Lawmakers do not know whether the hack of federal networks via the SolarWinds computer network management software would have been discovered by the U.S. government if a private cybersecurity firm had not identified it, said Sen. Mark Warner, Intelligence Committee chair, during a Tuesday hearing.
The hack of SolarWinds software led to the compromise of nine federal agencies and 100 private-sector companies while exposing some 18,000 total public- and private-sector entities to the hackers, said Anne Neuberger, deputy national security adviser for cyber and emerging technology.
Mr. Warner, Virginia Democrat, said one of the most concerning factors of the hack was that “it was not detected by the multibillion-dollar U.S. government cybersecurity enterprise or anyone else” until FireEye announced its findings publicly.
“Preliminary indications suggest that the scope and scale of this incident are beyond any that we’ve confronted as a nation, and its implications are significant,” Mr. Warner said at the hearing. “Even though what we’ve seen so far indicates this was carried out as an espionage campaign targeting more than 100 or so companies and government agencies, the reality is the hackers responsible have gained access to thousands of companies, and the ability to carry out far more destructive operations if they’d wanted to.”
Mr. Warner noted that while most of the affected systems look to have been victimized through SolarWinds’ software, some victims did not use SolarWinds tools. He also noted that the hackers’ footholds into private networks “may provide opportunities for future intrusions for years to come.”
The Senate Intelligence Committee’s hearing on Tuesday afternoon is gathering testimony from SolarWinds CEO Sudhakar Ramakrishna, alongside Microsoft President Brad Smith and representatives from the cybersecurity firms CrowdStrike and FireEye. Mr. Warner said a representative from Amazon Web Services declined to attend the hearing at the invitation of the committee, but he said Amazon has provided information to the committee.
Mr. Warner said his committee previously had a closed hearing on Jan. 6 with the government agencies responding to the hack.
View original Post