On Tuesday, the press already hoisted sail to cover the Senate hearing which will probe the pirate hijack of SolarWinds, scheduled for Friday. The company’s President and CEO Sudhakar Ramakrishna will be grilled under hot lights in front of the Intelligence Committee, along with former SolarWinds CEO Kevin Thompson. They certainly have some ‘splainin to do.
Senate hearing on historic hack
Senators are expected to start probing into the dark and mysterious origins of the nefarious “SolarWinds” cyber-intrusion, which compromised a startling number of high-value federal agencies through their computer networks. What makes this one so treacherous is that it lurked inside the official software updates the company pushes out to its customers on a regular basis, riding the supply chain into every network that installed them.
A focus of the hearing will be to find out how SolarWinds itself was compromised in the first place. End users expected the company’s patches to be trustworthy and malware-free, meant to fix security flaws, not install them.
This will be the first congressional hearing into the SolarWinds exploit, frequently called “one of the worst U.S. intelligence failures on record.” The Senate Intelligence Committee will be grilling Sudhakar Ramakrishna like a steak over “his company’s handling of the breach,” the Wall Street Journal writes.
He won’t be alone: “other technology executives whose companies and products were ensnared in the attack or have helped respond to it” will be taking the witness stand as well.
Congress has looked into some pretty serious hacking crimes in the past few years, but this one is far more significant and troubling than those that targeted Equifax or the Office of Personnel Management.
Congress can hold one hearing after another on the subject, but without any solid legislation it doesn’t do a whole lot of good. That’s why Imperialist Senator Mark Warner of Virginia, the new committee chairman, decided “he would make scrutiny of the SolarWinds episode a priority of his panel.”
National notification law
Warner hopes that the severity of the SolarWinds incident will be a wake-up call to “reinvigorate debate on legislative and policy proposals, including a reconsideration of a national data breach notification law.”
Attention keeps slipping below the radar. “We get these blips of interest in cyber and then it fades.” Some of the questions at Friday’s hearing will center around the broader challenges of “supply chain” security. “We are still trying to learn how big, how broad, how much it is going to cost to remediate.”
One thing is certain: when Ramakrishna takes the witness stand at the hearing, he’s going to insist on “better communications between industry and government.” Keeping the data compartmentalized isn’t helping. “It is important that the industry shares information because cyber-attacks cannot be dealt with alone.”
He sees it “as an organizational commitment to the community.” After all, “why would a victim of a hack be out there talking about it? It is our obligation to do so.” He insists there are three key things that must be improved.
First, Ramakrishna is expected to call for “more public and private partnerships between companies and governments to resolve these issues, which should also include protection and possible incentives for hacked victims to come forward publicly.”
Next, “the community needs to set better standards for itself, to reach for excellence instead of just compliance. We should do more than just check off the necessary boxes to meet requirements.” Third, “there needs to be better communication methods with government agencies.” He suggests a “clearinghouse” that communicates with companies and then disseminates the information to the necessary agencies.