King. Thank you, Mr. Chairman. Excellent, excellent
hearing. A lot of important points. A couple just I want to
emphasize. Mr. Mandia, I'll give you another analogy to use as
well as Wayne Gretzky, and that is if all we ever did was lock
our windows and robbers never had to worry about going to jail,
there'd be a lot more robbers. I think deterrence is one of the
most important parts of a national strategy and frankly it's
one that really hasn't been very well developed in this
country. And as you pointed out I think it has to be declared.
It has to be public. The adversary has to know what the
capabilities are and that costs will be imposed. That leads me
to a second point that I think Brad Smith mentioned but we
didn't really develop. And that is the importance of
internationalizing this problem and that is working with our
allies because we're not the only ones. I think you mentioned
there was an attack on a French company by this same group.
And to the extent that we have the international community
and the establishment of some kind of international norms, red
lines, guardrails, whatever you want to call them then things
like sanctions are much more effective. I want the hackers to
not be able to go to Monte Carlo as well as Miami. So
deterrence is key. And the international piece of it is also
important.
And then the final thing that I think has come out today
very clearly is the importance of some kind of joint
collaborative environment where there can be an easy and quick
and efficient flow of information. Liability protection may be
necessary. Anonymizing the data may be necessary. But some kind
of mandatory breach notification is also part of this package.
All of these bills, all of these ideas by the way are part
of the work that we're going to be doing on the Solarium this
year and I look forward to working with the Members of this
Committee on things like the collaborative environment, breach
notification, the international aspect of it.
Let me ask a specific question. Mr. Mandia, do we need a
central Federal attribution office? It strikes me that
attribution the FBI has a piece of it, the NSA has a piece of
it, maybe the CIA, and whomever somewhere else. Attribution is
key. You can't do deterrence, you can't respond unless you have
attribution.
Should there be a central attribution department, if you
will, that could act quickly and do attribution more
efficiently than is the case today?
Mr. Mandia. Well I can say this, sir. I don't know if it
needs to be a single committee or single agency. But
attribution is critical and all that you know any time I get to
advise a head of state it's very simple. If you don't know who
did it, you can't do anything about it. So I would argue it's
one of the most critical issues we have to solve as a Nation is
we got to know who did every breach.
I think that those data points will automatically come from
multiple agencies with multiple missions and areas of
responsibility. And then bring it to domestic challenges like
the SolarWinds breach and all the liabilities hitting
companies. It is helpful and maybe it's CISA, maybe it's the
FBI, but it is helpful that most organizations recognize that
we are expected to defend ourselves from the drive by shootings
on the information highway.
But we shouldn't have to defend ourselves from the SVR. I
mean that doesn't seem like a benchmark that this Nation should
set for every small to medium sized company out there that you
need to defend yourself from a foreign intelligence service
trying to hack you. So I would say this. Categorical
attribution for these companies that do disclose is very
helpful for those companies. So in other words, if there was
public attribution that said SolarWinds was compromised by a
nation-state, good enough.
Because it takes the wind out of the sails of all the
plaintiff lawsuits that we all get when we get compromised and
we tell the world about it. Thank you.
Senator King. Thank you. And it seems to me that moving on,
we clearly ought to do attribution better. The other piece
that's come out today is, and Senator Burr mentioned this, is
gaps in our authority. The NSA and the CIA cannot spy on
Americans. They cannot watch what's going on in American
networks. That sort of leaves the FBI which is really a law
enforcement agency as the intelligence agency for domestic
cyberattacks.
It seems to me that we need to think of how these
authorities fit together and what the gaps are to be sure that
we have the tools to protect ourselves. Not that we want to spy
on Americans, but we also want to be able to protect Americans.
Mr. Mandia, your thoughts on that?
