Monday, March 8, 2021
Home Tech & Gadget Microsoft president: The only reason we know about SolarWinds hack is because...

Microsoft president: The only reason we know about SolarWinds hack is because FireEye told us

Microsoft President Brad Smith takes part in a panel discussion with US President Donald Trump and industry executives on the country’s reopening, in the State Dining Room of the White House in Washington, DC, May 29, 2020.

Mandel Ngan | AFP | Getty Images

The massive hacking of government systems through a software vendor would have remained unknown to the public had it not been for a company’s decision to be transparent about a breach of its systems, Microsoft’s president said Tuesday, Brad Smith, to lawmakers.

“The fact that we are here today, discussing this attack, dissecting what went wrong and identifying ways to mitigate future risks, only happens because my fellow witness, Kevin Mandia, and his colleagues at FireEye , chose to be open and transparent about what they found in their own systems, and to invite us at Microsoft to work with them to investigate the attack, ”Smith told the Special Senate Committee on intelligence, according to his prepared remarks.

“Without this transparency, we probably still wouldn’t know about this campaign. In some ways, it’s one of the most powerful lessons for all of us. Without this kind of transparency, we won’t be able to strengthen cybersecurity. . “

Smith’s testimony highlights the number of cybersecurity incidents that may not be disclosed. Smith told lawmakers that private sector companies should be required to be transparent about material breaches in their systems. He compared the “patchwork” of disclosure requirements in the United States to more consistent obligations in countries like the European Union.

FireEye revealed in a regulatory filing in December that it was hacked by what it believed to be a state-sponsored actor who primarily sought information relating to its government clients. The company said the attack was unusually advanced, using “a new combination of techniques that we or our partners have not seen in the past.”

Shortly thereafter, Reuters reported that hackers potentially linked to Russia had accessed the mail systems of the departments of commerce and the US Treasury through software updates from SolarWinds. The Department of Defense, State Department and Department of Homeland Security were also affected, the New York Times later reported. Reuters reported, citing sources, that the SolarWinds attack was linked to the FireEye incident.

Days later, Reuters reported that Microsoft was also hacked. US agencies later shared that Russian actors were likely the source of the attack. Smith said in his written testimony that Microsoft does not dispute this assessment, saying, “Microsoft is unable to make a final attribution based on the data that we have seen.”

Smith told Congress that Microsoft notified 60 customers, mostly in the United States, that they had been compromised in the attack. But he warned lawmakers that there are certainly more victims yet to be identified. A White House cybersecurity adviser estimated last week that nine government agencies and around 100 private companies were affected by the attack. Smith told Congress that Microsoft has identified other government and private sector victims outside of the United States who have been affected.

Smith proposed that in addition to requiring more disclosures from private companies, the government should provide “faster and more comprehensive sharing” with the security community.

“A private sector disclosure requirement will promote greater visibility, which in turn can strengthen a national coordination strategy with the private sector that can increase responsiveness and agility,” Smith said in his written remarks. “The government is in a unique position to facilitate a fuller view and appropriate exchange of indicators of understanding and material facts regarding an incident.”

But Mandia, CEO of FireEye, told CNBC’s Eamon Javers in an interview ahead of Tuesday’s hearing that disclosure was “a pretty darn complex question.”

“The reason this is such a complex issue is because of all the responsibilities that companies face when making a public disclosure,” Mandia said. “They have shareholder lawsuits, they have a lot of business impact considerations. You don’t want to create a lot of fear, uncertainty and doubt unnecessarily either.”

Intelligence Committee Chairman Mark Warner, D-Va., Said in his opening remarks on Tuesday that it might be worth considering stricter disclosure requirements, even if it means creating protection against the responsibility of companies that comply with these disclosure obligations.

– CNBC’s Jessica Bursztynsky contributed to this report.

Subscribe to CNBC on YouTube.

WATCH: How SolarWinds Massive Hack Failed


Note: The content and images used in this article is rewritten and sourced from

Most Popular

CDC issues new guidance for people who are vaccinated against Covid

Pharmacist Madeline Acquilano inoculates public school safety officer Victor Rodriguez with the Johnson & Johnson Covid-19 vaccine at Hartford Hospital in Hartford, Connecticut...

JEE Main 2021 results announced on, here’s how to check score

New Delhi: The National Testing Agency (NTA) announced the results of JEE Main 2021 on Monday, March 8. Candidates who have taken...

‘Superman’ Henry Cavill dedicates heartwarming post to his mother on Women’s Day: ‘Learned an awful lot about being a good man from her’

Even Superman can't save the world if he doesn't have a strong woman to support him in his efforts. This is the...

Looming China extradition deal worries Uighurs in Turkey

Joining hundreds of women in Istanbul to protest against China's treatment of Uyghurs, Nursiman Abdurasit tearfully reflects on his mother imprisoned in Xinjiang...