A Senate Democrat who has been a top backer of cybersecurity and intelligence policies accused the Trump administration of “watering down” Russia’s responsibility for the SolarWinds breach and warned that the hackers had compromised several high-profile victims that remain unidentified.
Speaking Thursday at a virtual panel organized by the Aspen Institute, Mark Warner of Virginia criticized the government’s messaging about the SolarWinds campaign just two days after it issued its first formal accusation that the Kremlin was “likely” behind the intrusions, an allegation that has been reported within the press for weeks. He was joined by Kevin Mandia, chief executive of FireEye, and Katie Moussouris, founder and chief executive of Luta Security.
Warner, who as Vice-chair of the Senate Intelligence Committee spearheaded a five-volume report on the 2016 Russian election interference campaign, called that statement “one more outrageous effort to underestimate and underreport on Russian activity.”
Warner was effusive in his praise of FireEye and its leadership, avowing that the intrusion would still be undetected if FireEye had not brought it to light in early December.
Asked how FireEye had first discovered that its servers had been compromised, Mandia described an excruciating forensic process that began after the company realized someone had bypassed the company’s two-factor authentication system, which would have enabled them to masquerade across FireEye’s network as a regular employee.
FireEye then followed a forensic trail to the earliest evidence of compromise, at last homing in on a SolarWinds server embedded within its network.
“There’s no magical wand where you find backdoors in software that we all purchase and trust,” said Mandia. “What leads us to do all that work was all the forensics, the 1000s of hours of forensics we did prior, that led us to recognize that SolarWinds needed to be reversed.”
Mandia said the firm examined 4,000 executable files and decompiled millions of lines of code before it was able to isolate the hacker’s handiwork.
Warner also lamented the weakness of U.S. data breach notification requirements, which allowed U.S.-based companies to cover up breaches and undermined the government’s ability to punish foreign nations for cyberattacks.
“The number of brand-name players that are involved in this who have not come forward would surprise the hell out of many of the people watching this,” Warner warned. “Can we ever respond if there’s not some requirement of reporting, of notification?”
While questioning other aspects of the Trump administration’s response to the SolarWinds compromise, Warner agreed with the intelligence community’s judgment that the attacker’s motives were consistent with those of traditional espionage.
Still, he cautioned that the access the hackers acquired gave them the capability to inflict far more damage than they chose to. He urged the government to develop a clearer set of norms around permissible forms of digital espionage, though he conceded he did not know what those might be.
“It’s not a NotPetya denial of service, a complete taking down of our system, but I think we have to decide, is this within the bounds of acceptable espionage?” said Warner. “Countries spy on each other. But the volume and level both in terms of governmental entities and in terms of private sector enterprises, and the level of sophistication, ought to be alarming to all of us.”
Moussouris pushed back against that idea, adding that it’s unlikely for adversaries to adopt standards set by the U.S.
“The idea of setting up norms in cyberspace is one that is thrown around a whole lot,” said Moussouris, who has decades of cybersecurity experience at Microsoft and the Department of Defense. “It feels to me like we’re in the decline of the digital Roman Empire and we’re trying to tell people that it’s not okay to use elephants to cross the Alps. Meanwhile, they’re using elephants to cross the Alps.”
In participating in an event organized days before, the panelists wound up confronting one more breach into the heart of the U.S. government than they bargained for.
Warner, of course, had a unique perspective. He participated in the mid-afternoon event even though he had been at the U.S. Senate until well after 4:00 a.m. Thursday, after violent mobs were egged on by a president they adored to storm the U.S. Capitol and disrupt the certification of an election he lost.
His eyes red and his face drawn, Warner trained most of his anger on what happened in the U.S. Capitol, urging the audience to keep the SolarWinds campaign in perspective.
“The images that have been conveyed around the world in the last 18 hours, in every form for us, is a bigger goldmine and more priceless to Vladimir Putin than anything that Russia has attained out of this intrusion,” said Warner. “I’m obviously pretty damn angry. My anger is not as the Senate Intelligence Committee Chairman. My anger is as an American elected official who believes in this system, and it is under full frontal assault.”