Mr. Mandia. I do believe there's got to be a way for the
U.S. Government when we need to mobilize to understand how we
can do it domestically. And the example I've always used, sir,
is very simple. If the intelligence community recognizes
there's going to be an attack on Wilkes-Barre hospital this
Friday by the best hacking group on the planet, we'd just start
moving the patients out of the hospital. And that seems like we
can do better than that as a Nation.
We ought to be able to impose the risk profiles that we
need to and project our capability domestically when we need
to. And right now, I don't see the ability to do that.
Chairman Warner. Senator Feinstein.
Senator King. Appreciate it.
Chairman Warner. Dianne.
Senator Feinstein. Oh, excuse me. Thank you very much, Mr.
Chairman. I'm looking at this worldwide threat assessment of
the United States intelligence community. It was done by Dan
Coats, a former colleague of ours when he was Director of
National Intelligence. And it's deeply concerning to me because
it points out really the seriousness of this thing and the
impact of it, the length of time eight months that it went on.
Nine Federal departments, over 100 companies, and we don't
know what, at least I don't, what the Russians took. And it
seems to me to have this kind of situation out there and I've
been on this Committee for a long time. And just have a hearing
and not do anything about it. And know that we know now that
there is this kind of vulnerability available.
So let me begin with you, Mr. Mandia. You're a Californian.
What do you advise this Senate to do about this?
Mr. Mandia. Yeah there's several recommendations. I still
believe it is critical we find a way to have a centralized
agency that we can report threat intelligence to confidentially
and that if you're designated as a first responder in cyber
space, whether private or public sector, you report to that
agency. That means we get the intelligence into the hands of
people that can take actionable steps way faster than
disclosure of incidents which just takes too long.
To Brad Smith's point and you have those six bullet points.
I think it's actually five bullet points. And they're all
right. It's what we should do. I'm specifically talking about
the threat intelligence sharing. Let's up it a notch. Let's say
you have to if you're a first responder.
Senator Feinstein. How would you do that? When you say up
it a notch, what specifically would you do?
Mr. Mandia. Have legislation that defines who a first
responder is. That if you respond to unlawful, unacceptable, or
unauthorized access to networks as a business and you see
certain things that threat intelligence and we know what it is
in the community that needs to be shared with a specific
agency. Confidentially shared so that you don't have to know
who the victims are because the victims have liabilities that
make them delay.
They'll do months of investigation before they would
disclose everything. But we want to get the intel faster and
into the hands of the right people more quickly. I do believe
it needs to be a central agency inside the government. You
can't go to three or four, you've got to pick one. And that if
we're responding, we got to let you know here's what's going
on.
Senator Feinstein. And this would be private sector as well
as government sector?
Mr. Mandia. Yes.
Senator Feinstein. So it would be a comprehensive bill that
essentially would set a kind of operational protocol that has
to be followed.
Mr. Mandia. It's similar to operating agreements for all
the folks who accept credit card use. The Visa operating
agreements. You literally have 24 hours to start sharing
information regardless once you know. And it's not based on all
the things that you may have lost. You've got to get the intel
into the hands of the folks that can start safeguarding the
Nation far faster than what we're doing today.
Senator Feinstein. Could I ask the other two witnesses to
reflect on what Mr. Mandia has said?
Mr. Ramakrishna. Senator, I agree with that single agency
to report to and the public private partnership. Clearly that
is one of our recommendations as well and that will be
consistent with the goal of having speed and agility in
responding to these types of events.
As you noted, some of these have gone for too long and
we've lost time in detecting the perpetrators and taking
corrective steps.
Senator Feinstein. Mr.
Mr. Ramakrishna. Additionally, I would recommend in the
context of public and private partnerships standards, such as
NIST, and procedures, such as CMMC, can be improved with better
collaboration, better transparency between private and public
to evolve those from what are today compliance based
methodologies to focusing on excellence.
That is where I think Brad's idea of having a larger pool
of STEM based focused education as well as specific cyber
security education will come in handy.
Senator Feinstein. Thank you.
