Date & Time: Tuesday, February 23, 2021 - 2:30pm
Dirksen 106

Full Transcript

[Senate Hearing 117-79]
[From the U.S. Government Publishing Office]

                                                       S. Hrg. 117-79

                         OPEN HEARING: HACK OF



                               BEFORE THE


                                 OF THE

                          UNITED STATES SENATE


                             FIRST SESSION


                       TUESDAY, FEBRUARY 23, 2021


      Printed for the use of the Select Committee on Intelligence

        Available via the World Wide Web: http://www.govinfo.gov

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
45-485 PDF                 WASHINGTON : 2022                     

           [Established by S. Res. 400, 94th Cong., 2d Sess.]

                   MARK R. WARNER, Virginia, Chairman
                  MARCO RUBIO, Florida, Vice Chairman

DIANNE FEINSTEIN, California         RICHARD BURR, North Carolina
RON WYDEN, Oregon                    JAMES E. RISCH, Idaho
ANGUS KING, Maine                    ROY BLUNT, Missouri
MICHAEL F. BENNET, Colorado          TOM COTTON, Arkansas
BOB CASEY, Pennsylvania              JOHN CORNYN, Texas

                  CHUCK SCHUMER, New York, Ex Officio
                 MITCH McCONNELL, Kentucky, Ex Officio
                  JACK REED, Rhode Island, Ex Officio
                   JAMES INHOFE, Oklahoma, Ex Officio
                     Michael Casey, Staff Director
                  Brian Walsh, Minority Staff Director
                   Kelsey Stroud Bailey, Chief Clerk
                            C O N T E N T S


                           FEBRUARY 23, 2021

                           OPENING STATEMENTS


Warner, Hon. Mark R., a U.S. Senator from Virginia
Rubio, Hon. Marco, a U.S. Senator from Florida


Mandia, Kevin, CEO, FireEye, Inc.
    Prepared statement
Ramakrishna, Sudhakar, CEO, SolarWinds Inc.
    Prepared statement
Smith, Brad, President, Microsoft Corporation
    Prepared statement
Kurtz, George, Co-Founder and CEO, CrowdStrike
    Prepared statement

                         SUPPLEMENTAL MATERIAL

Responses of Kevin Mandia to Questions for the Record
Responses of Sudhakar Ramakrishna to Questions for the Record
Responses of Brad Smith to Questions for the Record
Responses of George Kurtz to Questions for the Record

                         OPEN HEARING: HACK OF


                       TUESDAY, FEBRUARY 23, 2021

                                       U.S. Senate,
                          Select Committee on Intelligence,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 2:32 p.m., in 
Room SD-106 in the Dirksen Senate Office Building, Hon. Mark R. 
Warner (Chairman of the Committee) presiding.
    Present: Senators Warner, Rubio, Feinstein, Wyden, 
Heinrich, King, Bennet, Casey (via WebEx), Gillibrand, Burr, 
Risch, Collins, Blunt, Cotton, Cornyn, and Sasse.


    Chairman Warner. Good afternoon, everyone. I'd like to call 
this hearing to order and apologize to our witnesses and others 
with them. With COVID and a vote just been called, we're going 
to a little bit be playing this by ear. So I'm going to make my 
opening statement, ask the Vice Chairman to make his opening 
statement. We'll be monitoring the vote, which just opened a 
moment ago. We've got two, so we'll either tag team through 
this or take a five-minute recess to get us all a chance to go 
vote on both these items.
    First, I'd like to take this opportunity to welcome our two 
new Members, one of which I think at least is on Zoom, Senator 
Casey, and also Senator Gillibrand, to the Committee. I look 
forward to working with both of you as Members of the Senate 
Intelligence Committee in the bipartisan tradition of this 
    The Intelligence Committee's record of working together in 
the interests of America's national security has been due, in 
no small part, to the tireless efforts of our former Chairman, 
Senator Burr, and our new Vice Chairman, Senator Rubio. So I 
want to take this opportunity during my first hearing as 
Chairman, to thank you both for your partnership and 
friendship. I'm confident that we'll be able to keep working 
together in a bipartisan way in the 117th Congress.
    I'd also very much like to welcome our witnesses today: 
Kevin Mandia, CEO of FireEye; Sudhakar Ramakrishna, President 
and CEO of SolarWinds; Brad Smith, President of Microsoft 
Corporation; and, I believe remotely, George Kurtz, President 
and CEO of CrowdStrike. I would like for the record to note 
that we also asked a representative from Amazon Web Services to 
join us today but, unfortunately, they declined. But we will be 
expecting to get a full update--and we've had one update from 
our friends at Amazon--but it would be most helpful if in the 
future they actually attended these hearings.
    Today's hearing is on the widespread compromise of public 
and private computer networks in the United States by a foreign 
adversary, colloquially or commonly called ``the SolarWinds 
hack.'' While most infections appear to have been caused by a 
trojanized update of SolarWinds's Orion software, further 
investigations have revealed additional victims who do not use 
SolarWinds's tools. It has become clear that there is much more 
to learn about this incident, its causes, its scope and scale, 
and where we go from here.
    This is the second hearing this Committee has held on this 
topic. Our first was a closed hearing held on the now-infamous 
January 6th to hear from government officials responding to the 
SolarWinds incident. It's going to take the combined power of 
both the public and private sector to understand and respond to 
what happened. Preliminary indications suggest that the scope 
and scale of this incident are beyond any that we've confronted 
as a Nation and its implications are significant.
    Even though what we've seen so far indicates that this was 
carried out as an espionage campaign targeting more than 100 or 
so companies and government agencies, the reality is the 
hackers responsible have gained access to thousands of 
companies and the ability to carry out far more destructive 
operations if they'd wanted to. And I want to repeat that. This 
intrusion had the possibility of being exponentially worse than 
what has come to pass so far.
    The footholds these hackers gained into private networks, 
including some of the world's largest IT vendors, may provide 
opportunities for future intrusions for years to come. One of 
the reasons the SolarWinds hack has been especially concerning 
is that it was not detected by the multibillion-dollar U.S. 
Government cybersecurity enterprise or anyone else until the 
private security firm, FireEye--and I want to again compliment 
our friend, Kevin Mandia, who's appeared before this Committee 
a number of times--on their own without a requirement to 
report, actually publicly announced that it had detected a 
breach of its own network by a nation-state intruder.
    A very big question looming in my mind is: Had FireEye not 
detected this compromise in December and chosen on their own to 
come forward, would we still be in the dark today? As Deputy 
National Security Adviser, Anne Neuberger, who has been chosen 
by the President to lead the response in this, and to the 
SolarWinds hack, said last week, ``The response to this 
incident from both the public and private sector is going to 
take a long time.''
    All of our witnesses today are involved in some aspect of 
the private sector response to this incident. I want to hear 
from them on the progress so far, the challenges we'll need to 
overcome in order to fully expel these hackers, and how we can 
prevent supply-chain attacks like this in the future. I'd also 
like to hear from them about their experiences working with the 
Federal Government, namely, the Unified Coordination Group, in 
mitigating this compromise.
    The SolarWinds hack was a sophisticated and multifaceted 
operation: a software supply chain operation that took 
advantage of trusted relationships with software providers in 
order to break into literally thousands of entities. Combined 
with the use of these sophisticated authentication exploits, it 
also leveraged vulnerabilities and major authentication 
protocols, basically granting the intruder the keys to the 
kingdom, allowing them to deftly move across both on-premises 
and cloud-based services, all while avoiding detection.
    While many aspects of this compromise are unique, the 
SolarWinds hack has also highlighted a number of lingering 
issues that we've ignored for too long. This presents us an 
opportunity for reflection and action. A lot of people are 
offering solutions, including mandatory reporting requirements, 
wider use of multi-factor authentication, requiring a software 
bill of goods, and significantly improving threat information 
sharing between the government and the private sector.
    I've got a number of questions, but there are three that 
I'd like to pose in my opening.
    One, why shouldn't we have mandatory reporting systems, 
even if those reporting systems require some liability 
protection, so we can better understand and better mitigate 
future attacks? As I pointed out, Senator Collins was way ahead 
of all of us on this issue, literally years and years ago, when 
she and Senator Lieberman first put forward legislation that 
required this critical, mandatory reporting on critical 
    There's an open question, though, on who should receive 
such report, even if you put that mandatory reporting in place. 
Do we need something like the National Transportation Safety 
Board, or other public-private entity that can immediately 
examine major breaches to see if we have a systemic problem, as 
we seem to see in this case? I think there's also some truth to 
the idea that if a tier-one adversary, a foreign nation-state, 
sends their A team against almost any ordinary company in the 
world, chances are they're going to get in. But that cannot be 
an excuse for doing nothing to build defenses and making it 
harder for them to be successful once inside an enterprise. I'm 
very interested in hearing from the witnesses what they think 
our policy response should be, and what solutions they think 
will actually improve cybersecurity and incident reporting in 
the United States.
    Beyond the immediate aspects of the SolarWinds hack are 
larger issues that this Committee needs to consider. Do we need 
to finally come to some agreement on common norms in 
cyberspace, hopefully, again, on an international basis, that 
potentially are enforceable, and at least says to our 
adversaries: If you violate these warm norms, there will be 
known consequences? For example, we have these norms in other 
conflicts. We have military conflict that exists, but there's 
been for some time a norm that you don't knowingly bomb a 
hospital or bomb an ambulance that's got a Red Cross shield on 
it. Should we, therefore, consider efforts that subvert 
patching, which are all about fixing vulnerabilities to be 
similarly off limits?
    Once again, I want to thank our witnesses for joining us 
today, both in person and remotely. I personally talked to 
nearly all of our witnesses, in some cases multiple times since 
this incident was first reported. I appreciate their 
transparency and willingness to be part of this conversation.
    After our witnesses conclude their remarks, we'll move to a 
round of five-minute questions based upon order of arrival. As 
a reminder to my colleagues, this incident is not over. So too 
are the criminal investigations by the FBI. So there might be 
some questions our witnesses cannot answer. However, I'm 
confident we'll get those answers at some point as we move 
forward. I now recognize the Vice Chairman for a statement.


    Vice Chairman Rubio. Thank you, Mr. Chairman, and thanks 
for convening this hearing. And I'd like to welcome our 
witnesses from Microsoft, FireEye, SolarWinds, and CrowdStrike 
who are here to help the Committee's examination of what is the 
largest cyber-supply chain operation ever detected. So we 
really do appreciate you being with us.
    As the Chairman mentioned, we had extended an invitation to 
Amazon to participate. The operation we'll be discussing today 
used their infrastructure, at least in part, to be successful. 
Apparently, they were too busy to discuss that here with us 
today and I hope they'll reconsider that in the future.
    This operation involved, as has already been said, the 
modification of the SolarWinds Orion platform, which is a 
widely-used software product. It included a malicious backdoor 
that was downloaded, from my understanding, to up to 18,000 
customers between March and June of last year. But the most 
insidious part of this operation was that it hijacked the very 
security advice promulgated by computer security professionals 
to verify and apply patches as they are issued.
    So there are many concerning aspects to this first-of-its-
kind operation, at least at this scale, that has raised 
significant questions. My understanding is that if FireEye had 
not investigated an anomalous event within their own network in 
November of last year, it's possible this would be a continuing 
and unfettered operation to this day.
    I think everyone's asking, despite the investment that's 
been made in cybersecurity collectively between the government 
and the private sector, how no one detected this activity 
earlier, as it appears that they have been in the system for 
close to five to six months before it was detected--maybe even 
longer; closer to a year. But the bottom-line question is, how 
did we miss this? And what are we still missing? And what do we 
need to do to make sure that something like this, using these 
sorts of tools, never happens again?
    Second, I think there's great interest in knowing exactly 
what these actors did. Based on what we know, to include what 
government has stated publicly, the actor seems to have 
undertaken follow-on operations against a very small subset of 
the 18,000 networks to which they potentially had access. So 
aside from the mechanical aspects of removing a hacker from a 
network, what do we know about why these actors chose the 
targets that they did? What actions did they undertake within 
those networks? And what do we know that we do not know? I 
always love that question. What do we know that we do not know? 
In essence, what are the open questions now and in the future 
about these sorts of tools and how they can be used? Or what do 
we still have open ended that we are not able to answer at this 
time? And perhaps most importantly, who has the single 
comprehensive view of the totality of activity undertaken? 
That's another thing that everyone has struggled with is who 
can see the whole field here on this?
    And third, what is it going to take to rebuild and have 
confidence in our networks? And speaking with several of you in 
the days leading up to this, one of the hallmarks of this 
operation was the great care that was taken by this adversary 
to use bespoke infrastructure and tradecraft for each victim. 
Unlike other malware or ransomware cleanup operations, there 
is no template here that can be used for remediation. So what's 
it going to take to have confidence in both government and in 
the private sector networks again?
    Fourth, what do we need to do to raise the bar for the 
cybersecurity of this Nation? Is cyber deterrence an achievable 
goal? How do we need to enhance cybersecurity information 
logging and sharing across the spectrum to protect against APTs 
in the future?
    And finally, though this is a question for the government 
rather than the witnesses here today, I think it's important 
for this Committee to ask itself, and to inform the Members of 
the Senate, what does the United States Government need to do 
to respond to this operation?
    Government officials initially stated this was an 
intelligence gathering operation. Just recently, however, the 
White House stated, quote: ``When there is a compromise of this 
scope and scale, both across government and across the U.S. 
technology sector to lead to follow-on intrusions, it is more 
than a single incident of espionage. It is fundamentally of 
concern for the ability for this to become disruptive.'' End 
quote. While I share this concern that an operation of this 
scale, with a disruptive intent, could have caused mass chaos, 
those are not the facts that are in front of us. Everything we 
have seen thus far indicates that at some level, this was an 
intelligence operation and a rather successful one that was 
ultimately disrupted.
    While there are a myriad of ways for sovereign states to 
respond, I caution against the use of certain terms at this 
time until the facts lead us to the use of terms such as attack 
and so forth. I've always advocated for standing up to our 
adversaries. I think that's important. I will continue to 
advocate for that. But I want to know today what the actor's 
intent seemed to be and to the extent of the damage before we 
categorize it. It may very well have reached that level.
    This Committee and the rest of the Congress should consider 
what policies we need to pursue to better defend our Nation's 
critical networks, in order to get a fuller view of the 
problem. Perhaps we should consider mandating certain types of 
reporting, as the Chairman already mentioned. As it relates to 
cyber-attacks, we must improve the information-sharing, of this 
there is no doubt, between the Federal Government and the 
private sector. And I look forward to being an active and 
constructive participant in these debates on these new issues, 
as I know every Member on this Committee is.
    And with that, I again, want to welcome you and thank you 
for the testimony and the insights that you will share with us 
and the American people. It is important that the public 
understand the current persistent information conflict that the 
United States finds itself in against nation-state adversaries 
like Russia, but also like China and Iran and North Korea.
    Thank you, Mr. Chairman.
    Chairman Warner. Thank you, Senator Rubio. I think we're 
going to go ahead and we'll just trade off. I believe the order 
of the speakers is going to be: FireEye, SolarWinds, Microsoft, 
and CrowdStrike.
    So Kevin, if you want to start us off, that'd be great.


