The chief executive of SolarWinds on Monday said his company is still seeking a fuller understanding of the scope of the hack on its Orion software — and laying the groundwork for what SolarWinds, as well as the federal government, should be doing next.
“What we are… still learning is the breadth and depth of the sophistication of the attackers, number one,” Sudhakar Ramakrishna said at a Center for Strategic and International Studies online event where he noted that the company’s investigation into what happened is ongoing. “Number two is the patience with which they carried out these attacks, and obviously the persistence,” he said, citing as an example that the hackers appeared to use earlier versions of Orion code as a test bed for their eventual attack.
Ramakrishna took over as CEO weeks after news about the hack of SolarWinds’ updates to its Orion software had become public. The breach, part of a suspected Russian espionage campaign, eventually claimed victims in numerous federal government agencies and major technology companies.
The new CEO will need to explain the incident, though, to the Senate Intelligence Committee on Tuesday, and then during a joint hearing of the House Homeland Security and Oversight panels on Friday. It likely will take months to sift through the fallout from the breach and fully understand its ramifications, the White House previously said.
Next steps include overhauling how SolarWinds builds software in order to reduce the chance that someone can insert malware into the company’s technology before it’s certified, Ramakrishna said. That entails “parallel build systems” within the company whereby different people access the software and use different techniques to build it, he said.
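The gate such parallel build systems imply is a comparison step: two independently produced builds of the same release must agree byte for byte before anything is certified. The following is an added illustration, not SolarWinds' own tooling; the artifact names and contents are constructed, and the divergence in one file is planted to show what the check flags.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed manifests: what two independent build lines (different
# operators, different toolchains) report for the same release.
# File names and contents are hypothetical placeholders.
BUILD_A: Dict[str, bytes] = {
    "module-a.dll": b"release-1.0 module a",
    "module-b.dll": b"release-1.0 module b",
    "installer.exe": b"release-1.0 installer",
}
BUILD_B: Dict[str, bytes] = {
    "module-a.dll": b"release-1.0 module a",
    "module-b.dll": b"release-1.0 module b",
    # One build line emitted different bytes: the case the gate must catch.
    "installer.exe": b"release-1.0 installer plus unexpected bytes",
}


def digest_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each artifact name to the SHA-256 hex digest of its bytes."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def compare_builds(a: Dict[str, bytes], b: Dict[str, bytes]) -> Tuple[bool, List[str]]:
    """Return (certify_ok, findings).

    Certification is allowed only when every artifact is present in both
    build lines and hashes identically; any gap or mismatch holds the release.
    """
    da, db = digest_manifest(a), digest_manifest(b)
    findings: List[str] = []
    for name in sorted(set(da) | set(db)):
        if name not in da or name not in db:
            findings.append(f"MISSING {name}: present in only one build line")
        elif da[name] != db[name]:
            findings.append(f"MISMATCH {name}: {da[name][:12]} != {db[name][:12]}")
    return (not findings), findings


if __name__ == "__main__":
    ok, findings = compare_builds(BUILD_A, BUILD_B)
    print("certify release" if ok else "HOLD release")
    for line in findings:
        print(" ", line)
```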
It also means reexamining the design choices that made the company such a ripe target, such as the fact that “when you gain access to the Orion platform, you gain administrative privileges to the Windows server that the Orion platform is running on,” whereas perhaps lower privileges would’ve made more sense, he said.
SolarWinds is also working with other companies on what lessons federal agencies like the National Institute of Standards and Technology and Defense Department can take on setting standards, Ramakrishna said.
While he said federal agencies have worked well with his company, he still wishes there was one centralized location where industry could report all breach information that could then be shared across government. Federal policymakers have long wrestled with how to do that, proposing the creation of one cybersecurity department or a cyber-like National Transportation Safety Board or, more recently, establishing a national cyber director within the White House.
CSIS’s Suzanne Spaulding asked Ramakrishna about a 2015 information sharing law that offered companies liability protections for passing on threat data — a law that has only demonstrated halting progress on threat information exchanges. Ramakrishna answered that the potential for lawsuits is “a topic that we think about, but it’s not a top of mind topic for us at this point.” Instead, as a mid-sized company, he said he finds the number of federal agencies involved in cybersecurity daunting.