Mr. Ramakrishna. And then the last thing I would say in the
context of coming out and identifying breaches and encouraging
people even to come out and identifying the breaches there was
a concept of liability protection that was discussed. There is
significant brand reputation that people are worried about as
well. And in the context of this broader work, I'd recommend
that we address those as well which are not strictly liability
but broader than that.
Senator Feinstein. Thank you. Mr. Smith.
Mr. Smith. Yeah, I would endorse everything that you just
heard. I would add in the areas of rules of the road I think
there are three areas that are just clearly ripe for this
Committee and others to say are off limits. The patching and
updating of software should be off limits, certainly when an
and a this disproportionate.
Senator Feinstein. Well wait, the patching and off date--
Mr. Smith. And updating.
Senator Feinstein. Updating of software.
Mr. Smith. Yeah. Yeah that was.
Senator Feinstein. Should be off limits to whom?
Mr. Smith. For these types of nation-state attacks. That
would be the first thing. The second would be cyberattacks on
hospitals and healthcare providers. Vaccine distributors. I
mean there's been a groundswell of both concern about what
we've seen in the last year and attacks on that sector. And the
third is attacks on our electoral infrastructure. On voting, on
the tabulation of votes, on voter registration rolls.
And I think there's a ready vehicle that's ripe because 75
governments, but not our own, have already signed the Paris
Call for Trust and Security in Cyberspace. More than 1,000
private organizations, including my own, have signed that. And I
hope this White House and this State Department will act on
that. The consensus is there if U.S. leadership can help push
it across the finish line.
Senator Feinstein. Mr. Mandia, would you just reflect for a
moment?
Chairman Warner. Can we.
Senator Feinstein. Oh, just one question.
Chairman Warner. Yeah. We've gone through the five minutes
so we're.
Senator Feinstein. Okay. Thank you.
Chairman Warner. Senator Sasse.
Senator Sasse. Thank you, Chairman. And thank you to all
four of you for being here. This has been a very constructive
hearing. I would just associate myself with the many comments
of folks expressing frustration that Amazon isn't here. I think
they should be and I think we should pursue whatever is
necessary. Hopefully they'll do that voluntarily.
I'd also like to underscore a few things that were said
along the way by Angus King about some of the deterrence
objectives of the Cyber Solarium Commission. He and Mike
Gallagher, House Member from Wisconsin, have invested tons of
time. I was a commissioner but those two guys co-chaired it.
There's a whole bunch of work to be done about breach
notification that they've been thinking on in addition to some
of the work that Susan Collins has done.
Mr. Mandia, I know you answered it multiple times through
the course of the last three hours but your summary five
minutes ago about the need for a central single repository at
the Federal Government for these breach notifications I think
was very succinct and compelling, so thank you for that.
Mr. Smith, when I came back from voting a little while ago
I think I heard you say, I was just walking into the room, that
you thought there were a thousand highly trained engineers
involved in planning this attack. Did I hear you right?
Mr. Smith. That that is our best estimate, yes.
Senator Sasse. And could you kind of give us a level set of
other attacks or espionage efforts in the past? Like, say the
CCP's OPM hack. Do we have any theory of how many people would
have been involved in that, trained folks?
Mr. Smith. Well, I don't. But you certainly didn't need an
engineering group of similar magnitude to steal data. You
really need to then think about how to use that data which is
probably some combination of engineering and artificial
intelligence. And you know, I do think as we scan the horizon
around the world, we are seeing variation in tactics. You know
we are seeing in one part of the world more of this I'll call
it engineering intensive effort to you know penetrate
individual organizations with great patience and persistence.
And then extract data on an ongoing basis as you would if
you are a foreign intelligence agency. You know in another part
of the world you're probably seeing you know more collection of
very large data sets. And in all probability the way one would
make use of those data sets is to aggregate them and use
artificial intelligence machine learning you know to start to
knit them together and then say use them for disinformation.
And so you know as we look at the world, we have espionage
threats. We have disinformation threats. And then ultimately we
always have the threat we were talking about before of actually
damaging a society or a country as we saw in Ukraine.