    Mr. Mandia. Thank you, Mr. Chairman, Vice Chairman Rubio, 
and the rest of the Members of the Senate Intelligence 
Committee. It is a privilege to be here with the opportunity to 
speak with you.
    And as the first witness, I'm going to discuss what 
happened from a first-hand experience as a stage two victim to 
this intrusion. I have opinions on who did it. I have opinions 
on what to do about it. But in the next four minutes, I don't 
have enough time to get through all that. So I look forward to 
your questions.
    I just want to give you a little background on FireEye. 
Responding to breaches is what we do for a living. We have a 
whole bunch of Quincy-type people that do forensics 2,000 hours 
a year. And people hire us to figure out what happened and what 
to do about it when they have a security breach. We responded 
to over 1,000 breaches in 2020. It was a tough year for chief 
information security officers. And as I sit here right now 
testifying to you, we're responding to over 150 computer 
security breaches.
    In short, this is what we do for a living. And what we're 
going to tell you today, we tell you with high confidence and 
high fidelity on the intent of the attackers and what they did.
    So now I want to present kind of the anatomy of this 
attack. You know, we're referring to it as the SolarWinds 
campaign. But it's a little bit broader than that. Whoever this 
threat actor is--and we all pretty much know who it is--this 
has been a multi-decade campaign for them. They just so 
happened to, in 2020, create a backdoor SolarWinds implant.
    So the first part of this ongoing saga, stage one of this 
campaign, was you had to compromise SolarWinds. And the 
attackers did something there that was unique in that they 
didn't modify the source code there, they modified the build 
process, which to me means this is a more portable attack than 
just at SolarWinds. When you modify the build process, you're 
doing the last step of what happens before code becomes 
production for your buyers and customers, which just shows this 
is a very sophisticated attacker.
    And once they did that stage one compromise of SolarWinds, 
we didn't find the implant till December 2020. And it had been 
out there, if you look at a timeframe perspective, from March 
2020 and there was an update in June 2020, as well. But the 
attacker did something interesting when you get the timing. 
They did a dry run in October 2019, where they put innocuous 
code into the SolarWinds build just to make sure the result of 
their intrusion was making it into the SolarWinds platform 
production environment.
    I want to explain how we found this implant because there's 
no magic wand to say where's the next implant? When we were 
compromised, we were set up to do that investigation. It's what 
we do. We put almost 100 people on this investigation. Almost 
all of them had 10,000 hours there, so to speak, 10,000 hours 
of doing investigations, and we unearthed every clue we could 
possibly find. And we still didn't know. So how did the 
attacker break in?
    So we had to do extra work. And at some point in time, 
after exhausting every investigative lead, the only thing left 
was--the earliest evidence of compromise was a SolarWinds 
server. And we had to tear it apart. And what I mean by that is 
we had to decompile it. Specifically, there were 18,000 files 
in the update, 3,500 executable files. We had over a million 
lines of assembly code. For those of you that haven't looked at 
assembly, you don't want to. It's something that you have to 
have specialized expertise to review, understand, piece apart, 
and we found the proverbial needle in the haystack--an implant.
    But how do we get there? Thousands of hours of humans 
investigating everything else. And that's one of the reasons I 
share that as you wonder why people missed it. This was not the 
first place you'd look; this was the last place you'd look for 
an intrusion. Over 17,000 companies were compromised by that 
    So stage one was to compromise SolarWinds, get an implant 
in, and indiscriminately went to the 17,000 folks that 
downloaded it. That means the attackers had a menu of 17,000 
different companies.
    Stage two of this attack was the companies that these 
attackers intended to do additional action on and I want to 
talk about what they did during stage two victims. I want to 
say, stage one, the attacker hasn't done anything more than 
crack open the window into a company. But they haven't gone 
into the house to rob anything yet.
    Stage two, they go into the house to rob it. When we look 
at the stage two threat actor, or stage two victims, this is 
where Microsoft's top-down viewpoint from their Cloud, where 
there's a lot of activity, comes up with approximately 60 
victim organizations. And we read that the government is aware 
of about 100 organizations. For us being a stage two, we had 
first-hand account of what they do. The attackers came in 
through the SolarWinds implant. And the very first thing they 
did is went for your keys, your tokens. Basically, they stole 
your identity architecture so they could access your networks 
the same way your people did.
    And that's why this attack was hard to find because these 
attackers, from day one, they had a backdoor. Imagine almost a 
secret door in your house and the first thing that happens when 
it comes to that secret door is all your keys are right there. 
They just grab them, and now they can get into any locks you 
have in your house the same way your people do. And I think, 
during a pandemic, where everybody's working from home, it's 
way harder to detect an attack like this, where the only 
indicator of compromise was just somebody logging in as one of 
your employees. And there's nothing else far-fetched about 
    Right after they got our valid credentials, our two-factor 
authentication mechanisms bypassed, they went to our O365 
environment. And whether it was O365, or something else, I've 
had enough experience over my 25 years of responding to 
breaches to know this group targets specific people, almost 
like they have collection requirements. So there they targeted 
emails and documents. So stage two was: get credentials so you 
could log in; get the keys to the safety deposit boxes; stage 
the next step. Step two of that was access email, access 
documents with said keys.
    And then the third thing was dependent on who you were, and 
what you did, and what industry you are as a victim. But it's 
primarily what I put in the other category: steal source code, 
steal software. In the case of FireEye, take some of our red 
teaming tools that we use to assess people's security programs.
    Bottom line: exceptionally hard to detect. And when I got 
my first briefing on this and reviewed the facts on day one, 
everything about this aligned to a threat actor, who, it is my 
opinion, was more concerned about operational security than 
mission accomplished. And that the minute you could detect 
these folks and stop them breaking through the door, they sort 
of evaporated like ghosts until their next operation.
    So with that, on behalf of FireEye, I'd like to thank all 
of you for the opportunity to set the stage for the other 
witnesses. I'm very excited to work with all of you, and to my 
fellow witnesses and others in the private sector as well as 
the public sector to advance our Nation in defending ourselves 
in cyberspace. And I look forward to taking your questions.
    [The prepared statement of Mr. Mandia follows:]
    Chairman Warner. Thank you, Kevin.


    Mr. Ramakrishna. Chairman Warner, Vice Chairman Rubio, and 
Members of the Committee, on behalf of SolarWinds' employees, 
partners, and customers in the U.S. and around the world, I 
would first like to say thank you for inviting us to this 
    By way of background, I'm Sudhakar Ramakrishna, and I 
joined SolarWinds on January 4th of this year. Prior to 
SolarWinds, I was with a company called PulseSecure for over 
five years, and previously held executive roles at other 
technology companies.
    In my roles, I've been involved with cyber incidents and 
have seen firsthand the challenges they present, as well as the 
opportunities they create for learnings and improvements. While 
our products and customers were the subject of this unfortunate 
and reckless operation, we take our obligation very seriously, 
to work tirelessly to understand it better to help our 
customers, and to be transparent with our learnings with our 
industry colleagues and the government.
    SolarWinds started in 1999 in Oklahoma as a provider of 
network tools and to this date, we have remained true to our 
mission of helping IT professionals solve their problems and 
manage their networks, now through more than 90 products. 
Today, we remain a U.S.-headquartered company, with over 3,000 
employees working extremely hard to deliver customer success.
    When we learned of these attacks, our very first priority, 
and that remains true today, was the safety and protection of 
our customers. Our teams worked incredibly hard and tirelessly 
to provide remediations within about 72 hours of knowing about 
these attacks. We also acted very quickly to disclose these 
events to the authorities, while providing remediations and 
starting our investigations of what do we learn about this, who 
may have done it, and what exactly happened in the process of 
insertion into our Orion platform?
    We believe the Orion platform was specifically targeted in 
this nation-state operation to create a backdoor into the IT 
environments of select customers, as my colleague Kevin noted, 
as well. The threat actor did this by adding malicious code, 
which we call ``Sunburst,'' to versions released between March 
and June 2020. In other words, a three-month window was when 
the code with the malicious Sunburst code was deployed.
    I will note that this code has been removed and is no 
longer an ongoing threat to the Orion platform. Additionally, 
after extensive investigations, we have not found Sunburst in 
our more than 70 non-Orion products.
    Perhaps the most significant finding to date in our 
investigation is what the threat actor used to inject Sunburst 
into other Orion platforms. This injected tool, which we call 
``Sunspot,'' was stealthily inserted into the automated build 
processes of Orion and was designed to work behind the scenes. 
Sunspot, which we discovered, poses a grave risk of automated 
supply chain attacks through many software development 
companies, since the software processes that SolarWinds uses 
are common across the industry.
    As part of our commitment to transparency, collaboration, 
and timely communications, we immediately informed our 
government partners and published our findings with the 
intention that other software companies in the industry could 
potentially use the tool to detect possible current and future 
supply chain attacks within their software build processes.
    We understand the gravity of the situation and are applying 
our learnings of Sunspot and Sunburst and sharing this work 
more broadly. Internally, we call these initiatives ``secure by 
design.'' And it's premised on zero-trust principles and 
developing a best-in-class secure software development model to 
ensure our customers can have the utmost confidence in our 
    We have published these details regarding our efforts in 
various blog posts. But in summary, they are focused on three 
primary areas:
    The first is further securing our internal infrastructure.
    The second is ensuring and expanding the security of our 
build environments.
    And third, ensuring the security and integrity of the 
products we deliver.
    Given our unique experience, we are committed to not only 
leading the way with respect to secure software development, 
but to share our learnings with the industry. While numerous 
experts have commented on the difficulties that these nation-
state operations present to any company, we are embracing our 
responsibility to being an active participant in helping 
prevent these types of attacks. Everyone at SolarWinds is 
committed to doing so. And we value the trust and confidence 
our customers place in us.
    Thank you again for your leadership in this very important 
matter. We appreciate the opportunity to share our experiences 
and our learnings. And I look forward to your questions.
    [The prepared statement of Mr. Ramakrishna follows:]
    Vice Chairman Rubio. Thank you. And for the Members who 
haven't yet voted, I guess everybody's voted because 
everybody's almost gone here.
    So, Mr. Smith, thank you for being here. We appreciate it.


    Mr. Smith. Well thank you, Vice Chairman Rubio, and a huge 
thank you to Chairman Warner for bringing us all together to 
discuss what is obviously such an important issue to the 
country, and indeed to the world. And I also just want to say 
thank you to Kevin and Sudhakar. It took the leadership, and 
I'll say even the courage, of companies like FireEye and 
SolarWinds to step forward and share information. And it is 
only through this kind of sharing of information that we will 
get stronger to address this.
    I think Kevin and Sudhakar have done an excellent job of 
describing what happened. So I don't want to retrace the steps 
that they so ably took. Let me talk about two other things. 
First, what does this mean? And second, what should we do? 
Well, roughly 90 days or so since we first heard about this 
from Kevin's firm, from FireEye, I think we can step back and 
start to think about what it means.
    First, we're dealing with a very sophisticated adversary. 
And Vice Chairman Rubio, I think your words of wisdom, of 
caution, about avoiding certain labels are well put. But I do 
think we can say this: at this stage, we've seen substantial 
evidence that points to the Russian Foreign Intelligence Agency 
and we have found no evidence that leads us anywhere else. So 
we'll wait for the rest of the formal steps to be taken by the 
government and others. But there's not a lot of suspense at 
this moment in terms of what we're talking about.
    It's very, very clear that this agency is very, very 
sophisticated. And as Kevin noted, that has been true for a 
long time. That is not new. But I think two other things are 
new. The first is the scale of this attack, or hack, or 
penetration, or whatever we should call it. At Microsoft, as we 
worked with customers that had been impacted by this, we 
stepped back and just analyzed all of the engineering steps 
that we had seen. And we asked ourselves how many engineers did 
we believe had worked on this collective effort? And the answer 
we came to was at least 1,000. I should say at least 1,000 very 
skilled, capable engineers.
    So we haven't seen this kind of sophistication matched with 
this kind of scale. But there's one other factor that I do 
believe puts this in a different category from what we have 
seen. And I think even with a thoughtful consideration, it is 
appropriate to conclude even now: this was an act of 
recklessness, in my opinion.
    Why? Well, in part, I think Chairman Warner put it very 
well. The world relies on the patching and updating of 
software. We rely on it for everything. We rely on it not only 
for the safety and health of our computers, we rely on it for 
our physical infrastructure, for hospitals, and roads, and 
airports, because they all run on software. To disrupt, to 
damage, to tamper with that kind of software updating process 
is, in my opinion, to tamper with what is in effect the digital 
equivalent of our public health service. It puts the entire 
world at greater risk. And it was done I think one must 
acknowledge in a very indiscriminate way: to seek to plant 
malware and distribute it to 18,000 organizations around the 
world is in truth an act without clear analogy or precedent.
    We've seen this done in Ukraine, but we haven't seen it 
done quite like this. It's a little bit like a burglar who 
wants to break into a single apartment but manages to turn off 
the alarm system for every home and every building in the 
entire city. Everybody's safety is put at risk. And that is 
what we're grappling with here.
    So what do we do?
    I think we have to start by acknowledging and recognizing 
we need to do a lot. We all need to do a lot. We need to do a 
lot ourselves, and we need to do a lot together. Certainly, as 
Sudhakar was mentioning, we need to focus on the integrity, the 
protection of software build systems.
    The International Data Corporation estimates that there 
will be half a billion--500 million software apps--created in 
the next three or four years. That's half a billion build 
systems. And it's not just software companies; it's banks, it's 
hospitals, it's governments. It's everyone that creates 
software. There are new steps that we will need to take to 
better secure and protect against the kind of attack that we 
saw here.
    Second, I think we have a lot of work still to do, 
certainly across the United States, when it comes to the 
modernization of our IT infrastructure and to the application 
of IT best practices. At Microsoft, we can only see this attack 
among our customers when it got to their use of their cloud 
services and all of the attacks that took place, took place on 
premise. Meaning a server that was in a server room or a closet 
somewhere. And it points to the fact that until we modernize 
and move more people to the cloud, we're going to be operating 
with less visibility than we should.
    Third, we do need to enhance the sharing of threat 
intelligence. That's the term in the cybersecurity community 
for information about attacks that people are seeing. And our 
basic challenge today is that that information too often exists 
in silos. It exists in silos in the government, exists in 
different companies. It doesn't come together.
    Fourth, I think because of that need, it is time not only 
to talk about, but to also find a way to take action to impose 
in an appropriate manner some kind of notification obligation 
on entities in the private sector. And so of course you know, 
it's not a typical step when somebody comes and says, ``place a 
new law on me, put it on ourselves, put it on our customers,'' 
but I think it's the only way we're going to protect the 
country. And I think it's the only way we're going to protect 
the world.
    And finally, I do believe it is time--it's maybe even 
overdue time--for us to look at the rules of the road, the 
norms and laws, that if not every government is prepared to 
follow, at least the United States and our likeminded allies 
are prepared to step up and defend. And among other things, to 
say that this kind of tampering indiscriminately and 
disproportionately with a software supply chain needs to be 
off-limits. And there needs to be attribution and there needs 
to be accountability, as officials in the White House are now 
    Finally, I'll close by addressing one question that Vice 
Chairman Rubio, I think you posed. Who knows the entirety of 
what happened here? One entity knows. It was the attacker. The 
attacker knows everything they did. And right now the attacker 
is the only one that knows everything they did. We have pieces. 
We have pieces at Microsoft, SolarWinds, FireEye, CrowdStrike, 
others; we all have slices. People in the U.S. Government.
    But we need to bring those slices together. And until we 
do, we'll be living and working and defending on an uneven 
playing field. That is not a recipe for success. But let's also 
acknowledge one other thing: we know more than we did 100 days 
ago. We are better informed, we are smarter, and we can turn 
that knowledge into a resolve and action. That's what we need 
to do. That's what I hope the Congress can do. That's what I 
think the country and our allies need to do. If we use what we 
have learned, we can better protect our future. Thank you.
    [The prepared statement of Mr. Smith follows:]
    Vice Chairman Rubio. Thank you. And finally Mr. Kurtz, I 
believe, is on virtual?
    Mr. Kurtz. Yes.
    Vice Chairman Rubio. All right. Excellent.


