Senate Hearings on Online Hack
CBJ – Top executives from Microsoft, SolarWinds Corp and cybersecurity firms FireEye Inc and CrowdStrike Holdings were on the hot seat at U.S. Senate hearings where they tried to defend their actions following massive online security hacks, which are now being blamed on Russian infiltrators.
Some tech experts say it was the largest hack ever discovered in the U.S.
SolarWinds and Microsoft programs were used to attack others and the hack impacted more than 100 major American companies and at least nine U.S. federal agencies.
It had been hoped Amazon representatives would also attend, because the cyberattacks are believed to have started on its servers. However, nobody from Amazon was present. Lawmakers have already made veiled threats that if the company doesn’t willingly come to the table, it could well be forced to through legal channels.
Microsoft President Brad Smith told the U.S. Senate’s Select Committee on Intelligence that the true scope of the latest intrusions is still unknown, because most victims are not legally required to disclose attacks unless they involve sensitive information about individuals.
FireEye Chief Executive Kevin Mandia also testified. It was his company that first discovered the hackers.
SolarWinds CEO Sudhakar Ramakrishna explained how his company’s software was hijacked by the hackers to break into other organizations. CrowdStrike CEO George Kurtz said his company is helping SolarWinds recover from the massive breach.
Microsoft admits the hackers were able to read the company’s closely guarded source code for how its programs authenticate users. However, Smith stressed that the breach was not due to programming errors on Microsoft’s part but rather to poor configurations and other controls on the customer’s part.
In CrowdStrike’s case, hackers used a third-party vendor of Microsoft software, which had access to CrowdStrike systems, and tried but failed to get into the company’s email.
CrowdStrike’s Kurtz turned the blame on Microsoft for its complicated architecture, which he called “antiquated.” If that was the case, one could ask why it is used at all.
Alex Stamos, a former Facebook and Yahoo security boss, now consulting for SolarWinds, agreed with Microsoft that customers who split their resources between their own premises and Microsoft’s cloud are especially at risk because skilled hackers can move back and forth. It seems the best approach is to move completely to the cloud rather than stopping halfway, because it is in those back-and-forth movements that vulnerabilities can be exposed.