From Sen. Mark Warner’s office…you can watch the video here.
Below are Chairman Warner’s opening remarks as prepared for delivery:
First of all, I would like to take this opportunity to welcome our two new Members, Senators Casey and Gillibrand, to the Committee. I look forward to working with you, and all of our Members, in the bipartisan tradition of this Committee.
The Intelligence Committee’s record of working together in the interest of America’s national security has been due, in no small part, to the tireless efforts of our former Chairman, Senator Burr, and our new Vice Chairman, Senator Rubio. So I want to take this opportunity during my first hearing as Chairman to thank you both for your partnership. I am confident we will be able to keep working together in a bipartisan way in the 117th Congress.
I would like to welcome our witnesses today:
- Kevin Mandia, CEO of FireEye;
- Sudhakar Ramakrishna, President and CEO of SolarWinds;
- Brad Smith, President of Microsoft; and
- George Kurtz, President and CEO of CrowdStrike.
We also invited a representative from Amazon Web Services to join us today, but unfortunately, they declined.
Today’s hearing is on the widespread compromise of public and private computer networks in the United States by a foreign adversary, colloquially called the “SolarWinds Hack.” But while most infections appear to have been caused by a trojanized update of SolarWinds’ Orion software, further investigation has revealed additional victims who do not use SolarWinds tools. It has become clear that there is much more to learn about this incident, its causes, its scope and scale, and where we go from here.
This is the second hearing we’ve held on this topic. Our first was a closed hearing on January 6th with the government agencies responding to this incident. It is going to take the combined power of both the public and private sector to understand and respond to what happened.
Preliminary indications suggest that the scope and scale of this incident are beyond any that we’ve confronted as a nation, and its implications are significant. Even though what we’ve seen so far indicates this was carried out as an espionage campaign targeting 100 or so companies and government agencies, the reality is that the hackers responsible have gained access to thousands of companies, and the ability to carry out far more destructive operations… if they wanted to. The footholds these hackers gained into private networks – including of some of the world’s largest IT vendors – may provide opportunities for future intrusions for years to come.
One of the reasons the SolarWinds hack has been especially concerning is that it was not detected by the multibillion dollar U.S. government cybersecurity enterprise, or anyone else, until the private cybersecurity firm FireEye publicly announced that it had detected a breach of its own network by a “nation-state” intruder. A very big question looming in my mind is: had FireEye not detected this compromise in December… would we still be in the dark today?
As Deputy National Security Advisor Anne Neuberger, who has been chosen by the President to lead the response in this, said last week, the response to this incident – from both the public and the private sector – is going to take a long time. All of our witnesses today are involved in some aspect of the private sector response to this incident. I want to hear from them on the progress so far, the challenges we will need to overcome in order to fully expel these hackers, and how we can prevent supply chain attacks like this in the future. I also would like to hear from them about their experiences working with the federal government, namely the Unified Coordination Group, in mitigating this compromise.
The SolarWinds hack was a sophisticated and multi-faceted operation: a software supply chain operation that took advantage of trusted relationships with software providers in order to break into thousands of entities… combined with the use of sophisticated authentication exploits, leveraging vulnerabilities in major authentication protocols, basically granting them the keys to the kingdom, allowing them to deftly move across both on-premises and cloud-based services… all while avoiding detection. While many aspects of this compromise are unique, the SolarWinds Hack also highlights a number of lingering issues that we have ignored for too long.
This presents us an opportunity for reflection, and action. A lot of people are offering solutions, including mandatory reporting requirements; wider use of multi-factor authentication; requiring a “Software Bill of Goods;” and significantly improving threat information sharing between the government and the private sector.
I would ask if we shouldn’t have mandatory reporting systems, even if it requires some liability protection, so we can better understand and better mitigate future such attacks. Senator Collins was a leader on this in her efforts some years ago. There is an open question on who would receive such reports. Do we need something like the National Transportation Safety Board or a public-private entity that can immediately examine major breaches to see if we have a systemic problem as we seem to in this case?
I think there is some truth to the idea that if a Tier One adversary sends their A team against almost any company in the world, they’re going to get in. But that cannot be an excuse for doing nothing to build defenses, and making it harder for them to be successful once inside. I am very interested in hearing from our witnesses what they think our policy response should be, and what solutions they think will actually improve cybersecurity and incident response in the United States.
Beyond the immediate aspects of the SolarWinds hack are larger issues that this Committee must consider: Do we need norms in cyberspace – that are enforceable – like we have in other forms of conflict? We don’t bomb ambulances in war; should we therefore consider efforts to subvert patching, which after all is about fixing vulnerabilities, to be similarly off limits?
Once again, I want to thank our witnesses for joining us today, both in person and remotely. I’ve personally talked with nearly all of our witnesses – in some cases multiple times – since this incident was first reported. I appreciate their transparency and willingness to be a part of this conversation. After our witnesses conclude their remarks, we’ll move to a round of five minute questions based on order of arrival.
As a reminder to my colleagues, this incident is not over; it’s ongoing. So too are the criminal investigations by the FBI, so there might be some questions our witnesses cannot answer. However, I am confident they will all be as forthcoming as possible.