    Mr. Kurtz. Thank you. Good afternoon, Chairman Warner, 
Ranking Member Rubio, and Members of the Committee, thank you 
for the opportunity to testify today.
    During my three-decade career in cybersecurity, I have seen 
first-hand the evolution of adversary techniques and have been 
at the forefront of developing the solutions to thwart them. By 
the time I co-authored the original edition of ``Hacking 
Exposed'' in 1999, which later became the No. 1 selling book in 
security, it was clear that organizations consistently failed 
to adequately defend themselves.
    When I co-founded CrowdStrike in 2011, it was based on a 
conviction that the then-dominant approaches to security were 
no match for adaptive and well-resourced adversaries. We set 
out to elevate the industry's focus from stopping malware to 
preventing breaches regardless of their source.
    My testimony today is based on my prior and current 
experiences protecting thousands of organizations across the 
globe. I will begin by discussing our high-level findings in 
the supply chain compromise and what lessons we might take away 
from it.
    In mid-December, SolarWinds engaged our professional 
services team to perform incident response. Although we had not 
worked with SolarWinds prior to this engagement, nor had they 
used our software in the past, our teams collaborated 
effectively to investigate the breach, enhance their security 
posture, and share actionable intelligence with the entire 
security community. With their encouragement, we continue to 
coordinate and share findings with customers, industry 
partners, and Federal agencies as appropriate.
    Today, I would like to highlight a few significant 
capabilities this particular threat actor exhibited. Notably, 
the threat actor took advantage of systemic weaknesses in the 
Windows authentication architecture, allowing it to move 
laterally within the network as well as between the network and 
the Cloud by creating false credentials, impersonating 
legitimate users, and bypassing multi-factor authentication.
    The threat actor modified code within the development 
pipeline immediately prior to the software build, the final 
stage before source code becomes software. The threat actor 
leveraged unique IP addresses for commanding and controlling 
infrastructure for each of its victims, complicating 
investigations into the scope of the campaign, but used common 
encryption methods and scrubbing techniques to avoid leaving 
behind unique indicators.
    The threat actor was selective in activating the backdoors 
it implanted, purposefully selecting its victims from the wider 
universe of those who were vulnerable. With respect to 
attribution, CrowdStrike refers to this activity cluster behind 
these events using the name ``StellarParticle.'' We are aware 
that the U.S. Government has stated this threat actor is likely 
of Russian origin. While we currently are unable to corroborate 
that finding, we have no information to suggest it is 
    Regardless of attribution, there are a number of takeaways 
from these events. This campaign, in particular, emphasized the 
need to improve two important security disciplines: those 
involving supply chains and those involving security 
    StellarParticle is just the latest demonstration of supply 
chain attacks as a threat vector. This follows a number of 
previous high-impact campaigns where the origins of attack are 
at the vendor level. With respect to software development, in 
addition to ensuring secure coding practices and adequate code 
review, organizations must protect the development platforms 
and code repositories at least as well as their enterprise 
    Next, I would like to extend our considerations beyond this 
particular campaign, and address six essential cybersecurity 
concepts and emerging technologies.
    The first is threat hunting. We know that the adversaries 
periodically breach even very well-defended enterprises. 
Properly trained and resourced defenders can find these bad 
guys and thwart their goals.
    The second concept is speed. Every second counts to stop 
threat actors from achieving their objectives.
    Third is the power of machine learning prevention. The core 
state-of-the-art cybersecurity solution is the ability to 
defeat novel threats. Machine learning and artificial 
intelligence are essential.
    Fourth is the need to enhance identity protection and 
authentication. As organizations further embrace Cloud services 
and work-from-anywhere models, enterprise boundaries have 
continued to erode. This trend increases the risk of relying 
upon traditional authentication methods and further weakens 
legacy security technologies.
    One of the most sophisticated aspects of the 
StellarParticle campaign was how skillfully the threat actor took 
advantage of architectural limitations in Microsoft's Active 
Directory Federation service. The Golden SAML attack allowed 
them to jump from customer on-premise environments and into 
Cloud and cloud applications, effectively bypassing multi-
factor authentication. This specific attack vector was 
documented in 2017 and operates as a Cloud-scale version of 
similar identity-based attacks I originally wrote about in 
    Moving to the fifth concept, let's touch upon principles of 
zero trust. Instead of authenticating to a network or device 
once and having ready access to everything that's connected, 
users must re-authenticate or otherwise establish permission 
for each new device, or resource they wish to access. This 
reduces or prevents lateral movement and privilege escalation.
    Finally, I will touch upon something known as XDR, which 
stands for ``extended detection and response.'' Security teams 
demand contextual awareness and visibility from across their 
entire environments, including within Cloud and ephemeral 
workloads. As this Committee will appreciate, XDR generates 
intelligence from what otherwise may be no more than 
information overload. Each of these concepts applied equally to 
all organizations and regardless of size is a must.
    The last point is critical. Often, adversaries specifically 
target smaller organizations as a means to a greater end. This 
is part of the supply chain problem. We are proud that a number 
of security companies, including CrowdStrike, are committed to 
offering comprehensive, easy-to-use solutions and managed 
security services to organizations of all sizes with varied 
budgets. We also appreciate the need for improvements to 
government cybersecurity.
    Some of the most talented people in the field have worked, 
or currently work, in government organizations. Unfortunately, 
in many instances, our government colleagues are hobbled by 
legacy technologies, programs, complex procurement processes, 
or compliance obligations that detract from their core security 
    I realized that I've described a set of enormous challenges 
today. But I would like to close in a positive note. With 
CrowdStrike's visibility into trillions of security events 
across thousands of customers globally, I'm encouraged by the 
silent victories the security community experiences every 
second of every day. Defenders face an endless, evolving 
threat. But I remain optimistic that working together, we can 
    I hope my testimony today has offered some guidance on how 
we can accomplish that shared goal. CrowdStrike has its sleeves 
rolled up and is ready to continue to work with this Committee 
and the greater security community to achieve success. I would 
like to thank the Committee for inviting me to testify today 
and for its leadership. I look forward to answering your 
    Thank you.
    [The prepared statement of Mr. Kurtz follows:]
    Vice Chairman Rubio. Thank you. Let me just begin, Mr. 
Kurtz, by saying you've shown tremendous operational security 
behavior there. That backdrop you have in that video, you could 
be anywhere in the world.
    There's no way we could tell where you are just looking at 
that. I'm going to get that backdrop. That's awesome.
    So let me ask you and Mr. Mandia the same question. So let 
me just say, you know, everyone is familiar--I think the 
general public is familiar--with cyber-attacks and hacks. And 
the general guidance everyone is given is, you know, don't put 
some simple password like ``1234.'' They're easy to guess. 
Because we've seen, you know, they can guess it. There's all 
kinds of things out there that are also to be able to be 
cracked by them.
    Then there's the infamous--or the well-known--phishing 
email. You get an email, you click on it, and they're in your 
system. These are all hardware-type, sort of brute-force 
    For folks at home, who may watch this later or trying to 
understand what the big deal about all this, this involves the 
other thing we're told that we need to do all the time, which 
is constantly upgrade your software. Every time you get a 
software update, put it in because it's got new security 
features. So these guys get into that software update and 
you're basically in. It's almost like bringing them into your 
system under the guise of protecting you.
    And that's what we're dealing with here today. And this has 
been a known vulnerability; something that people knew was a 
theoretical possibility. My understanding is this is the first 
time we've ever seen it at this scale or scope. And you'll 
correct me in your answer if I'm wrong.
    The question I would have for all of you, but really for 
Mr. Mandia and Mr. Kurtz, is this a sophisticated technique? 
This is not something that someone could do out of the basement 
of their home. Or is this something that could eventually we 
could see it become widespread? What level of sophistication do 
you need to embed yourself in the software upgrade that 
ultimately winds up in someone's system?
    Mr. Mandia. You know, I'll jump on that first. And this was 
a planned attack. This is not something done in somebody's 
basement. There is somebody that thought about this. My gut is 
this attack started somewhere where somebody said, ``If we 
wanted to compromise these entities, where's the supply 
chain?'' They probably had a list of five to ten companies. 
SolarWinds was one of them. And they figured out who can we get 
into? How do we do the implant?
    When they got into SolarWinds, they didn't just rush right 
to the implant. They wanted to make sure they could inject code 
first in the build process. That was in October '19. Then four 
to five months later, they have an implant. In that four to 
five months, they designed an implant that masqueraded to look 
like SolarWinds traffic. It was hard to pick up on the network. 
It had things in it in the malware, and you know malware--a lot 
of times you hear that word, you just shut down. And what's he 
going to say next?
    Well, this is what this malware did. It slept for the first 
11 days after it was installed. So that if somebody did detect 
its beacon going out, they wouldn't be able to associate a 
beacon from the SolarWinds machine to the update they did 
randomly 11 days sooner. Another thing it did is it looked for 
nearly 50 different products and shut them down when it ran.
    So people are like, why didn't anybody detect this implant? 
It's because when it executed, it looked to see if 
CrowdStrike's agent was on the endpoint, if FireEye's agent was 
on the endpoint, if Windows Defender was on the endpoint, and 
it shut it off. You don't make a backdoor as a bad guy as a 
regular user. You make one as the root user, a system-level 
    Senator Rubio, there's no doubt in my mind this was 
planned. It was an operation. There was a lot of people 
involved. And the question really is: where's the next one? And 
when are we going to find it?
    Vice Chairman Rubio. Mr. Kurtz, I'm guessing you probably 
agree with that assessment. So this is all without little doubt 
a nation-state actor. It would take that level of 
sophistication, is that right? Do both of you agree with that?
    Mr. Mandia. I do.
    Mr. Kurtz. Yes.
    Vice Chairman Rubio. Who? Who is that nation-state actor? 
Have you seen indications in it that tell you this is who we 
believe it is?
    Mr. Mandia. George, you want to go first on that one?
    Mr. Kurtz. Well, when we look at the adversaries across 
various nation-state actors, obviously, there's a level of 
sophistication and tradecraft. And as I pointed out in my 
testimony, the tradecraft and operational security was superb. 
One of the things that we typically look for are things like 
markings within tool chains. And what we saw, in particular 
with the back door and the build process, was something we call 
``code washing.'' And that was actually removing these tool 
chains to these fingerprints that Kevin indicated that our 
company and his company keep on file, right? So we know who the 
bad guys are and how they operate.
    In this particular case, these tool chains and the 
infrastructure is very unique. What that means is they took 
particular care to actually conceal their identity. And at the 
highest level, we've attributed, as I said in my written and 
verbal testimony, to a particular cluster of activity. I know 
the government has talked about Russia as being one of the 
threat actors. You know, from our perspective, we have nothing 
further to add to either confirm or deny that; but what I can 
tell you, it is absolutely a sophisticated nation-state actor.
    And as Kevin said, this took a lot of work. A lot of 
planning went into this. And we think about how difficult 
software is to build. Each one of my esteemed panelists are in 
the software business. We know how hard it is to build 
software, to get software working. And the idea to actually 
inject something and have it all work without errors, and 
without anyone actually seeing it is, again, superb tradecraft 
and something you have to look at and say it's very novel in 
its approach.
    So I'll turn it back to Kevin and Brad, they probably have 
some further thoughts on the attribution piece. But as I 
mentioned, a sophisticated actor that we continue to track.
    Mr. Mandia. And one thing unique to this case is when you 
do the evidence on 1,000 cases a year and something doesn't 
fall into a grouping, that's odd. That's peculiar. And then 
when you go back 17 years of cases and digital fingerprints, 
and it still doesn't fall into it. You start doing process of 
elimination. You talk. You know, when we found the IP addresses 
used to attack FireEye, we did go to partners like Microsoft, 
we went to the U.S. Government--what I call ``ring zero.'' You 
go to the intel agencies. Nobody had seen them in use before.
    I'll just sum up my comments this way. We went through all 
the forensics. It is not very consistent with cyber espionage 
from China, North Korea, or Iran. And it is most consistent 
with cyber espionage and behaviors we've seen out of Russia.
    Chairman Warner. Appreciate those answers. I do think we've 
had the previous Administration acknowledge likely Russian. 
We've had testimony of the people in front of us. We've had the 
current Administration acknowledge this source as well. I think 
the sooner we make even more fulsome attribution, the better 
because we need to call out our adversary--know we know who did 
it--and plan an appropriate response.
    And I agree with Senator Rubio: we don't even have our 
language down entirely. Sometimes we know we know what 
espionage is; we know what a denial of service attack would be 
at the other end of the spectrum. Where this fits is, I think, 
one ongoing question.
    But I think we've oftentimes talked about this as ``the 
SolarWinds hack.'' But there are other vectors. In my 
understanding, the Wall Street Journal has reported that as 
many as 30 percent of the victims were not accessed through 
SolarWinds but by other means--and maybe this is best for 
FireEye and CrowdStrike. And obviously, Microsoft would have a 
view as well.
    Why aren't we getting more details about the other vectors 
that the adversary has entered? The other platforms that may 
have been utilized? Again, I think this is reflective of the 
point that since we are totally waiting on willing 
participants, we could still be uninformed because other major 
enterprises could be victims as well but had not chosen to come 
forward. So how can we get a better handle on the non-
SolarWinds component of this attack?
    Mr. Mandia. I can tell you this is--we're doing Stage Two 
investigations right now for our customers. And the number one 
other way we're seeing these attackers break in is what's 
called ``password spraying.'' They're just popping passphrases 
that they got from some breach over here and they're 
recognized. If you think about it, all of us probably have 
Amazon accounts; we have Microsoft accounts; we have Google--
whatever we're using. We have an email account and a passphrase 
that we may use to access a whole bunch of applications. Some 
of those third-party breaches make our user ID and passphrase 
aware to the threat actor and then they try it on your 
corporate networks.
    So these aren't when I say password spraying, I almost feel 
like, sir, they know some of these passphrases by the time they 
show up and knock on your door. So you know, we have 3,300 
employees at FireEye, I have to believe that some of them use 
their FireEye.com email to access dozens, if not more, of the 
apps on the internet. If any of those vendors get compromised 
and their passphrase is compromised and they use the same 
passphrase for Amazon.com as FireEye.com, we may have a 
problem. So that's another attack that they use.
    And here's the reality: this group has zero-day capability, 
most likely. They're going to--how they get initial foothold to 
the network will continue to change. But the way you know it's 
them is when they come back in, they target the same things, 
the same people, the same emails, similar documents, like they 
have collection requirements.
    Chairman Warner. To my question, Brad and George, if you 
want to add to this. Again, we've talked about this as a 
SolarWinds hack, but there are other vectors that they entered. 
And, but for the fact that you came forward, both SolarWinds 
and Microsoft came forward, there may be other very large 
enterprises that have not been as forward leaning that may mean 
this vulnerability still exists.
    Mr. Smith. Yes. I would say, Mr. Chairman, a couple of 
things. First, absolutely. There are more attack vectors and we 
may never know exactly what the right number is.
    I think the first question you're in effect asking is well, 
why? And I would analogize to this: you know, this is like 
finding someone in the building and now you have to figure out 
how they got in. And you know, in our case at Microsoft, we 
identified 60 customers where we figured out that they had 
obtained, once they got in, typically, the password to 
somebody, an IT administrator who could get them into, say, 
something like Office 365. But in each instance, they got in on 
