Key technology executives will testify that the U.S. remains vulnerable in cyberspace at the first public hearing in Congress to address a massive cyber-attack by suspected Russian hackers against the federal government and the private sector.
Sudhakar Ramakrishna, the chief executive officer of SolarWinds Corp. -- the Texas-based software firm that the hackers compromised as part of the attack -- plans to tell the Senate Intelligence Committee on Tuesday that “the level of potential impact is growing,” according to his prepared testimony.
The hackers responsible for the incident inserted malicious code into SolarWinds’s software, which was delivered to as many as 18,000 customers through software updates, though fewer are believed to have been targeted with additional hacking. The White House has confirmed that the hackers leveraged this access to breach more than 100 companies and nine U.S. agencies with follow-on hacking aimed at espionage.
Kevin Mandia, the chief executive of FireEye Inc., the cybersecurity firm which discovered the attack, will testify that the majority of victims were “government, consulting, technology and telecommunications entities in North America” while “a small number” of organizations in other countries were hit, according to his prepared testimony.
FireEye’s disclosure of the attack, which was pivotal in the country’s ability to investigate and mitigate the damage, has fueled calls for a requirement that companies disclose cyber-attacks on their networks. Senator Mark Warner, the Democrat from Virginia who chairs the committee, has said he plans to raise the issue at the hearing.
Brad Smith, the president of Microsoft Corp., will testify that he believes in a “consistent obligation for private-sector organizations to disclose when they’re impacted by confirmed significant incidents.”
While the hearing will focus on SolarWinds, witnesses and lawmakers are expected to raise concerns about U.S. readiness for future cyber-attacks as well -- which have the potential to cause more damage if adversaries seek to carry out destructive operations in addition to espionage. George Kurtz, the co-founder and chief executive of Crowdstrike Inc., the cybersecurity firm hired by SolarWinds for incident response, will call for improvements to federal cybersecurity as factors such as old systems and compliance rules “detract from core security work.”
The recent cyber-attack “is only the latest and surely not the last of a long string of major breaches in which hackers can impersonate most anybody on a network, gain the permissions needed to perform any actions on the network, bypass multi-factor authentication entirely and, every bit as devastating as it sounds, have the ability to sign in as a compromised user no matter how many times that user resets their password,” Kurtz said in prepared remarks.