Senator Sasse. Right. Very helpful. Is there any equivalent
breaches that you can think of that would have had this scale
of human capital involved in planning them?
Mr. Smith. I can't think of a similar operation that we
have seen that would have similar human scale, no.
Senator Sasse. So this is arguably the largest planned
cyberattack ever?
Mr. Smith. I haven't seen anything larger. I think we were
having a good conversation before about what label precisely to
attach to this. But it was a very it's the largest and most
sophisticated operation of this sort of that we've seen.
Senator Sasse. So going back to some of Martin Heinrich's
questioning and then Chairman Senator Burr's follow-up on the
same thought. It'd be useful for those of us who are not
technologists to hear the three of you kind of talk about the
difference between the design flaws, not that anybody is
particularly responsible inside the U.S. Government for having
failed to detect this, because it's a new kind of attack. But
design versus execution flaws given Martin's points about the
NSA being prohibited from surveilling domestic systems.
Who should in our current structure have found this
earlier? Again I'm not looking for you to blame cast, I'm
looking at us as the Congress to recognize that we have an IC
that is not structurally prepared to respond to something like
this. When your greatest capabilities are at the NSA and
they're prohibited from surveilling the systems where they
would detect it, the FBI is chiefly responsible for law
enforcement investigations after the fact. Structurally, we're
not prepared to defend against this, are we?
Mr. Mandia. I guess I'll jump in on that one. There's no
question you have to have private and public partnership in it.
Period. When you look at critical infrastructure and who's
running it. I want to be clear though, why people didn't detect
this, the Achilles heel, is because the front door was locked.
So the attackers had to break in to SolarWinds, implant
something, we still don't know how they broke in to SolarWinds
that I'm aware of. And this is probably the last avenue in
cyber security.
Now we know you've got to worry about supply chain risk and
you're going to see the elevation in security there. So the
reason everybody didn't detect this right away is over the last
30 years in cyber security you used to be able to drive through
the front door. And we kind of closed that and then it became
spear phishing and tailored attacks against individuals. And we
got really good at that. And now they went to the supply chain.
And it was inevitable. We knew they'd get there. Apparently
it takes something like this for us to really decide to up the
game.
Senator Sasse. But if we think about how many questions
you've had to answer today about reporting requirements, you
also had a sense, Mr. Smith, you said something about the
reporting prohibition on you going from one government agency
to the next. How long was that delay in our structure? If you
had been able to notify everybody once you knew once your four
companies knew what you knew how much faster would it have been
than it was in the situation where you actually had
prohibitions on information sharing intra-USG?
Mr. Smith. Well I think in this instance when we spoke to
officials in one agency typically within a day I think they
spoke to officials in another. So they understood and they were
fast moving. I do think that one of the challenges in this
space is the nature of all threat intelligence, whether it's
cyber-based or physically based, is that it's always about
connecting dots. So the more dots you have, the more likely you
are to see a pattern and reach a conclusion.
And so I think one of the challenges here is that the dots
are so spread out, they're in a variety of different private
companies and they always will be. And then they're spread out
across different parts of the public sector as well. So this
notion of aggregating them is key. The one thing that we
haven't talked about though that I would add to this is there
should be some level of information sharing in an appropriate
way back to those of us in the private sector that really are
first responders.
You know I look at the Microsoft threat intelligence center
and we are able to aggregate all of this data across our
services. And you heard from CrowdStrike or FireEye and they do
similar things. But we too are operating with imperfect
information when we don't have access to this knowledge. So
that's another key question I think that really merits
consideration.
Senator Sasse. I'm over time but thank you to all four of
you and I'll follow-up with some of you for more as well.
Thanks Chairman.
Chairman Warner. Well I'm I want to thank all the witnesses
but I also want to make sure people have hung in if Senator
Blunt, Senator Burr, Senator Rubio I've got one more question
but I want to see if Senator Blunt do you have anything else?