premise, so it wasn't in our server or our service. And so we 
need to work with somebody else to get to the bottom.
    Chairman Warner. But doesn't that mean, though, that this 
is not demonstrating a unique vulnerability that's in Microsoft 
    Mr. Smith. Oh absolutely.
    Chairman Warner.--or Microsoft Cloud? But there may be 
other brand-name players that may have been penetrated that 
have not been as forthcoming who are leaving policymakers and 
potentially customers in the dark. Is that true or not true?
    Mr. Smith. It is absolutely true. I think it means two 
things. One is yes, there's a variety of services. And there 
are a lot of ways in. I also would just pick up on one of the 
things that Kevin said, because he used a phrase that is 
familiar to all of us in the cybersecurity community but 
probably not to, say, somebody who is watching this hearing 
from home--this notion of a ``password spray.''
    Yes, I think in recent years, we've all sort of learned 
that people may try to figure out our own individual password. 
A password spray is when you use a single password, and you 
apply it to a lot of accounts. For example, if I were to go 
back to where I grew up near Green Bay, Wisconsin and have 
1,000 email addresses from people in Green Bay, and I just 
applied the password ``gopackgo,'' I'll bet dollars to 
doughnuts, there's a Green Bay Packers fan who's using that 
password. In fact, I'll bet there's more than one. And if I 
find ten of those, 1,000, then I'm in and I can go from there.
    So it just points to a variety of tactics. From the most 
sophisticated really, when you're talking about disrupting a 
supply chain, to the very broad that point to just a lot of 
factors. We all need to keep learning about how to secure our 
own email and other accounts.
    Chairman Warner. Well, I'm going to move to Senator Cornyn. 
But it does beg the question that Senator Rubio and I both 
asked about when a large enterprise like Amazon is invited they 
ought to be participating. There are other brand name known IT 
and software and cloud services that may have been vulnerable 
to this kind of incident as well, and their public and active 
participation, we're going to make sure that takes place.
    Senator Cornyn.
    Senator Cornyn. Thank you, Mr. Chairman. And thanks to each 
of you for testifying here today. I share the concern that has 
been expressed that Amazon Web Services declined to 
participate. I think that's a big mistake. It denies us a more 
complete picture that we might otherwise have. And I hope they 
will reconsider and cooperate with the Committee going forward.
    Mr. Ramakrishna, thank you for talking with me yesterday. 
And since you're headquartered in Austin, Texas, I took 
particular note of that fact and appreciate that conversation.
    I think one of the things we discussed is something that 
Chairman Warner brought up and that is, even though SolarWinds 
is the focus of what we're discussing here today, this is not 
unique to SolarWinds. Correct?
    Mr. Ramakrishna. Senator Cornyn, thank you for that 
question. You're absolutely right. I'll elaborate on the 
question that Senator Warner asked and tie the two comments 
together here.
    Supply-chain attacks are happening as we speak today, 
independent of SolarWinds events. There was a report just two days 
ago about a French company being hacked and it was dubbed as a 
supply-chain attack.
    As we discovered what we call Sunspot--the code, the 
injected tool--and as we evaluated it, it is blindingly obvious 
that that can be applied to any software development process, 
which is the reason why we believe that dubbing it simply as a 
SolarWinds hack is doing injustice to the broader software 
community and giving us a false sense of security, possibly, 
which is the reason why that--even though we are taking 
corrective steps and learning from this experience--we consider 
it our obligation to be a very active participant in this 
endeavor to make us all more safe and secure by promptly 
outlining our findings and communicating them with both our 
government authorities as well as the industry.
    Senator Cornyn. Our time is limited today and I hope at 
some point we can talk about the attribution and the putting 
the Russian intelligence services or whoever is responsible 
here at risk because right now it seems to me that we are doing 
a very bad job, generally speaking, of punishing the people who 
are perpetrating these attacks.
    But let me just ask you, at different times, I know there's 
been legislation offered. Senator Collins and I discussed some 
that she had introduced previously with Joe Lieberman, our 
friend the former senator. It seems to me that there should be 
an obligation of some sort, on the part of a victim of a cyber-
attack like this, to share what they know, what they've 
learned, with the appropriate authorities. And I can only 
imagine the chills that run up and down some people's backs 
when I say that. I think about liability concerns, other 
reputational risks, and the like.
    But if we're going to get our arms around this at all, it 
seems to me we need to know a lot more than we know under the 
current practices in terms of the obligation of the victims to 
step forward. Before I asked you about that and what that would 
look like, perhaps with some sort of liability protection 
associated with it. I will tell you that I'm a Member of the 
Judiciary Committee, as Senator Feinstein is. And we actually 
have designated seats on the Intelligence Committee from 
certain authorizing committees like the Judiciary Committee.
    And Mr. Smith, from your experience testifying there, 
usually when we're talking about data breaches, people want to 
talk about the company that allowed the data breach, how could 
we sue them? And which is an entirely different perspective 
than I think we need to have--a more complete approach to this 
and one that does not treat the victim as the offender, but one 
that works more cooperatively.
    So what about some sort of mandatory disclosure obligation 
that maybe would be coupled with some sort of liability 
protection? I know in the intelligence field in the past, phone 
companies that have cooperated with certain collection have 
gotten liability protection as part of that.
    Mr. Smith, do you have a view on that?
    Mr. Smith. Yes, I do. I think the time has come to go in 
that direction. I think Senator Collins was either ahead of her 
time or the rest of us were behind our time. But either way, I 
think we can find a way to move forward this year.
    I could perhaps use the word notification rather than 
disclosure. We should notify someone. We should notify. I think 
a part of the U.S. Government that would be responsible for 
aggregating threat intelligence and making sure that it is put 
to good use to protect the country, and for that matter people 
outside the country. I think we need to decide upon whom it 
should be that that duty should fall on. It should certainly 
fall on those of us in the tech sector who are in the business 
of providing enterprise and other services.
    I think it's not a bad idea to consider some kind of 
liability protection. It will make people more comfortable with 
doing this. This is about moving information fast to the right 
place so it can be put to good use.
    Senator Cornyn. Mr. Chairman, can I ask the other witnesses 
if they have a different view or additional views on that 
    Mr. Mandia. No, I agree with it. And coming down to another 
level of specificity to me, notification needs to be 
confidential or you don't give organizations the capability to 
prepare for those liabilities. And so we like the idea of you 
can notify with threat intelligence that's actionable, you get 
speed from that if it's confidential because you can have 
threat data today and your arms around the incident three 
months from now. And it's just too big of a gap to have a 
disclosure law, and we're getting the intel three months to 
five months too late.
    So I like the idea of confidential threat intelligence 
sharing to whatever agency has the means to push that out to 
places, then disclosures that were a legal requirement to 
inform those who are impacted. And you don't know that day one. 
In FireEye's case, we were sharing intel really fast. And we 
did not know what we had lost in our breach yet, but we knew 
there was something different about it. So I just think that's 
an extra detail. Get the intel out there quickly if it's 
    Senator Cornyn. Mr. Chairman, my time is expired so I'll 
yield back.
    Chairman Warner. I think this is a subject that we're going 
to come back around to and there are models out there. I don't 
think our traditional reporting mechanisms necessarily work. So 
the National Transportation Safety Board or others. Senator 
Wyden's up next.
    Senator Wyden. Thank you, Mr. Chairman.
    The impression that the American people might get from this 
hearing is that the hackers are such formidable adversaries 
that there was nothing that the American government or our 
biggest tech companies could have done to protect themselves. 
My view is that message leads to privacy-violating laws and 
billions of more taxpayer funds for cybersecurity.
    Now, it might be embarrassing, but the first order of 
business has to be identifying where well-known cybersecurity 
measures could have mitigated the damage caused by the breach. 
For example, there are concrete ways for the government to 
improve its ability to identify hackers without resorting to 
warrantless monitoring of the domestic internet.
    So my first question is about properly configured 
firewalls. Now the initial malware in SolarWinds' Orion 
software was basically harmless. It was only after that malware 
called home that the hackers took control and this is 
consistent with what the Internal Revenue Service told me, 
which is while the IRS installed Orion, their server was not 
connected to the internet. And so the malware couldn't 
communicate with the hackers. So this raises the question of 
why other agencies didn't take steps to stop the malware from 
calling home.
    So my question will be for Mr. Ramakrishna, and I indicated 
to your folks I was going to ask this. You stated that the 
backdoor only worked if Orion had access to the Internet, which 
was not required for Orion to operate. In your view, shouldn't 
government agencies using Orion have installed it on servers 
that were either completely disconnected from the internet or 
were behind firewalls that blocked access to the outside world?
    Mr. Ramakrishna. Thanks for the question, Senator Wyden. It 
is true that the Orion platform software does not need 
connectivity to the internet for it to perform its regular 
duties, which could be network monitoring, system monitoring, 
application monitoring on-premises of our customers.
    Senator Wyden. It just seems to me--what I'm asking about 
is network security 101 and any responsible organization 
wouldn't allow software with this level of access to internal 
systems to connect to the outside world, then you basically 
said almost the same thing.
    My question then, for all of you: is the idea that 
organizations should use firewalls to control what parts of 
their networks are connected to the outside world is not 
exactly brand new. NSA recommends that organizations only allow 
traffic that is required for operational tasks, all other 
traffic ought to be denied. And NIST, the standards and 
technology group, recommends that firewall policy should be 
based on blocking all inbound and outbound traffic, with 
exceptions made for desired traffic. So I would like to go down 
the row and ask each one of you for a yes or no answer. Whether 
you agree that the firewall advice would really offer a measure 
of protection, from the NSA and NIST? Just yes or no. And if I 
don't have my glasses on, maybe I can't see all the name tags, 
but let's just go down the row.
    Mr. Mandia. And I'm going to give you the ``it depends.'' 
The bottom line is this. We do over 600 red teams a year; a 
firewall has never stopped one of them. You know, a firewall is 
like having a gate guard outside of New York City apartment 
building and they can recognize if you live there or not and 
some attackers are perfectly disguised as someone who lives in 
the building and walks right by the gate guard. In theory, it's 
a sound thing. But it's academic in practice. It is 
operationally cumbersome.
    Senator Wyden. I don't want to use up all my time.
    Mr. Mandia. Nope.
    Senator Wyden. We'll say that your response to NSA and the 
National Institute of Standards, ``it depends.'' Let's just go 
down the row.
    Mr. Ramakrishna. So my answer, Senator, is yes to standards 
such as NIST 800-53 and others that define specific guidelines 
and rules.
    Senator Wyden. Very good.
    Mr. Smith. I'm squarely in the ``it depends'' camp.
    Senator Wyden. Okay.
    Mr. Smith. For the same reasons that Kevin is.
    Senator Wyden. Okay, I think we have one other person, 
don't we?
    Mr. Kurtz. Yes. And I would say firewalls help but are 
insufficient. And, as Kevin said, and I would agree with him, 
there isn't a breach that we've investigated that the company 
didn't have a firewall or even legacy antivirus. So when you 
look at the capabilities of a firewall, they're needed. But 
certainly they're not the be-all and end-all. And generally, 
they're a speed bump on the information superhighway for the 
bad guys.
    Senator Wyden. I'm going to close and my colleagues are all 
waiting. The bottom line for me is that multiple agencies were 
still breached under your watch by hackers exploiting 
techniques that experts had warned about for years. So in the 
days ahead, it's going to be critical that you give this 
Committee assurances that spending billions of dollars more 
after there weren't steps to prevent a disaster attack, 
disastrous attacks, that experts had been warning about was a 
good investment. So that discussion is something we'll have to 
    Thank you, Mr. Chairman.
    Chairman Warner. Is Senator Cotton on the web?
    Senator Cotton. Yes, I am here. So thank you, Mr. Chairman. 
Gentlemen, thank you for your appearance today.
    I want to start, Mr. Smith, with you. Microsoft has said 
some of its source code was stolen. Does that present future 
security risks? And if so, what are you doing to mitigate it at 
    Mr. Smith. Well, the short story is, our security system 
does not depend on the secrecy of our source code. I mean, we 
live in a world where probably there's more source code by tech 
companies published in open-source form than there is that's 
not published. And at Microsoft, our source code is accessible 
to every Microsoft employee. It's not considered to be a 
particular secret, and our entire threat and security model is 
based on the premise that there will be times when people will 
have access to source code.
    Do we like the fact that this actor saw it? Absolutely not. 
But we do not believe that it undermines or threatens our 
ability to keep our customers or ourselves secure. We will, by 
the way, as we always do, to answer the rest of your question, 
Senator, we'll ask ourselves, what do we change? It's not 
apparent to me that I need to have access to our source code. 
It's not apparent to me that our Senate lobbyists need to have 
access to our source code. So we may have fewer people that 
have access to source code in the future, but it's really not 
at all the heart or center of what we're focused on here.
    Senator Cotton. Okay. Mr. Ramakrishna, approximately 30 
percent of the victims of the attack were not using SolarWinds 
software. What do you think that tells us about the nature of 
the attack and what victims were targeted and how they were 
    Mr. Ramakrishna. Senator Cotton, thanks for the question. 
This is referring to the Wall Street Journal report, I believe. 
Thirty percent is an approximation. As best as we know, there 
are many different types of attacks and different types of 
threat vectors. We are not a security company per se. So we 
wouldn't have detailed information about those types of threat 
vectors. But what I can share is the discoveries that we have 
made with Sunspot can apply to any supply chain out there, and 
it's quite possible that there are active supply chain attacks 
ongoing right now, some of which we may know about, some of 
which are yet to be discovered.
    Senator Cotton. Mr. Mandia or Mr. Kurtz, would you like to 
respond as well?
    Mr. Mandia. George, go ahead.
    Mr. Kurtz. Well you know, again, when you look at the 
supply chain of attacks here, it is very difficult obviously to 
identify these things. And when we look at the adversary's 
capabilities, and we look at what was actually done, as we 
talked about earlier, it's not an easy problem to solve. And 
you know, from my perspective, it's one that we have to come 
together, we have to continue to share intelligence and 
information. And we have to realize that there are many other 
techniques and actors that are out there. And when you look at 
the overall landscape you know, 30 percent weren't from 
SolarWinds. This isn't a surprise.
    Over the last year, we stopped 75,000 breaches that are in 
process, and probably a quarter of them were nation-states. So 
this happens every day from every nation-state actor, every e-
crime actor, and their variety of tools and different 
techniques and tasking orders that are out there. So it's an 
ongoing effort and I wish there was a silver bullet. There 
isn't. But I think a big part of this is exposing the 
techniques and just how prevalent these attacks are to the 
American people. So that we can do something about it. And we 
can come together as a group, both in the technology field as 
well as in government.
    Mr. Mandia. And Senator Cotton, this is Kevin Mandia 
speaking. To me, the attacker did the SolarWinds implant. 
They've already moved on to whatever's next. We've got to go 
find it. This attacker, you know, maybe their pencil's down for 
a few months. But the reality is, they're going to come back. 
They're going to be an ever-present offense that we have to 
play defense against, and how they break in will always evolve. 
And all we can do is close the window and close the security 
gap better next time.
    Senator Cotton. Okay, then one final question. I think I'll 
direct this toward Mr. Mandia and Mr. Kurtz again.
    To what extent do we think this was designed toward what we 
might call ``collection'' in the intelligence world; simply 
trying to collect information to learn more about America's 
intentions, plans, capabilities, or what you might call a 
``covert action'' in the intelligence world, say, sabotage of 
public utilities or military applications or so far, so forth? 
Or could it be both?
    Mr. Mandia. Yes, George, I'll jump first. Just because we 
got to see what they did first-hand when they broke in us. The 
