On February 26th, a congressional hearing pertaining to the SolarWinds hack got underway. Executives from a suite of major software companies briefed senators on the latest SolarWinds-related findings and discussed how to prevent similar attacks in the future.
The SolarWinds attack took place on US soil. While the National Security Agency (NSA) may have the authority to surveil international computer networks, it cannot legally surveil domestic ones, which helps to explain why the NSA missed the attack.
Amazon, although invited to attend the hearing, declined to send a representative. The attackers used EC2 (Amazon Elastic Compute Cloud). Amazon has reportedly shared AWS-related information with the federal government, but it does not wish to make that information public.
In the US, information often sits in silos. The engineers behind the SolarWinds breach may have known about the lack of public-private cyber security information sharing in the US. The “fingerprints” of the attack were scattered across a variety of organizations, but none of those organizations communicated the details to one another, which is part of why the attack quietly persisted for more than a year.
According to the Senate, there may be interest in creating an incentive-based program that encourages public- and private-sector reporting of cyber security breaches.