Senator Blunt. No, sir.
Chairman Warner. And do you have Richard? Marco?
Vice Chairman Rubio. I mean I think one of the things about
this is you know corporations and government we do we trust a
number of software vendors now to run programs remotely in the
cloud. They even allow them access to our networks to provide
updates to help perform better, for safety and so forth. So
this is really is not just a national security thing, it really
goes at the heart of how we conduct business across multiple
sectors.
By the way, I would venture to guess that most companies,
mid-sized companies and above, have no idea how many different
pieces of software they don't know what their own inventory is
of what they're running. And so it would be now's probably a
good time to have someone in charge of knowing that in case
something like this comes up.
I have three quick questions. On SolarWinds, I'm not sure
I've heard yet, do we do we know what the initial entry point
into the network was?
Mr. Ramakrishna. Senator, our investigation on how which is
initial entry point is still active at this point. We have had
a number of hypotheses over the last couple of months working
with our investigation partners. We've been able to narrow them
down now to about three, which I hope will help us conclude to
one. But just the nature of the investigation is we are still
sifting through terabytes of data to figure out if we can
pinpoint that particular one.
Vice Chairman Rubio. So is TeamCity produced by JetBrains
any indication they could be one potentially?
Mr. Ramakrishna. Senator, TeamCity is a tool used in the
build processes by us and many other companies out there. We,
to date, have no evidence that it was the backdoor used to get
into SolarWinds. Although we haven't eliminated that
possibility, we haven't proven it.
Vice Chairman Rubio. And for on Microsoft, as far back as
2017 that the forged identity credentialing you were aware of
that vulnerability as far back as when were you aware of that
and what was done from the point you knew moving forward on the
to address that?
Mr. Smith. Well the forged identity refers to an industry
standard, SAML, a markup language. It's an industry standard
that is supported by a wide variety of products including our
own. Actually as we investigated this incident, we found that
it was relevant in only 15 percent of the cases and in those 15
percent, in every instance you know this tool was used to in
effect add access capability only after the actor was in the
network, had obtained access with what we call elevated
privileges, and was able to move around and then use this.
But to answer your question this particular standard, the
SAML standard, was created in 2007. So long before 2017 we and
many other companies in the industry have been working to move
people towards a more modern authentication standard. And there
has been one that has been around since 2012. More broadly,
independent of what security standard you use for this kind of
authentication the thing that we have been advising our
customers and the practice that we have been following
ourselves is really to do the following.
One, move your authentication service into the cloud.
Number two, secure all of your devices. We have a service
called Intune that does that. Number three, you know, make sure
you're using multi-factor authentication. Number four, have
what's called least privileged access meaning don't give
individuals access to the entire network or to be able to do
things that they don't need to do. And number five, use a
contemporary or a modern anti-virus or anti-malware service
like Windows Defender.
And the reality is any organization that did all five of
those things, if it was breached it in all likelihood suffered
almost no damage.
Vice Chairman Rubio. Because it would have been contained
or whatever in the individual compartment they entered. Okay.
Mr. Smith. Absolutely. Yeah. And these are five practices
that the world knows about and this goes back I think to this
point that we do need more cyber security professionals to work
with more organizations. And obviously it's incumbent on us. We
every day we're working to make it easier for our customers to
deploy all of this stuff.
Vice Chairman Rubio. Yeah, and I think that just touches on
the notion that even if you can't prevent the attack or the
intrusion you can mitigate its impact if you can do some of
these things that you've discussed. Mr. Mandia, this is my last
question. We talked about notification. Not disclosure but
notification. And this seems to me that and you may have some
thoughts on this what is the threshold for that?
Is it a major breach? Is it breach? Is it breaches that
have indications of nation-state involvement?
Mr. Mandia. It's hard.