reality is this. They were very focused. They had specific 
individuals that they targeted, they had keyword searches that 
they did when they broke in. So this was not a group that 
operated like a tank through a cornfield. They had a plan, they 
had collection requirements, and to some extent, I would say 
they were disciplined and focused on those collection 
requirements. Not efficient with tradition to just grab 
whatever they could grab.
    Mr. Kurtz. And just to add what Kevin says, I think it's 
important to realize that as technology companies, we all 
leverage big data. The adversary does as well. And while 
they're collecting this information, they're also storing it, 
they're indexing it, and they have the ability to go back to 
it. So if a new order comes in--a new, specific order to target 
a company, target a government organization--they can look for 
that access, they can look at what's already been collected, 
they could leverage that.
    The second piece of this is in the early days it was 
network exploration. Then it turned into data exfiltration. And 
then it turned into data destruction and an impact, right? So 
certainly, when you have this level of access, you can collect 
data. If you start impacting systems, it's a pretty good way to 
get caught.
    So could it be turned into that? Absolutely. But in 
general, what we've seen is collection, and that simply goes 
into the big machine, the big apparatus to be used again for 
further missions.
    Chairman Warner. Senator Bennet.
    Senator Bennet. Thank you. Thank you all for being here 
today. Thank you, Mr. Chairman, for holding this hearing.
    I wanted to get some clarification along the same lines as 
Senator Cotton, actually. Mr. Mandia, maybe I'll start with you 
just for people at home who don't understand how, you know, 
what they've read is this is a SolarWinds----
    Mr. Mandia. Right.
    Senator Bennet [continuing]. investigation. That's what 
they imagine what we're dealing with here. That's clearly not 
the case, based on what we saw in the Wall Street Journal 
report with only 30 percent of the folks who somehow got pulled 
into this who had no SolarWinds----
    Mr. Mandia. Right.
    Senator Bennet [continuing]. connection. Help us understand 
what that means in terms of the ongoing nature of this. You 
know, when you say they put their pencils down, have they 
really put their pencils down? Or are they out there working 
their pencils and we just can't see it because we don't know?
    You started out at the beginning saying maybe they went 
through a list of, like, five to ten vendors and said these are 
the likely ways in and we'll pick this one. But clearly they 
picked other ways in as well. So I'm just trying to get a sense 
of the full scope of how.
    Mr. Mandia. Yes. And you know when I said pencils down, I 
mean they were so successful on this breach they probably got a 
few days off because they collected so much information.
    Senator Bennet. Right. So they're waving the flag.
    Mr. Mandia. Basically, right now, there's such vigilance in 
the security community they're not going to spoiler their 
latest technique right now. We're all looking for it. So 
they're pencils down for the next great implant.
    Senator Bennet. Right.
    Mr. Mandia. I would be if I were them. Every intrusion 
starts with initial access. How an attacker gets that varies. 
When we say the ``SolarWinds implant,'' that was the initial 
access for a campaign this group did from March of last year 
until about December of last year when we started detecting it.
    But this group's been around for a decade or more. 
Different people go in and out of that group probably. We're 
probably responding to the kids of the people I responded to in 
the 90's when this group was active. So the bottom line, how 
they gain a foothold in a victim network, SolarWinds was a way. 
They will always have other ways.
    This is a group that hacks for a living. And then when they 
break in, what they do after they break in really doesn't 
change that much. They target specific people, primarily folks, 
at least in our case, that did work with the government. They 
target government projects. They target things that are 
responsive to key words. We respond to a lot of threat groups 
that when they break in, you can tell they broke in to make 
money or they broke in and there's a manual review where 
somebody's literally going through every file alphabetically on 
a desktop.
    These folks have economy of movement. If they broke into 
your machine, Sir, they string search it, they find responsive 
documents, they get out of Dodge. They have an economy that 
shows they're professional. And that doesn't change. So if they 
broke in yesterday via SolarWinds and we patched that and fixed 
it like we have, tomorrow they're going to have something else. 
And they're going to try to come back through whatever doorway 
they can find.
    Senator Bennet. And tomorrow they might be looking for 
something else, too.
    Mr. Mandia. The good news is usually they aren't. But 
you're exactly right. The collection requirements could change. 
We've identified this group because they'd break into a 
company. And then we'd get them out. And if they got back in, 
they're after the same sort of things and that's one of the 
indicators; it's still them. So their tools and tactics can 
change but a lot of what they target does not.
    Senator Bennet. And I'm happy for anybody to jump in if 
you'd like to. But with the rest of my time--there was some 
discussion earlier--sorry, we were in and out going to votes 
and things--about reasons they might not want to actually 
destroy data or destroy systems because they might get detected 
if they do that. Whereas if they stay in there and they don't 
mess around with stuff--. But if they wanted to really do 
mayhem in our systems, what would that look like? What does our 
worst nightmare look like?
    Mr. Smith?
    Mr. Smith. Well I'd offer a few quick thoughts. First 
building on your answering your prior question and then 
answering this one. I would just add that in addition to 
targets in the United States we have identified targets in 
Mexico, Canada, the U.K., Belgium, Spain, Israel, and the UAE. 
So it was broader and international in scope.
    Second, 82 percent of the 60 target victims that we 
identified were outside government. So I think there's an 
aspect to your question well: who else were they targeting and 
why? And I would say that there are at least two other reasons 
that we would surmise, two motives if you will. Sometimes if 
you're going after a government agency that has very good 
security practices in place, you might look for a third party 
that might have an individual who was given password and 
network access to, say, the government's network.
    And you might hope that that third party organization--
maybe it was a computer service provider, maybe it was an 
accounting or consulting firm, maybe it was a think tank that 
was working on a contract--you would hope that maybe they had 
lesser security in place and that's why you would start there. 
It's a vehicle to get somewhere else.
    And then I do think at times they target tech companies in 
part to understand how technology works. But frankly it's 
perhaps in the category of counter-intelligence. Every day we 
are looking--you heard the reference to threat hunting--we are 
looking for evidence of this organization engaged in attacks. I 
think they want to know what we know about them and what their 
methods are.
    But then I do think your other question is so important, 
because at the end of the day, what do you do once you're 
inside? Do you just collect information? Or do you wreak havoc? 
Well, this agency typically collects information. But we know 
exactly what havoc looks like. All you have to do is look at a 
day in June in 2017 when another part of the Russian government 
used exactly the same technique. A supply-chain disruption with 
a Ukrainian accounting software program. That, too, was an 
update. It turned off, damaged, 10 percent of that country's 
computers. ATMs stopped working. Grocery stores stopped the 
capacity to take credit cards. Television news stations went 
off the air. That is what havoc looks like and that is what we 
need to be prepared to defend against as well.
    Chairman Warner. We're going to move to Senator Heinrich. 
What Mr. Smith just referenced was what we refer to as 
    Mr. Smith. NotPetya.
    Chairman Warner [continuing]. but was that the potential 
existed at--even this attack.
    Senator Heinrich.
    Senator Heinrich. Thank you, Chairman.
    So if I have this right, a nation-state actor that is in 
all likelihood the Russians, used U.S. software and then 
command and control servers in U.S. data centers to conduct 
this attack. And I think the fact that this attack was launched 
from within the U.S. is potentially a really important part of 
this story. Advanced persistent threat actors know that the NSA 
is prohibited from surveilling domestic computer networks. So 
it makes sense for them to circumvent U.S. surveillance 
whenever possible.
    For any of you: do you believe that the adversary launched 
the attack from U.S. servers in a deliberate effort to avoid 
    Mr. Smith. I think it was sort of an I.Q. test. We can't 
know exactly what they thought but it looks like they passed 
the I.Q. test. They figured out that it would be more effective 
and less likely to be detected if it was launched from a U.S. 
data center.
    Senator Heinrich. Anyone else want to add to that or in 
    Mr. Ramakrishna. No, I think I would agree.
    Mr. Mandia. I agree with those statements.
    Mr. Kurtz. Yeah.
    Senator Heinrich. For Mr. Smith, while the focus continues 
to be on how the private sector shares information with the 
government, we also want to ensure that the government is doing 
enough to share information with the private sector. Mr. Smith, 
you expressed concerns in a blog following the SolarWinds 
attack about the Federal Government's insistence on restricting 
through its contracts our ability to let even one part of the 
Federal Government know that the other part has been attacked.
    Can you elaborate a little bit about this comment? And in 
what ways could the Cybersecurity Information Sharing Act of 
2015 be improved to ensure that that is possible?
    Mr. Smith. Yeah, it was, I have to admit, one of the things 
I found surprising and a bit frustrating for us. Because the 
first thing we do when we identify a customer who's been 
attacked is we let them know. We notify each and every 
customer. It was immediately apparent to us that it was 
important not just to let an individual department or agency of 
the U.S. Government know but to make sure that there was some 
central part of the government that would have this information 
about the government as a whole.
    And what we found was that our contracts prohibited us from 
telling any other part of the U.S. Government. So we would 
basically go to each agency and say can you please tell so and 
so in this other place? And the good news is, people did. They 
acted quickly. But it does not strike me as the type of 
practice that makes a lot of sense for the future. So there is 
an opportunity for reform.
    Senator Heinrich. Probably not the most efficient way to 
make sure information travels quickly.
    Mr. Smith. It doesn't seem like it's consistent with the 
year 2021 and technology.
    Senator Heinrich. Mr. Mandia. In your statement for the 
record you said that victims of crime are the first to know 
when they've been violated. But in a case like this, only a few 
government agencies and a handful of security or other private 
companies are in a position to be the first to know. I agree 
that doesn't seem right. You suggested that a small group of 
cyber first responders could prevent or mitigate the impact of 
cyber incidents through sharing information quickly and 
confidentially. That's a very intriguing idea.
    Can you describe how you think that would work?
    Mr. Mandia. You bet. There's got to be a way for folks who 
are responding to breaches to share data quickly to protect the 
Nation, protect industries. And that would require (A) defining 
what is a first responder. And I think it's pretty simple. If 
you're trying to figure out what happened to unauthorized or 
unlawful access to a network, you're a first responder.
    And if you do that for other companies beside yourself, 
you're a first responder. And first responders should have an 
obligation to share threat intelligence to some government 
agencies so that, without worrying about liabilities and 
disclosures, we're getting intel into people's hands to figure 
out what to do about it. Right now the unfortunate reality is, 
a lot of times when you share threat intel, it's just a public 
    And it makes people weary to do so and we slow down the 
process. So that's what I mean by that. I could articulate 
more. But first responders know who they are. And I think it's 
easy to define. We have many laws that define certain 
categories like Internet provider. We need to know. If you're a 
first responder, you're obligated to get threat intel into the 
bucket so we can protect the Nation.
    Senator Heinrich. No, I think that's very helpful. When you 
detected this activity were you obligated to tell the U.S. 
Government? Why or why not? And was that obligation legal or 
    Mr. Mandia. We notified the government customers we had 
before we went public with the breach. And we found out later 
based on contractual reviews who we had to notify or not. But 
the reality is the minute we had a breach, I was talking to 
what I call ring zero. The intelligence community, law 
enforcement--you don't want to get email when you don't know if 
your email's secure. So the reality is, I would say on the 
record, I think we told every government customer we had that 
we had a problem, period, before we even went public.
    Senator Heinrich. Thank you.
    Chairman Warner. Senator Heinrich, both the points that 
this was launched from domestic servers and the lack of 
information sharing were really important points. And now one 
of our new Members joining us remotely, Senator Casey. Your 
first intelligence questions.
    Senator Casey. Mr. Chairman, thanks very much. And thanks 
for the welcome to the Committee. And I appreciate the 
testimony of our witnesses.
    I wanted to start with the role of the Federal Government 
here. And maybe we'll just go down the panel starting with Mr. 
Mandia to give us an assessment of the Federal Government's 
response to date. And then I'll move to a second question 
regarding what we do going forward.
    So Mr. Mandia, why don't we start with you?
    Mr. Mandia. Without a doubt, the number one thing the 
Federal Government can do that the private sector cannot do is 
impose risk and repercussions to the adversaries. Period. So 
we've got to have some kind of public doctrine to Mr. Smith's 
idea of rules of the road. We've got to communicate where 
there's a red line. I know we think it's a tough thing to 
define, and we admire the problem, but we've got to come up 
with what's tolerable, not tolerable, communicate it so we 
don't see a gradual escalation. But to impose risk and 
repercussions is the purview of the government.
    And the second biggest thing is the attribution. The 
government's in the best place to get attribution the most 
right. So those two things without--, and by the way, there is 
no risk of repercussions if you don't know who did it. So those 
are the two things that I'd firmly place into--the government 
is best suited to do that. And I'll leave it to some of the 
other witnesses on the government's role and how to safeguard 
the private sector and work with the private sector, because I 
know we have a lot of great ideas.
    Mr. Ramakrishna. Senator, I'll keep it quick. And the 
suggestion I would make is to leverage some of the 
recommendations in the Solarium Commission report and have a 
single entity in the government, that public sector entity 
where all private sector entities can go and communicate with 
and communicate to and have the responsibility of that agency 
to then disseminate it to every relevant party.
    To date, we feel like we have to communicate with multiple 
agencies and sometimes that doesn't help us from a speed and 
agility perspective.
    Mr. Smith. Let me if I could point to two successes that I 
think are worth building on. First, I think it's really notable 
that the NSA in December published a circular that described in 
technical detail the nature of the attack, how people could 
identify whether they were victimized by it, and how they could 
protect themselves from it.
    And I think that it was extremely well done from a 
technical and cyber-security perspective and it was published 
to the world. And I think that the NSA and the U.S. Government 
did the world a great service. And that's the kind of thing 
that we should aspire to have our government do in the future.
    Second, last week I thought Anne Neuberger at the White 
House in a press conference took a similarly critical step. She 
shared to all of us information that frankly none of us had; 
namely, that the government had identified roughly 100 private 
companies and nine Federal agencies that had been impacted by 
this incident. And that tells me that there is now at work real 
efforts to consolidate this information across the different 
parts of the government. So that's encouraging.
    She's also indicated that her work is far from done. 
They're focused on next steps that need to be taken in a 
variety of ways. But I do think this is a very important 
moment. The government can speak authoritatively about the 
nature of attacks and how to protect ourselves, and the 
government can speak authoritatively about the scope that has 
    Mr. Kurtz. I would also just like to jump on this. I would 
also say that CISA's done a lot of work here--a lot of great 
work. Has put out some, I think, interesting information, 
indicators, some scripts that helped the public. And while 
we're talking about the government and we're talking about 
corporations, there's a whole host of smaller entities that are 
out there that have no real way to protect themselves. So I 
think, to Kevin's point, as a first responder--which we are, 
which he is and others--it's important that we have a single 
source that we can go to.
    We're doing incident response not only for big companies 
and governments but for many small companies. We need to be 
able to share this information as quickly as we can without 
impacting the customer themselves.
    Senator Casey. Mr. Kurtz, I'll end with you, just with one 
follow-up. When you go through what I think were six proposals 
or recommendations, what do you think is the most urgent, at 
least as it relates to the Federal Government?
    Mr. Kurtz. Well I think there's probably a couple things. 
