Microsoft revealed late last week that it has completed its analysis and found no evidence that the hackers abused its internal systems or products. The hackers did make off with source code, specifically small subsets of Azure, Intune, and Exchange. Microsoft has also released, free of charge, the toolkit it developed to search its own code for the malware.
Channel Futures explores how parts of Microsoft's investigation concluded rather quickly and may be self-serving. I've included a link to the piece for those perspectives.
The Biden administration has called on countries to come together to shape the "rules of the road" on cybersecurity and technology issues, particularly as they relate to China and Russia.
On Tuesday, the Senate Intelligence Committee heard testimony from SolarWinds, Microsoft, FireEye, and CrowdStrike. Microsoft's Brad Smith called for "a clear, consistent disclosure obligation on the private sector", noting that the company was not legally required to publicly disclose that it had been breached. Amazon was invited to attend but declined, despite AWS having been used in the attack. Also of note: Smith described this as a multi-decade attack carried out by more than a thousand engineers. SolarWinds' CEO suggested that liability protections for companies sharing information about incidents would be helpful, although Committee Chair Senator Warner stated that he did not want to forgive sloppy behavior.
On Thursday, AWS disclosed that the hackers used Amazon Elastic Compute Cloud servers, purchased through multiple service providers, as part of the attack.
SolarWinds itself is investing up to $25M in security, as revealed on its quarterly investor call. The company beat Seeking Alpha's revenue estimates for Q4 and has moved to quarter-by-quarter forecasts because of the breach.
Finally, as Congress reviews the security situation more broadly, there are calls for a "Cyber Ambassador" in the State Department. The idea is a single liaison between foreign officials, federal agencies, and private companies.
Why do we care?
I’m a bit skeptical of a cyber ambassador, but you can see in the hearings that we’re headed towards SOME kinds of notification and collaboration requirements. Microsoft and FireEye both asked for it specifically!
Let's dwell here for a moment. Sharing information is a very positive approach and critical to moving forward; think of industry sharing organizations. Setting minimum requirements, with appropriate protections, is the role of regulators. Then you layer the industry sharing piece on top. As Senator Warner highlighted, we cannot protect sloppy operators at any level, but we also have to have guidelines.
Microsoft (in my view) is being very open. That's not to dismiss the cybersecurity experts, who have some valid points. Just compare it to Amazon, which isn't bothering to show up. Which do you really want? Unless the whole industry is allowed to disarm at the same time and create a space for that conversation, it won't happen. That's all down to liability.