[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]




 
                         WEATHERING THE STORM:
                        THE ROLE OF PRIVATE TECH
                        IN THE SOLARWINDS BREACH
                          AND ONGOING CAMPAIGN

=======================================================================

                             JOINT HEARING

                               before the

                   COMMITTEE ON OVERSIGHT AND REFORM

                     U.S. HOUSE OF REPRESENTATIVES

                           [Serial No. 117-5]

                                and the

                     COMMITTEE ON HOMELAND SECURITY

                     U.S. HOUSE OF REPRESENTATIVES

                           [Serial No. 117-4]

                    ONE HUNDRED SEVENTEENTH CONGRESS

                             FIRST SESSION

                               __________

                           FEBRUARY 26, 2021

                               __________

      Printed for the use of the Committee on Oversight and Reform

                       Available on: govinfo.gov
                           oversight.house.gov
                             docs.house.gov
                               ______                       


               U.S. GOVERNMENT PUBLISHING OFFICE 
 43-755 PDF             WASHINGTON : 2021

                   COMMITTEE ON OVERSIGHT AND REFORM

                CAROLYN B. MALONEY, New York, Chairwoman

Eleanor Holmes Norton, District of   James Comer, Kentucky, Ranking 
    Columbia                             Minority Member
Stephen F. Lynch, Massachusetts      Jim Jordan, Ohio
Jim Cooper, Tennessee                Paul A. Gosar, Arizona
Gerald E. Connolly, Virginia         Virginia Foxx, North Carolina
Raja Krishnamoorthi, Illinois        Jody B. Hice, Georgia
Jamie Raskin, Maryland               Glenn Grothman, Wisconsin
Ro Khanna, California                Michael Cloud, Texas
Kweisi Mfume, Maryland               Bob Gibbs, Ohio
Alexandria Ocasio-Cortez, New York   Clay Higgins, Louisiana
Rashida Tlaib, Michigan              Ralph Norman, South Carolina
Katie Porter, California             Pete Sessions, Texas
Cori Bush, Missouri                  Fred Keller, Pennsylvania
Danny K. Davis, Illinois             Andy Biggs, Arizona
Debbie Wasserman Schultz, Florida    Andrew Clyde, Georgia
Peter Welch, Vermont                 Nancy Mace, South Carolina
Henry C. "Hank" Johnson, Jr.,        Scott Franklin, Florida
    Georgia                          Jake LaTurner, Kansas
John P. Sarbanes, Maryland           Pat Fallon, Texas
Jackie Speier, California            Yvette Herrell, New Mexico
Robin L. Kelly, Illinois             Byron Donalds, Florida
Brenda L. Lawrence, Michigan
Mark DeSaulnier, California
Jimmy Gomez, California
Ayanna Pressley, Massachusetts
Vacancy

                     David Rapallo, Staff Director
                Peter Kenny, Chief Investigative Counsel
                       Elisa LaNier, Chief Clerk

                  Mark Marin, Minority Staff Director

                      Contact Number: 202-225-5051
                                 ------                                
                     COMMITTEE ON HOMELAND SECURITY

               Bennie G. Thompson, Mississippi, Chairman
Sheila Jackson Lee, Texas            John Katko, New York Ranking 
James R. Langevin, Rhode Island          Minority Member
Donald M. Payne, Jr., New Jersey     Michael T. McCaul, Texas
J. Luis Correa, California           Clay Higgins, Louisiana
Elissa Slotkin, Michigan             Michael Guest, Mississippi
Emanuel Cleaver, Missouri            Dan Bishop, North Carolina
Al Green, Texas                      Jefferson Van Drew, New Jersey
Yvette D. Clarke, New York           Ralph Norman, South Carolina
Eric Swalwell, California            Mariannette Miller-Meeks, Iowa
Dina Titus, Nevada                   Diana Harshbarger, Tennessee
Bonnie Watson Coleman, New Jersey    Andrew S. Clyde, Georgia
Kathleen M. Rice, New York           Carlos A. Gimenez, Florida
Val Butler Demings, Florida          Jake LaTurner, Kansas
Nanette Diaz Barragan, California    Peter Meijer, Michigan
Josh Gottheimer, New Jersey          Kat Cammack, Florida
Elaine G. Luria, Virginia            August Pfluger, Texas
Tom Malinowski, New Jersey           Andrew R. Garbarino, New York
Ritchie Torres, New York
                       Hope Goins, Staff Director
                 Daniel Kroese, Minority Staff Director
                          Natalie Nixon, Clerk
                          
                         C  O  N  T  E  N  T  S

                              ----------                              
                                                                   Page
Hearing held on February 26, 2021................................     1

                               Witnesses

Sudhakar Ramakrishna, President and Chief Executive Officer, 
  SolarWinds Corporation; accompanied by Kevin B. Thompson, 
  Former Chief Executive Officer, SolarWinds Corporation
Oral Statement...................................................     8

Kevin Mandia, Chief Executive Officer, FireEye, Inc.
Oral Statement...................................................     9

Brad Smith, President and Chief Legal Officer, Microsoft 
  Corporation
Oral Statement...................................................    11

Written opening statements and statements for the witnesses are 
  available in the U.S. House of Representatives Document 
  Repository at: docs.house.gov.