But certainly threat hunting is one of the biggest areas. And 
as we've talked about before, it's a sophisticated actor. With 
enough time and effort, they're going to go get into somewhere. 
And we always make the distinction between an incident and a 
    There isn't a major company or a government on this planet 
that hasn't had an incident, and they will continue to have 
incidents. But you want to be able to identify those very 
quickly so they don't turn into breaches. And these are like 
sentries that are looking for the bad guys. They're looking for 
these indicators, they're looking for these back doors. And 
it's a tall task. I pointed out things like machine learning 
and artificial intelligence.
    All of my fellow witnesses are working on these sort of 
techniques as well as us. And that's a big part of a go-forward 
strategy. Figure out what's there, use the technology to our 
    Senator Casey. Thanks, Mr. Chairman.
    Chairman Warner. Thank you, Bob.
    Senator Burr.
    Senator Burr. Thanks very much.
    Let me thank all of our panelists today for your 
willingness to be here and, more importantly, for your 
knowledge in this.
    I've got to reflect for just a minute and I'm going to do 
it even though Senator Wyden left, because I strongly disagree 
with what he implied. He implied that because NSA and this--
said that proper hygiene is a firewall that should be something 
that should be mandated and everybody should use it and that 
would solve our problem.
    And the three of you that deal specifically in searching 
out intrusions said no, no, no. No. It's helpful, but it 
doesn't solve it. And to suggest that in the day of COVID that 
you've got a choice between washing your hands, hand sanitizer, 
and masks, but if you choose just to wash your hand and not do 
the other two, you're never going to get COVID. It's ludicrous. 
And I want the record to show that what the response from those 
who track these was listen, this is sophisticated. They're way 
past this.
    So yeah, that's a good thing for companies to adhere to. 
But don't think that that's going to solve it with the 
adversaries we're up against right now. I want to turn to 
George just real quick, and I want to go on Senator Heinrich's 
question. In the SolarWinds attack, Amazon Web Services hosted 
most of the secondary command and control nodes. And all of 
AWS's infrastructure was inside the United States.
    Now I feel like having a cyber-attack deja vu here, whether 
it's Russian hack of DNC in 2016, the North Korea and Sony 
hack, or current supply chain hacks, we constantly see foreign 
actors exploiting domestic infrastructure for the command and 
control to hide the nefarious traffic in legitimate traffic. 
Here's the problem. Given the legal restrictions on the 
intelligence community, we don't have the ability to surveil 
the domestic infrastructure. So what should the U.S. Government 
role be in identifying these types of attacks?
    Mr. Kurtz. Well I think it's working with providers like 
AWS, working with folks like Microsoft, working with others, 
CrowdStrike and FireEye and others. Because when you look at 
this particular attack, why did they use U.S. infrastructure? 
Because they just wanted to blend in. Right? And I can tell you 
there's a ton of attacks that we look at that use foreign 
infrastructure, that use bulletproof hosting, which is you know 
the ability to anonymize and pay for hosting and 
infrastructure. And we know who they are and we tend to look 
for those bad actors. Right?
    So if you can use infrastructure that looks legitimate no 
matter whose infrastructure it is, you're going to blend in and 
make it harder. And this particular attack was insidious just 
the way it communicated and the protocols it used. It looked 
like legitimate traffic going to infrastructure that you know 
is normal. But that's why it's important, when you think about 
these attacks, to have visibility. I talked about threat 
hunting, to have visibility on the end points, because that's 
at the tip of the spear.
    And these network access devices are just speed bumps, as I 
talked about earlier. What's actually happening is on the end 
point. What's actually happening is beaconing out. And you have 
to have visibility. And you have to collaboratively work with 
the private sector and the public sector together. And I think 
that's the only way we're going to solve it.
    Senator Burr. Kevin, I want to turn to you and I want to 
ask for a little more specific statement. You alluded to the 
fact that this is not going to stop without a government 
dictate that says: here's what we're going to do. Let me just 
ask it this way. Will it stop if they pay no price for what 
they do?
    Mr. Mandia. No. I think if you don't impose risks or 
repercussions we're all--you know I've used this analogy for so 
long, you'll get how long I've used it. We're all playing 
goalie and we're taking slap shots from Wayne Gretzky. I mean, 
the puck's going to get in the net sooner or later. And that's 
what's happening in cyber space right now. Folks are taking 
slap shots and literally there is no risk or repercussion to 
the folks doing it.
    So we're all fighting a losing battle over time.
    Senator Burr. So Sudhakar, as it relates to SolarWinds, can 
you build software today without the risk of what happened?
    Mr. Ramakrishna. Thanks for the question, Senator. We've 
done extensive analysis with our partners at CrowdStrike and 
KPMG of our entire build environment and entire infrastructure. 
And we've seen no evidence of the threat actor in our 
environment or in our build systems and our products.
    We've also learned from this experience and applied them to 
what I've been describing as ``secure by design.'' One of the 
key tenets of that is to evolve software development life 
cycles to secure development life cycles. And related to that, 
we've come up with a methodology where source code doesn't get 
built in traditional ways and we use parallel build systems 
with different people accessing them, with different access 
    And we correlate the output of them across those three to 
significantly reduce the potential for a threat actor to 
consistently compromise every one of our build systems at the 
same time. That is the level of effort our teams are going 
through to build safe and secure solutions. Which I hope will 
be a model for others.
    Senator Burr. Are these practices that you're sharing with 
others in the industry?
    Mr. Ramakrishna. We are completely committed to doing it, 
and we are doing it as we do it.
    Senator Burr. Thank you, Mr. Chairman.
    Chairman Warner. I would simply want a quick comment that I 
agree with my friend, Senator Burr's comment that a firewall 
alone cannot keep out a sophisticated actor. But it doesn't 
mean the corollary--and I had conversations with the CEO of 
SolarWinds on this--that just because it's a sophisticated 
actor then that means that you shouldn't do good cyber hygiene.
    Mr. Ramakrishna. Absolutely.
    Chairman Warner. It is not an either/or.
    Senator Burr. No, I agree with you totally. I think what 
we're hearing--and maybe we're just not saying it right--is 
that even with the best cyber hygiene, even with the best 
protocols in place because of how good and persistent and how 
much money a nation-state has like Russia, we're susceptible
    Mr. Ramakrishna. Yes.
    Senator Burr. You know the puck is going to get in the 
goal, as Kevin said, and if we've missed anything and you've 
got something that assures us the puck won't get in the goal, 
then here or privately share what it is so that we can begin to 
pursue and flesh out that type of policy.
    Chairman Warner. But the problem is we may not know the 
puck was even in the goal. But if you've got good cyber-
hygiene, chances are you will discover the puck at some point. 
We'll continue that hockey analogy. Now as we move to our next 
new Committee Member, Senator Gillibrand. Welcome to the 
Committee and your first Intelligence Committee questions.
    Senator Gillibrand. Thank you, Mr. Chairman.
    I want to follow up on knowing whether you've had the puck 
go into the goal. One of you said that the hack that shut down 
CrowdStrike and other defense software--and it affected them 
before they could start working. So why do these programs--why 
was there no alarm, and how were they shut down?
    And related, why were there no alarms in the SolarWinds and 
anti-virus software logs which should have shown the unusual 
behavior, access, or other traces of unauthorized access?
    Mr. Kurtz. Yeah, so this is George. Maybe I can take that. 
There were probably multiple, dozen software technologies that 
were targeted to actually be shut down. In our particular case, 
you can think about the camera. You know if someone came up to 
a camera and smashed the camera you'd actually see what they 
did. And our particular software has a level of monitoring 
where if someone tries to tamper with it we would actually be 
able to see that.
    And in fact, you'd actually have to reboot the system. As 
Kevin mentioned, pretty persistent where it waited and kind of 
did things you know over a number of days.
    Senator Gillibrand. But there was nothing? There was no 
alarm? Even after the 11 days?
    Mr. Kurtz. Well once you have admin access on a particular 
system, if you're shutting it down you know you can pretty much 
do anything you want on it. And that's just a function of how 
the operating system works. And what we focus on, and I talked 
about this in my written testimony, is no silent failure. And 
we've designed our system that even if there is a failure 
somewhere along which we call the kill chain, this attack 
sequence, we're still going to detect something down the road.
    And I think this is really important when I talked about 
threat hunting. You may not catch the initial stage of the 
attack, but you're looking to catch it along the way, and 
you're looking to do that with speed. If someone's going to rob 
a bank there's only so many ways to rob a bank. You've got to 
get there; you got to get the money; you have to get out. 
Right? What car they drive, what weapon they use, how they do 
it doesn't really matter.
    So as long as you can identify the chain of activity, which 
is really important, you can stop these breaches. And that's 
why we stopped over 75,000 breaches just last year. So it's 
obviously a challenging problem but that's why when we look at 
this, it's really about risk mitigation; using multiple 
technologies and having visibility across your network.
    Senator Gillibrand. Alright. Mr. Smith, I think you said on 
``60 Minutes'' that there were more than 1,000 developers 
working on writing this malicious code. Why do you know that or 
how do you know that? And with a group that big, if it is based 
in Russia, how come we didn't detect it or see it before?
    Mr. Smith. Well there was a lot more than a single piece of 
malicious code that was written. And so one of the things we 
analyze: what was done from an engineering perspective on each 
of these second stage attacks that Kevin was talking about 
before. And in essence what we saw was a very elaborate and 
patient and persistent set of work. They entered. Then, as they 
were in through that back door, they in effect opened a window. 
They then swept up behind themselves. They closed the back 
door. They used that window. They identified accounts. They 
were able for the most part to really rely on stealing 
passwords and accessing credentials, especially where 
credentials were not well secured, meaning they weren't stored 
on a hardware dongle or they weren't stored in the cloud. But 
they were able to get people's passwords. They were then very 
persistent in using that at what we call elevated network 
privilege to work across a network.
    And we just were able to look at our estimate of how much 
work went into each of these individual attacks, how many 
attacks there appear to be in total, and we asked our 
engineering teams: these threat hunters that you were hearing 
about before--what do you think is on the other side of this? 
And that was their estimate. And we have asked around with 
others: does this estimate seem off base? And no one has 
suggested it is.
    Senator Gillibrand. Let me ask Mr. Ramakrishna a final 
question. So the Wall Street Journal reported that there was as 
many as a third of the victims were accessed by means other 
than SolarWinds. However, those access vectors, including TTPs 
and infrastructure, have not been made public. Why is that and 
do you expect to release the full details of the other access 
vectors? And what other ways did the cyber actors use to gain 
access to victims?
    Mr. Ramakrishna. Senator that's a very good question. We, 
as a manufacturer or producer of IT management tools, do not 
have the security capabilities to be able to investigate other 
threat vectors. And that's where the colleagues at this witness 
table with me will be able to help us and the broader industry 
identify those threat vectors. On our part, what we have 
committed to doing and continue to do is sharing everything 
that we are finding.
    And the significant discovery that I mentioned about 
Sunspot is one key element of eliminating threat vectors. As we 
learn some new vectors ourselves at SolarWinds, we are 
committed to sharing those. But I think the broader security 
industry will take the mantle on that.
    Senator Gillibrand. Thank you, Mr. Chairman.
    Chairman Warner. Thank you.
    Senator Collins.
    Senator Collins. Thank you, Mr. Chairman.
    Mr. Chairman, let me echo the concerns that Senator Cornyn 
and you have raised about Amazon not being present. I think 
they have an obligation to cooperate with this inquiry and I 
hope they will voluntarily do so. If they don't, I think we 
should look at next steps.
    I also want to thank both of you for mentioning legislation 
that Senator Joe Lieberman and I authored and brought to the 
Senate floor back in 2012, which was defeated largely due to 
the lobbying efforts of a large business group. And the irony 
is that this grit business group, at the time that they were 
lobbying against mandatory reporting, was itself being hacked, 
which I found out about from the FBI later. I take no pleasure 
in that. I think that shows how widespread this problem is.
    I want to follow up on two issues. One is the issue of 
reporting. Mr. Mandia, we know from the White House report and 
from our own briefings that the hackers did gain access to at 
least nine Federal agency networks. Yet the U.S. Government 
learned of this cyber-attack through FireEye. So, in your 
judgment is it reasonable for us to assume that our government 
probably would still be in the dark about the Russians or 
whoever the hackers were--likely the Russians--being on our 
systems if it were not for your voluntary disclosure?
    Mr. Mandia. I think over time I believe we would have 
uncovered this. I think there's a lot of activity that out of 
context nobody could put their finger on the larger problem. 
The minute we found the implant and the minute we disclosed 
what had happened, it connected a lot of dots for a lot of 
folks. All I can tell you is when I spoke to the government 
about this basically as it was unfolding for us nobody was 
surprised as to what I was telling them.
    So I think we could sense there was behavior on certain 
networks that wasn't right. But we couldn't find the cause 
until we put it all together.
    Senator Collins. But none of those agencies had taken 
actions until you contacted them. Is that accurate?
    Mr. Mandia. I don't know what actions they may or may not 
have taken.
    Senator Collins. The second issue that I want to talk about 
is our critical infrastructure: 85 percent of the critical 
infrastructure in this country is owned by the private sector, 
and that's one reason that I think mandatory reporting is so 
critical. We have only to look at what happened in Texas from 
natural causes to imagine the damage that could be done by a 
    Now it's my understanding that our government has assessed 
that this operation was focused on stealing information rather 
than taking down networks. But how difficult--and I would like 
to ask the entire panel this--how difficult would it have been 
for the hackers to disrupt these networks if they wanted to?
    Why don't we start with you, Mr. Mandia, and just go down 
the panel.
    Mr. Mandia. Two comments, Ma'am, very quickly on that. 
Disruption would have been easier than what they did. They had 
focused, disciplined data theft. It's easier to just delete 
everything in a blunt force trauma and see what happens, which 
other actors have done. But what I've observed this group do--
and I think this is an important detail--a lot of times when 
you break into a network you get what's called the domain admin 
account. And just use that to grab everything.
    It's the keys to everything. It's the master key in the 
hotel. What this group actually did is they wanted to break 
into room 404. They got a room key that only worked for room 
404. Then they got the room key for 407. They actually did more 
work than what it would have taken to go destructive. But 
obviously, they had the access required and the capability 
required should they have wanted to be destructive to have done 
    Senator Collins. Thank you.
    Mr. Ramakrishna. Senator Collins, I would agree with that 
based on my studies and research of other similar breaches in 
other countries, such as in Ukraine.
    Senator Collins. Thank you. Mr. Smith.
    Mr. Smith. I would agree as well. And I'd just highlight a 
couple of aspects that I think are important. First, especially 
when we're talking about publicly owned critical infrastructure 
in this country, a lot of it is too old. It needs to be 
modernized. And I'll just point to one example was some of our 
work with a state agency responsible for public health.
    When our consultants went in to work with them they found 
that the manual for the software was more than 20 years old, 
meaning the software itself was more than 20 years old. So and 
that's why you see these ransomware attacks which need to 
connect with this. They so often target municipalities, we've 
seen Baltimore, we've seen New Orleans. They target hospitals.
    So that is in critical need of improvement. I do think 
the other thing that is really worth thinking about more 
broadly for the whole Committee is I don't think we can secure 
the country without investing in more cybersecurity people for 
the country. There's really a critical shortage nationwide of 
cyber security professionals and I think we can put our 
community and technical colleges to work in part to get more 
people into public agencies, into small businesses and others.
    We are doing a lot to try to publish information. At 
Microsoft we have published 31 blogs since we learned about 