Vice Chairman Rubio. Because I think every day someone's
getting pinged by somebody. So what's
Mr. Mandia. I agree and you don't want to spread fear,
uncertainty, and doubt by folks who can't do a proper
investigation or lack the expertise or quite frankly they don't
know what really happened but they disclose so fast that they
do create an unnecessary fear. That is the hardest part because
every disclosure's going to have some discretion built into it.
And that's why when I'm talking about notification I'm trying
to there's public disclosure and legal disclosure.
I'm trying to separate that, and Brad Smith did in his
testimony very well, to threat intelligence sharing. And I'm
more talking about threat intel, get it out there fast, get it
out there confidentially so you have the time to figure out the
threshold for disclosure. But that's a lot of work because I
think it depends on the industry you're in whether you should
disclose. I think it there's contract law that'll apply. You
should disclose to your customers at least that are impacted.
But I still feel disclosure is always going to be based on
the impact of a breach which requires investigation.
Chairman Warner. Well let me thank all of the panel and
George who's online. We actually had well Senator Risch didn't
want to ask a question. We had full participation from the
Committee and that is a sometimes rare occurrence. I take away
four issues that I'd like for the record since it's been a long
afternoon.
The fact that Smith said this was potentially one of the
most serious breaches he's seen. We know that it got into Mr.
Ramakrishna's 18,000 customers and while they chose to only
exploit 100 plus the fact that this could have been used not
for exploitation and exfiltration of information but could
have been turned they were inside as I think Mr. Mandia so
eloquently put it could have been exponentially worse and I
think we need to recognize the seriousness of that.
Number two and I think Senator Rubio was raising this as
well that while it was a top tier nation-state with their A
team and it may be hard for any individual company or public
enterprise to totally block that out, we can't default to
security fatalism. We've got to at least raise the cost for our
adversaries. And whether the items that Mr. Smith just
enumerated in terms of better protections even if they get in
we can find them and raise their costs if we think through
this.
Mr. Smith commented on this but I would like the rest of
you for the record to comment on this, this idea around norms
and international norms. I use the analogy that in warfare you
don't bomb the ambulance. Well should we try to get to a point
that you don't bomb the patch? Or that you don't hit the
hospital literally? Or the electoral systems? How do we move
toward that system of norms?
And finally I think there is a real growing sense and I
hear this from industry as well that we need some level of at
least information sharing around on a mandatory basis. Again, I
want to compliment Kevin's company and Kevin personally for
coming forward because but for that effort we might still be,
this might still be ongoing. And how we think about that what
that reporting to or whom it rep we report to mechanism, I
think it's going to require some new creation.
And while I am very open to some level of liability
protection, I'm not interested in a liability protection that
excuses the kind of sloppy behavior for example that took place
in Equifax where they didn't even do the basic cyber hygiene.
That if you report that you should not be free of your
responsibility if you have been a sloppy player.
So I think there are models. There's FinCEN in the
financial sector, there's the National Transportation Safety
Board which may be an even better example. I think Mr. Mandia
pointed out within the credit card arena there is this
information sharing. Some I know have been thinking about the
idea that the cloud service providers, the large enterprises,
the first responders a la CrowdStrike and FireEye maybe being
co-located at some location with parts of the government.
Because this notion of getting the information out real
time, that's not going to happen with all due respect to the
great talents that are at the FBI that's not going to happen
when it goes to the FBI and they're just not in the business of
information sharing. It frankly is probably not going to happen
even though CISA's skills continue to be upgraded. We're going
to need to think about a different model and I challenge all of
you to come forward with that.
I think there's a great deal of appetite bipartisan
appetite. I think we realize how serious we were and we
potentially dodged a much more serious bullet. And really
appreciate all of your participation and it's been constantly
mentioned those companies who chose not to participate so far
we're going to give them another chance and hopefully they will
recognize they have that kind of public service obligation that
is reflected by the testimony today.
With that, the hearing is adjourned. Thank you.
[Whereupon at 12:07 p.m. the hearing was adjourned.]
Supplemental Material
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]