                           Index of Documents

                              ----------                              

  * Statement for the Record; submitted by Rep. Connolly.

  * Questions for the Record to: Ramakrishna; submitted by 
  Chairwoman Maloney.

  * Questions for the Record to: Thompson; submitted by 
  Chairwoman Maloney.

  * Questions for the Record to: Mandia; submitted by Chairwoman 
  Maloney.

  * Questions for the Record to: Smith; submitted by Chairwoman 
  Maloney.

  * Questions for the Record to: Ramakrishna; submitted by 
  Committee Chairman Thompson (Homeland), Rep. Titus, and Rep. 
  Guest.

  * Questions for the Record to: Thompson; submitted by Committee 
  Chairman Thompson (Homeland), Rep. Titus, and Rep. Guest.

  * Questions for the Record to: Smith; submitted by Committee 
  Chairman Thompson (Homeland), Rep. Titus, and Rep. Guest.

Documents entered into the record during this hearing, and 
  Questions for the Record (QFR's) with responses are available 
  at: docs.house.gov.


                         WEATHERING THE STORM:

                        THE ROLE OF PRIVATE TECH

                        IN THE SOLARWINDS BREACH

                          AND ONGOING CAMPAIGN

                              ----------                              


                       Friday, February 26, 2021

                  House of Representatives,
                          Committee on Oversight and Reform
                             Committee on Homeland Security
                                                   Washington, D.C.