SolarWinds you know from FireEye. But there's just not enough 
people in many places to read them and act on them.
    Senator Collins. Thank you. I know my time has expired. 
Maybe Mr. Kurtz could respond for the record.
    Chairman Warner. Okay. And I don't.
    Mr. Kurtz. Sure, thank you.
    Chairman Warner. I'd just simply mention as well, Senator 
Collins, you appropriately pointed out the failure to report on 
the private sector side. There's no obligation on the public 
sector side.
    Senator Collins. Right. Well part of the problem is that 
there should be this exchange.
    Chairman Warner. Yep.
    Senator Collins. Of information that's not occurring now on 
either side.
    Chairman Warner. Absolutely. Senator Blunt.
    Senator Blunt. Thank you, Chairman. Mr. Mandia, did you 
feel when you found this problem in your system did you think 
there was a legal obligation to report it to anybody?
    Mr. Mandia. Yeah, we had third party counsel involved. We 
did not have a legal requirement at least based on the legal 
advice that I got to disclose at the time that we did. So we 
did so based on we're a security company, we work to a higher 
order. Yeah, it's all built on trust. And you got to report.
    Senator Blunt. And Mr. Ramakrishna, what did you think 
there was a legal obligation to report this when you found out 
about it to the government or anybody else?
    Mr. Ramakrishna. Senator, I was not with the company when 
this particular incident happened.
    Senator Blunt. Got it.
    Mr. Ramakrishna. So I will take it on record and come back 
to you with exactly what happened at that point in time.
    Senator Blunt. And Mr. Smith, from your testimony I think 
it was point four in the things we should do though there was 
some element of it in point three. It's your view that there 
should be a requirement now that these kinds of things be 
reported. Is that right?
    Mr. Smith. Yes. And I think we should build on the 
conversation we had here. But you know, we too concluded we had 
no legal obligation to report. But I think we had a duty 
nonetheless first of all to each customer, second of all to the 
U.S. Government and third of all to the public which is why we 
published those 31 blogs.
    Senator Blunt. So do you think we should create a legal 
obligation for you to report if you're aware of a problem like 
    Mr. Smith. I do. I think we need to be thoughtful, tailor 
it, make it confidential. But we will not secure this country 
without that kind of sharing of information.
    Senator Blunt. So on that topic and we'll just stay with 
you and then work our way back down. On that topic, you know 
these companies. All four of the people represented here have 
great expertise and great resources which I'm sure you've used 
a lot of to figure out how they got there, if you figured that 
out, how long they've been there. How would we expect a normal 
person that does business with your companies to be able to do 
that on their own? And maybe, Mr. Smith, that goes to your view 
we need more cyber expertise.
    But how would we expect a regular company, unlike these 
companies at the table today, to have any sense whether anybody 
was in their system or not?
    Mr. Smith. Well the first thing I would say is I think it's 
a decision for you to make as to whom you want this obligation 
to apply. You know certainly it should apply to tech companies. 
Should it apply to every customer of a tech company? I think 
that is a separate question. Second, of course people cannot 
report something they're not aware of. Our customers who use 
our cloud services know when we are able to detect that they 
are being breached in the cloud or they're being attacked 
because we tell them. And so we let them know.
    Now ironically one of the episodes we've learned from this 
time was in some instances we called people on the phone and we 
said we're from Microsoft and we want you to know you're being 
attacked and they're like yeah, right and they hung up. They 
didn't believe that this big company was calling this small 
business. But that is our job, our responsibility I think--to 
help our customers. And we can provide information to the 
government, or in certain instances others could as well.
    Are you going to ask every small business to do that? It's 
probably not necessary for this purpose.
    Senator Blunt. Yeah. I think if we move forward on that 
discussion some helpful thoughts from all of you about when 
that obligation to report. If you've called a customer and said 
you've been hacked, is there an obligation you should have then 
to report? We could work on that.
    Mr. Mandia, how long do you think this had been in your 
system whenever you found it? And I know it was the two 
telephone verification seeing that extra verifier in there that 
was the tip off.
    Mr. Mandia. Right.
    Senator Blunt. How long do you think it had been there?
    Mr. Mandia. Well a couple ways to answer that. Bottom line 
it was a couple months from initial access but the attacker 
wasn't alive every single day. I think, in other words, they 
were on our system for maybe three hours in one day, a week 
would go by, couple hours on another day. We weren't a full-
time job for the intruders that broke into us. Because they had 
broken into 60 plus other organizations if not 100. So we did 
get their attention and there's several days of activities 
before we detected them.
    But over time it was several months.
    Senator Blunt. And of course you'd contend that very few 
companies would be better prepared than yours to find out.
    Mr. Mandia. Right.
    Senator Blunt. If somebody's in your system because that's 
what you do.
    Mr. Mandia. Right.
    Senator Blunt. Mr. Kurtz, you mentioned on the bank robbery 
example I think it was something like you get there, you get 
in, you get the money, you get out. It seems to me that in this 
intrusion they weren't all that interested in getting out. What 
do you think that means? That they would get there and just 
hang around, as Mr. Mandia said, and do something and a week 
later might look and do something else?
    What kind of hacker is that? What are they positioning 
themselves to do? Clearly not to shut down your system at that 
moment. But why do you think they were persistent in this, what 
I think, is a relatively different way than we might have 
    Mr. Kurtz. Well this is indicative of a nation-state actor 
and it's in their interest to maintain persistence. If they 
were collecting data, they want to continue to collect 
information over a period of time. If the campaign as was 
pointed out this is the way it works, right? You've got 
different mission objectives and campaigns. If the campaign is 
over, they certainly would want to remove their tool so they 
weren't found by companies like CrowdStrike and FireEye and 
Microsoft and others.
    So it's in their best interest to maintain the persistence 
because you never know what they're going to need. And one of 
the things that I really want to point out and how this works 
in practice is that when you get into a system when an 
adversary gets in they don't necessarily know what they're 
going to find. And then they find some interesting tools, they 
find some emails that may lead them to another company they can 
    And it's a massive spider web of interrelated entities and 
information that they have to collect. And when you draw that 
out, if you can imagine a crime scene where you kind of put 
everything on the bulletin board and you start connecting the 
dots between the actors, that's what it's like for the victims. 
And from one company to the next company to the next company to 
a government agency, they can all be connected together with 
some of these campaigns.
    And there's no reason for them to get out unless that 
campaign is over. And certainly unless they want to remove that 
malware and their tools which typical which we've seen in this 
particular case 'cause they didn't want anyone else to find 
    Chairman Warner. Senator King.
    Senator Blunt. Thank you. Thank you, Mr. Chairman.
    Senator King. Thank you, Mr. Chairman. Excellent, excellent 
hearing. A lot of important points. A couple just I want to 
emphasize. Mr. Mandia, I'll give you another analogy to use as 
well as Wayne Gretzky, and that is if all we ever did was lock 
our windows and robbers never had to worry about going to jail, 
there'd be a lot more robbers. I think deterrence is one of the 
most important parts of a national strategy and frankly it's 
one that really hasn't been very well developed in this 
country. And as you pointed out I think it has to be declared.
    It has to be public. The adversary has to know what the 
capabilities are and that costs will be imposed. That leads me 
to a second point that I think Brad Smith mentioned but we 
didn't really develop. And that is the importance of 
internationalizing this problem and that is working with our 
allies because we're not the only ones. I think you mentioned 
there was an attack on a French company by this same group.
    And to the extent that we have the international community 
and the establishment of some kind of international norms, red 
lines, guardrails, whatever you want to call them then things 
like sanctions are much more effective. I want the hackers to 
not be able to go to Monte Carlo as well as Miami. So 
deterrence is key. And the international piece of it is also 
    And then the final thing that I think has come out today 
very clearly is the importance of some kind of joint 
collaborative environment where there can be an easy and quick 
and efficient flow of information. Liability protection may be 
necessary. Anonymizing the data may be necessary. But some kind 
of mandatory breach notification is also part of this package.
    All of these bills, all of these ideas by the way are part 
of the work that we're going to be doing on the solarium this 
year and I look forward to working with the Members of this 
Committee on things like the collaborative environment, breach 
notification, the international aspect of it.
    Let me ask a specific question. Mr. Mandia, do we need a 
central Federal attribution office? It strikes me that 
attribution the FBI has a piece of it, the NSA has a piece of 
it, maybe the CIA, and whomever somewhere else. Attribution is 
key. You can't do deterrence, you can't respond unless you have 
    Should there be a central attribution department, if you 
will, that could act quickly and do attribution more 
efficiently than is the case today?
    Mr. Mandia. Well I can say this, sir. I don't know if it 
needs to be a single committee or single agency. But 
attribution is critical and all that you know any time I get to 
advise a head of state it's very simple. If you don't know who 
did it, you can't do anything about it. So I would argue it's 
one of the most critical issues we have to solve as a Nation is 
we got to know who did every breach.
    I think that those data points will automatically come from 
multiple agencies with multiple missions and areas of 
responsibility. And then bring it to domestic challenges like 
the SolarWinds breach and all the liabilities hitting 
companies. It is helpful and maybe it's CISA, maybe it's the 
FBI, but it is helpful that most organizations recognize that 
we are expected to defend ourselves from the drive by shootings 
on the information highway.
    But we shouldn't have to defend ourselves from the SVR. I 
mean that doesn't seem like a benchmark that this Nation should 
set for every small to medium sized company out there that you 
need to defend yourself from a foreign intelligence service 
trying to hack you. So I would say this. Categorical 
attribution for these companies that do disclose is very 
helpful for those companies. So in other words, if there was 
public attribution that said SolarWinds was compromised by a 
nation-state, good enough.
    Because it takes the wind out of the sails of all the 
plaintiff lawsuits that we all get when we get compromised and 
we tell the world about it. Thank you.
    Senator King. Thank you. And it seems to me that moving on, 
we clearly ought to do attribution better. The other piece 
that's come out today is, and Senator Burr mentioned this, is 
gaps in our authority. The NSA and the CIA cannot spy on 
Americans. They cannot watch what's going on in American 
networks. That sort of leaves the FBI which is really a law 
enforcement agency as the intelligence agency for domestic 
    It seems to me that we need to think of how these 
authorities fit together and what the gaps are to be sure that 
we have the tools to protect ourselves. Not that we want to spy 
on Americans, but we also want to be able to protect Americans. 
Mr. Mandia, your thoughts on that?
    Mr. Mandia. I do believe there's got to be a way for the 
U.S. Government when we need to mobilize to understand how we 
can do it domestically. And the example I've always used, sir, 
is very simple. If the intelligence community recognizes 
there's going to be an attack on Wilkes-Barre hospital this 
Friday by the best hacking group on the planet, we'd just start 
moving the patients out of the hospital. And that seems like we 
can do better than that as a Nation.
    We ought to be able to impose the risk profiles that we 
need to and project our capability domestically when we need 
to. And right now, I don't see the ability to do that.
    Chairman Warner. Senator Feinstein.
    Senator King. Appreciate it.
    Chairman Warner. Dianne.
    Senator Feinstein. Oh, excuse me. Thank you very much, Mr. 
Chairman. I'm looking at this worldwide threat assessment of 
the United States intelligence community. It was done by Dan 
Coats, a former colleague of ours when he was Director of 
National Intelligence. And it's deeply concerning to me because 
it points out really the seriousness of this thing and the 
impact of it, the length of time eight months that it went on.
    Nine Federal departments, over 100 companies, and we don't 
know what, at least I don't, what the Russians took. And it 
seems to me to have this kind of situation out there and I've 
been on this Committee for a long time. And just have a hearing 
and not do anything about it. And know that we know now that 
there is this kind of vulnerability available.
    So let me begin with you, Mr. Mandia. You're a Californian. 
What do you advise this Senate to do about this?
    Mr. Mandia. Yeah there's several recommendations. I still 
believe it is critical we find a way to have a centralized 
agency that we can report threat intelligence to confidentially 
and that if you're designated as a first responder in cyber 
space, whether private or public sector, you report to that 
agency. That means we get the intelligence into the hands of 
people that can take actionable steps way faster than 
disclosure of incidents which just takes too long.
    To Brad Smith's point and you have those six bullet points. 
I think it's actually five bullet points. And they're all 
right. It's what we should do. I'm specifically talking about 
the threat intelligence sharing. Let's up it a notch. Let's say 
you have to if you're a first responder.
    Senator Feinstein. How would you do that? When you say up 
it a notch, what specifically would you do?
    Mr. Mandia. Have legislation that defines who a first 
responder is. That if you respond to unlawful, unacceptable, or 
unauthorized access to networks as a business and you see 
certain things that threat intelligence and we know what it is 
in the community that needs to be shared with a specific 
agency. Confidentially shared so that you don't have to know 
who the victims are because the victims have liabilities that 
make them delay.
    They'll do months of investigation before they would 
disclose everything. But we want to get the intel faster and 
into the hands of the right people more quickly. I do believe 
it needs to be a central agency inside the government. You 
can't go to three or four, you've got to pick one. And that if 
we're responding, we got to let you know here's what's going 
    Senator Feinstein. And this would be private sector as well 
as government sector?
    Mr. Mandia. Yes.
    Senator Feinstein. So it would be a comprehensive bill that 
essentially would set a kind of operational protocol that has 
to be followed.
    Mr. Mandia. It's similar to operating agreements for all 
the folks who accept credit card use. The Visa operating 
agreements. You literally have 24 hours to start sharing 
information regardless once you know. And it's not based on all 
the things that you may have lost. You've got to get the intel 
into the hands of the folks that can start safeguarding the 
Nation far faster than what we're doing today.
    Senator Feinstein. Could I ask the other two witnesses to 
reflect on what Mr. Mandia has said?
    Mr. Ramakrishna. Senator, I agree with that single agency 
to report to and the public private partnership. Clearly that 
is one of our recommendations as well and that will be 
consistent with the goal of having speed and agility in 
responding to these types of events.
    As you noted, some of these have gone for too long and 
we've lost time in detecting the perpetrators and taking 
corrective steps.
    Senator Feinstein. Mr.
    Mr. Ramakrishna. Additionally, I would recommend in the 
context of public and private partnerships, standards, such as 
NIST, and procedures, such as CMMC, can be improved with better 
collaboration, better transparency between private and public 
to evolve those from what are today compliance based 
methodologies to focusing on excellence.
    That is where I think Brad's idea of having a larger pool 
of STEM based focused education as well as specific cyber 
security education will come in handy.
    Senator Feinstein. Thank you.
    Mr. Ramakrishna. And then the last thing I would say in the 
context of coming out and identifying breaches and encouraging 
people even to come out and identifying the breaches there was 
a concept of liability protection that was discussed. There is 
significant brand reputation that people are worried about as 
well. And in the context of this broader work, I'd recommend 
that we address those as well which are not strictly liability 
but broader than that.
    Senator Feinstein. Thank you. Mr. Smith.
    Mr. Smith. Yeah, I would endorse everything that you just 
heard. I would add in the areas of rules of the road I think 
there are three areas that are just clearly ripe for this 
Committee and others to say are off limits. The patching and 
updating of software should be off limits, certainly when an 
and a this disproportionate.
    Senator Feinstein. Well wait, the patching and off date--
    Mr. Smith. And updating.
    Senator Feinstein. Updating of software.
    Mr. Smith. Yeah. Yeah that was.
    Senator Feinstein. Should be off limits to whom?
    Mr. Smith. For these types of nation-state attacks. That 
would be the first thing. The second would be cyberattacks on 
hospitals and healthcare providers. Vaccine distributors. I 
mean there's been a groundswell of both concern about what 
we've seen in the last year and attacks on that sector. And the 
third is attacks on our electoral infrastructure. On voting, on 
the tabulation of votes, on voter registration rolls.
    And I think there's a ready vehicle that's ripe because 75 
governments, but not our own, have already signed the Paris 
Call for Trust and Security in Cyberspace. More than 1,000 
private organizations, including my own, have signed that. And I 
hope this White House and this State Department will act on 
that. The consensus is there if U.S. leadership can help push 
it across the finish line.
    Senator Feinstein. Mr. Mandia, would you just reflect for a 
    Chairman Warner. Can we.
    Senator Feinstein. Oh, just one question.
    Chairman Warner. Yeah. We've gone through the five minutes 
so we're.
    Senator Feinstein. Okay. Thank you.
    Chairman Warner. Senator Sasse.
    Senator Sasse. Thank you, Chairman. And thank you to all 
four of you for being here. This has been a very constructive 
hearing. I would just associate myself with the many comments 
of folks expressing frustration that Amazon isn't here. I think 
they should be and I think we should pursue whatever is 
necessary. Hopefully they'll do that voluntarily.
    I'd also like to underscore a few things that were said 
along the way by Angus King about some of the deterrence 
objectives of the Cyber Solarium Commission. He and Mike 
Gallagher, House Member from Wisconsin, have invested tons of 
time. I was a commissioner but those two guys co-chaired it. 
There's a whole bunch of work to be done about breach 
notification that they've been thinking on in addition to some 
of the work that Susan Collins has done.
    Mr. Mandia, I know you answered it multiple times through 
the course of the last three hours but your summary five 
minutes ago about the need for a central single repository at 
the Federal Government for these breach notifications I think 
was very succinct and compelling, so thank you for that.
    Mr. Smith, when I came back from voting a little while ago 
I think I heard you say, I was just walking into the room, that 
you thought there were a thousand highly trained engineers 
involved in planning this attack. Did I hear you right?
    Mr. Smith. That is our best estimate, yes.
    Senator Sasse. And could you kind of give us a level set of 
other attacks or espionage efforts in the past? Like, say the 
CCP's OPM hack. Do we have any theory of how many people would 
have been involved in that, trained folks?
    Mr. Smith. Well, I don't. But you certainly didn't need an 
engineering group of similar magnitude to steal data. You 
really need to then think about how to use that data which is 
probably some combination of engineering and artificial 
intelligence. And you know, I do think as we scan the horizon 
around the world, we are seeing variation in tactics. You know 
we are seeing in one part of the world more of this I'll call 
it engineering intensive effort to you know penetrate 
individual organizations with great patience and persistence.
    And then extract data on an ongoing basis as you would if 
you are a foreign intelligence agency. You know in another part 
of the world you're probably seeing you know more collection of 
very large data sets. And in all probability the way one would 
make use of those data sets is to aggregate them and use 
artificial intelligence machine learning you know to start to 
knit them together and then say use them for disinformation.
    And so you know as we look at the world, we have espionage 
threats. We have disinformation threats. And then ultimately we 
always have the threat we were talking about before of actually 
damaging a society or a country as we saw in Ukraine.
    Senator Sasse. Right. Very helpful. Are there any equivalent 
breaches that you can think of that would have had this scale 
of human capital involved in planning them?
    Mr. Smith. I can't think of a similar operation that we 
have seen that would have similar human scale, no.
    Senator Sasse. So this is arguably the largest planned 
cyberattack ever?
    Mr. Smith. I haven't seen anything larger. I think we were 
having a good conversation before about what label precisely to 
attach to this. But it was a very it's the largest and most 
sophisticated operation of this sort of that we've seen.
    Senator Sasse. So going back to some of Martin Heinrich's 
questioning and then Chairman Senator Burr's follow-up on the 
same thought. It'd be useful for those of us who are not 
technologists to hear the three of you kind of talk about the 
difference between the design flaws, not that anybody is 
particularly responsible inside the U.S. Government for having 
failed to detect this, because it's a new kind of attack. But 
design versus execution flaws given Martin's points about the 
NSA being prohibited from surveilling domestic systems.
    Who should in our current structure have found this 
earlier? Again I'm not looking for you to blame cast, I'm 
looking at us as the Congress to recognize that we have an IC 
that is not structurally prepared to respond to something like 
this. When your greatest capabilities are at the NSA and 
they're prohibited from surveilling the systems where they 
would detect it, the FBI is chiefly responsible for law 
enforcement investigations after the fact. Structurally, we're 
not prepared to defend against this, are we?
    Mr. Mandia. I guess I'll jump in on that one. There's no 
question you have to have private and public partnership in it. 
Period. When you look at critical infrastructure and who's 
running it. I want to be clear though, why people didn't detect 
this, the Achilles heel, is because the front door was locked. 
So the attackers had to break in to SolarWinds, implant 
something, we still don't know how they broke in to SolarWinds 
that I'm aware of. And this is probably the last avenue in 
cyber security.
    Now we know you've got to worry about supply chain risk and 
you're going to see the elevation in security there. So the 
reason everybody didn't detect this right away is over the last 
30 years in cyber security you used to be able to drive through 
the front door. And we kind of closed that and then it became 
spear phishing and tailored attacks against individuals. And we 
got really good at that. And now they went to the supply chain.
    And it was inevitable. We knew they'd get there. Apparently 
it takes something like this for us to really decide to up the 
    Senator Sasse. But if we think about how many questions 
you've had to answer today about reporting requirements, you 
also had a sense, Mr. Smith, you said something about the 
reporting prohibition on you going from one government agency 
to the next. How long was that delay in our structure? If you 
had been able to notify everybody once you knew once your four 
companies knew what you knew how much faster would it have been 
than it was in the situation where you actually had 
prohibitions on information sharing intra-USG?
    Mr. Smith. Well I think in this instance when we spoke to 
officials in one agency typically within a day I think they 
spoke to officials in another. So they understood and they were 
fast moving. I do think that one of the challenges in this 
space is the nature of all threat intelligence, whether it's 
cyber-based or physically based, is that it's always about 
connecting dots. So the more dots you have, the more likely you 
are to see a pattern and reach a conclusion.
    And so I think one of the challenges here is that the dots 
are so spread out, they're in a variety of different private 
companies and they always will be. And then they're spread out 
across different parts of the public sector as well. So this 
notion of aggregating them is key. The one thing that we 
haven't talked about though that I would add to this is there 
should be some level of information sharing in an appropriate 
way back to those of us in the private sector that really are 
first responders.
    You know I look at the Microsoft threat intelligence center 
and we are able to aggregate all of this data across our 
services. And you heard from CrowdStrike or FireEye and they do 
similar things. But we too are operating with imperfect 
information when we don't have access to this knowledge. So 
that's another key question I think that really merits 
    Senator Sasse. I'm over time but thank you to all four of 
you and I'll follow-up with some of you for more as well. 
Thanks Chairman.
    Chairman Warner. Well I'm I want to thank all the witnesses 
but I also want to make sure people have hung in if Senator 
Blunt, Senator Burr, Senator Rubio I've got one more question 
but I want to see if Senator Blunt do you have anything else?
    Senator Blunt. No, sir.
    Chairman Warner. And do you have Richard? Marco?
    Vice Chairman Rubio. I mean I think one of the things about 
this is you know corporations and government we do we trust a 
number of software vendors now to run programs remotely in the 
cloud. They even allow them access to our networks to provide 
updates to help perform better, for safety and so forth. So 
this is really is not just a national security thing, it really 
goes at the heart of how we conduct business across multiple 
    By the way, I would venture to guess that most companies, 
mid-sized companies and above, have no idea how many different 
pieces of software they don't know what their own inventory is 
of what they're running. And so it would be now's probably a 
good time to have someone in charge of knowing that in case 
something like this comes up.
    I have three quick questions. On SolarWinds, I'm not sure 
I've heard yet, do we do we know what the initial entry point 
into the network was?
    Mr. Ramakrishna. Senator, our investigation on how which is 
initial entry point is still active at this point. We have had 
a number of hypotheses over the last couple of months working 
with our investigation partners. We've been able to narrow them 
down now to about three, which I hope will help us conclude to 
one. But just the nature of the investigation is we are still 
sifting through terabytes of data to figure out if we can 
pinpoint that particular one.
    Vice Chairman Rubio. So is TeamCity produced by JetBrains 
any indication they could be one potentially?
    Mr. Ramakrishna. Senator, TeamCity is a tool used in the 
build processes by us and many other companies out there. We, 
to date, have no evidence that it was the backdoor used to get 
into SolarWinds. Although we haven't eliminated that 
possibility, we haven't proven it.
    Vice Chairman Rubio. And for on Microsoft, as far back as 
2017 that the forged identity credentialing you were aware of 
that vulnerability as far back as when were you aware of that 
and what was done from the point you knew moving forward on the 
to address that?
    Mr. Smith. Well the forged identity refers to an industry 
standard, SAML, a markup language. It's an industry standard 
that is supported by a wide variety of products including our 
own. Actually as we investigated this incident, we found that 
it was relevant in only 15 percent of the cases and in those 15 
percent, in every instance you know this tool was used to in 
effect add access capability only after the actor was in the 
network, had obtained access with what we call elevated 
privileges, and was able to move around and then use this.
    But to answer your question this particular standard, the 
SAML standard, was created in 2007. So long before 2017 we and 
many other companies in the industry have been working to move 
people towards a more modern authentication standard. And there 
has been one that has been around since 2012. More broadly, 
independent of what security standard you use for this kind of 
authentication the thing that we have been advising our 
customers and the practice that we have been following 
ourselves is really to do the following.
    One, move your authentication service into the cloud. 
Number two, secure all of your devices. We have a service 
called Intune that does that. Number three, you know, make sure 
you're using multi-factor authentication. Number four, have 
what's called least privileged access meaning don't give 
individuals access to the entire network or to be able to do 
things that they don't need to do. And number five, use a 
contemporary or a modern anti-virus or anti-malware service 
like Windows Defender.
    And the reality is any organization that did all five of 
those things, if it was breached it in all likelihood suffered 
almost no damage.
    Vice Chairman Rubio. Because it would have been contained 
or whatever in the individual compartment they entered. Okay.
    Mr. Smith. Absolutely. Yeah. And these are five practices 
that the world knows about and this goes back I think to this 
point that we do need more cyber security professionals to work 
with more organizations. And obviously it's incumbent on us. We 
every day we're working to make it easier for our customers to 
deploy all of this stuff.
    Vice Chairman Rubio. Yeah, and I think that just touches on 
the notion that even if you can't prevent the attack or the 
intrusion you can mitigate its impact if you can do some of 
these things that you've discussed. Mr. Mandia, this is my last 
question. We talked about notification. Not disclosure but 
notification. And this seems to me that and you may have some 
thoughts on this what is the threshold for that?
    Is it a major breach? Is it breach? Is it breaches that 
have indications of nation-state involvement?
    Mr. Mandia. It's hard.
    Vice Chairman Rubio. Because I think every day someone's 
getting pinged by somebody. So what's
    Mr. Mandia. I agree and you don't want to spread fear, 
uncertainty, and doubt by folks who can't do a proper 
investigation or lack the expertise or quite frankly they don't 
know what really happened but they disclose so fast that they 
do create an unnecessary fear. That is the hardest part because 
every disclosure's going to have some discretion built into it. 
And that's why when I'm talking about notification I'm trying 
to there's public disclosure and legal disclosure.
    I'm trying to separate that, and Brad Smith did in his 
testimony very well, to threat intelligence sharing. And I'm 
more talking about threat intel, get it out there fast, get it 
out there confidentially so you have the time to figure out the 
threshold for disclosure. But that's a lot of work because I 
think it depends on the industry you're in whether you should 
disclose. I think it there's contract law that'll apply. You 
should disclose to your customers at least that are impacted.
    But I still feel disclosure is always going to be based on 
the impact of a breach which requires investigation.
    Chairman Warner. Well let me thank all of the panel and 
George who's online. We actually had well Senator Risch didn't 
want to ask a question. We had full participation from the 
Committee and that is a sometimes rare occurrence. I take away 
four issues that I'd like for the record since it's been a long 
    The fact that Smith said this was potentially one of the 
most serious breaches he's seen. We know that it got into Mr. 
Ramakrishna's 18,000 customers and while they chose to only 
exploit 100 plus the fact that this could have been used not 
for exploitation and exfiltration of information but could 
have been turned they were inside as I think Mr. Mandia so 
eloquently put it could have been exponentially worse and I 
think we need to recognize the seriousness of that.
    Number two and I think Senator Rubio was raising this as 
well that while it was a top tier nation-state with their A 
team and it may be hard for any individual company or public 
enterprise to totally block that out, we can't default to 
security fatalism. We've got to at least raise the cost for our 
adversaries. And whether the items that Mr. Smith just 
enumerated in terms of better protections even if they get in 
we can find them and raise their costs if we think through 
    Mr. Smith commented on this but I would like the rest of 
you for the record to comment on this, this idea around norms 
and international norms. I use the analogy that in warfare you 
don't bomb the ambulance. Well should we try to get to a point 
that you don't bomb the patch? Or that you don't hit the 
hospital literally? Or the electoral systems? How do we move 
toward that system of norms?
    And finally I think there is a real growing sense and I 
hear this from industry as well that we need some level of at 
least information sharing around on a mandatory basis. Again, I 
want to compliment Kevin's company and Kevin personally for 
coming forward because but for that effort we might still be, 
this might still be ongoing. And how we think about that what 
that reporting to or whom it rep we report to mechanism, I 
think it's going to require some new creation.
    And while I am very open to some level of liability 
protection, I'm not interested in a liability protection that 
excuses the kind of sloppy behavior for example that took place 
in Equifax where they didn't even do the basic cyber hygiene. 
That if you report that you should not be free of your 
responsibility if you have been a sloppy player.
    So I think there are models. There's FinCEN in the 
financial sector, there's the National Transportation Safety 
Board which may be an even better example. I think Mr. Mandia 
pointed out within the credit card arena there is this 
information sharing. Some I know have been thinking about the 
idea that the cloud service providers, the large enterprises, 
the first responders a la CrowdStrike and FireEye maybe being 
co-located at some location with parts of the government.
    Because this notion of getting the information out real 
time, that's not going to happen with all due respect to the 
great talents that are at the FBI that's not going to happen 
when it goes to the FBI and they're just not in the business of 
information sharing. It frankly is probably not going to happen 
even though CISA's skills continue to be upgraded. We're going 
to need to think about a different model and I challenge all of 
you to come forward with that.
    I think there's a great deal of appetite bipartisan 
appetite. I think we realize how serious we were and we 
potentially dodged a much more serious bullet. And really 
appreciate all of your participation and it's been constantly 
mentioned those companies who chose not to participate so far 
we're going to give them another chance and hopefully they will 
recognize they have that kind of public service obligation that 
is reflected by the testimony today.
    With that, the hearing is adjourned. Thank you.
    [Whereupon at 12:07 p.m. the hearing was adjourned.]

                         Supplemental Material