    The committees met, pursuant to notice, at 9:06 a.m., via 
Webex, Hon. Carolyn Maloney [chairwoman of the Committee on 
Oversight and Reform] presiding.
    Present from Committee on Oversight and Reform: 
Representatives Maloney, Norton, Lynch, Cooper, Connolly, 
Krishnamoorthi, Khanna, Mfume, Porter, Tlaib, Bush, Rice, 
Wasserman Schultz, Welch, Johnson, Sarbanes, Speier, Kelly, 
DeSaulnier, Comer, Jordan, Hice, Grothman, Cloud, Keller, 
Sessions, Biggs, Donalds, Fallon, and Franklin.
    Present from Committee on Homeland Security: 
Representatives Thompson, Langevin, Payne, Correa, Slotkin, 
Cleaver, Clarke, Swalwell, Watson Coleman, Rice, Demings, 
Barragan, Gottheimer, Malinowski, Torres, Katko, McCaul, 
Higgins, Guest, Bishop, Van Drew, Norman, Miller-Meeks, 
Harshbarger, Clyde, Gimenez, LaTurner, Meijer, Cammack, 
Pfluger, and Garbarino.
    Chairwoman Maloney. The committee will come to order.
    Without objection, the chair is authorized to declare a 
recess of the committee at any time.
    I now recognize myself for an opening statement.
    Good morning. I want to welcome everyone to this joint 
hearing of the Committee on Oversight and Reform and the 
Committee on Homeland Security. Welcome to Chairman Thompson, 
Ranking Member Katko, Ranking Member Comer, and all of our 
members. Today's hearing is the first in the House on the 
cyberattack uncovered last year that initially targeted the 
software company, SolarWinds, and its Orion product. The 
details are truly frightening.
    Here is what we know. A sophisticated attacker, reported to 
be the Russian Government, broke into SolarWinds' system and 
inserted malicious code into its software which customers then 
downloaded. The numbers tell how dangerous an attack like this 
can be. Nearly 18,000 customers downloaded updates containing 
the malicious code. It is not just the number of potential 
victims, as staggering as that is, or even the number of known 
victims of secondary attacks, but the nature of this attack and 
the profiles of victims that should give us all grave concern. 
Among the victims were major technology companies, some of 
which have the best cybersecurity in the world, as well as 
critical infrastructure firms, our Nation's law enforcement and 
government agencies involved in foreign affairs, and national 
security. It has affected approximately 100 private sector 
companies and at least nine Federal agencies, including the 
Department of Homeland Security, Department of Justice, 
State, and Treasury, and that is just what we know. There is 
much more that we still don't know. We still don't know if they 
are still in the system. In the weeks and months ahead, our 
committee will continue our joint investigation to examine 
other aspects of this massive attack.
    Today, our focus is on the private sector. The private 
sector plays a key role in our Nation's cyber defenses, they 
own critical infrastructure, and they develop essential 
information, communications, and technology products. They help 
the government and other companies secure and defend their own 
networks. It was the private sector that uncovered this attack, 
not our own government. Specifically, FireEye discovered it, 
reported its findings, and shared it with the world. Had 
FireEye not taken that action, the attack could very well be 
fully up and running today.
    At the same time, the private sector was targeted as part 
of a campaign to gain access to government networks and other 
entities. All of the companies here today are victims of this 
attack, and all provide products and services to the government 
that puts the government at risk. Additionally, it is the 
private sector to whom the government must turn. In particular, 
the government has turned to Microsoft to learn whether it was 
exposed and how badly due to the widespread adoption of Office 
365 Cloud.
    The private sector must be held accountable for its role. 
Our committees recently obtained a presentation made by a 
former employee at SolarWinds named Ian Thornton-Trump. The 23-
page presentation, a portion of which I will put up on the 
screen now, appears to include a proposal from 2017 that 
stated, and I quote, "The survival of the company depends on 
an internal commitment to security. The survival of our 
customers depends on a commitment to build secure solutions." 
I look forward to hearing from Mr. Thompson about the steps the 
company took in response.
    Cybersecurity demands strong leadership, but, 
unfortunately, we have suffered under four years of terrible 
leadership at the very top. On December 18, Secretary of State 
Mike Pompeo stated during a public interview, and I quote, 
"This was a very significant effort, and I think it's the case 
that now we can say pretty clearly that it was the Russians 
that engaged in this activity." Yet the very next day, 
President Trump tweeted this, and I quote, "The cyber hack is 
far greater in the fake news media than in actuality."
    So, what can we do now? First, I am pleased the Biden 
Administration has taken early steps to elevate the importance 
of cybersecurity and supply chain risk. Our committee plans to 
focus on Federal procurement. The government pays hundreds of 
billions of dollars for goods and services each year. We must 
demand better cybersecurity practices from our suppliers as 
well as increased information sharing with the private sector 
as a product of the contract agreement. Finally, the Oversight 
Committee plans to closely review agency roles, 
responsibilities, and strategy under the Federal Information 
Security Modernization Act, known as FISMA, to meet the complex 
and dynamic cybersecurity landscape of today. Much work needs 
to be done. Today and in the weeks and months ahead, we will 
focus on the facts with an eye toward legislative solutions in 
how we can improve cyber defenses across both the public and 
private sectors.
    With that, I now recognize the distinguished ranking 
member, Mr. Comer, for his opening statement.
    Mr. Comer [continuing]. Thanking the chairwoman for having 
this hearing. Last year, our Federal Government was hacked in 
the largest cyberattack in history. Some of the largest 
technology companies in the country were also hacked. The 
cyberattack took months of planning. It took extreme patience 
to execute. According to all the experts, it was incredibly 
sophisticated. The attackers covered their steps so they would 
not be detected, and it was wildly successful. According to one 
of our witnesses today, over 1,000 people were involved in the 
attack, and the likely culprit of the attack? Russia.
    Three months after the attack was discovered, there is 
still a lot we don't know, and many government agencies and 
companies were hacked. We don't know what the extent of the 
damage is, whether or not the Russians still have access to the 
systems they hacked, or whether we have been able to 
successfully kick them out. You may not have heard about this 
attack because it hasn't affected your daily life. You still go 
home to a warm house every night, you can still flip on the 
television at night and watch TV, you can still FaceTime with 
your friends and family, but that is only because the attackers 
chose not to disrupt those activities. As far as we know, this 
attack was an espionage campaign, an intelligence-gathering 
operation only, but what the attackers have shown us is none of 
the software we use in our daily lives is truly safe. The apps 
we download on our phones, laptops, and tablets, any device, 
can be sabotaged.
    Last week, we all prayed for millions of people in Texas as 
the power grid failed and they froze in their homes. Now, 
imagine if an adversary had the ability to take our electric 
grid offline in the dead of winter or the peak of summer. Now, 
imagine if this took place during a national crisis. Imagine if 
an adversary wanted to toy with our financial markets. Imagine 
if an adversary had the ability to control supply chains and 
manipulate whatever they wanted. It doesn't take much to 
realize the horror that would ensue if an adversary were 
motivated to do any of these things.
    The attackers did not take down our electric grid, poison 
our water, or cause chaos in our financial system, among other 
necessities or occurrences of our daily lives. At least this 
time they didn't, but that is not to say they couldn't have. 
The truth is this attack is still ongoing even today and has 
not been completely neutralized. This offers the potential for 
unforeseen additional damage. The fact the attackers did not do 
these things that received the attention of Americans going 
about their everyday lives says nothing of their capabilities 
to do so the next time. This isn't the first-ever attack of 
this kind, nor will it be the last. For far too long, 
cybersecurity has been addressed as the mere cost of doing 
business, an add-on, a minor line item to simply check the box. 
This mindset must end.
    No one, including Congress, the Administration, or the 
private sector can afford to allow this moment pass without 
ensuring we finally adopt effective solutions. I appreciate 
this opportunity to review what happened in this massive 
cyberattack that one of our witnesses referred to as the 
largest ever, and to play a part in developing a game plan for 
deterring and responding to any future event. I am convinced, 
though, that cybersecurity must not be left to the recesses of 
academic debate or half-hearted compliance, but, instead, it 
must become a daily focus for all involved in software 
development, procurement, and operations.
    Just contemplate for a moment this particular attack. 
Companies, which many expect to secure their systems with 
topnotch cybersecurity, were the very ones who failed to 
identify the attack before damage had already occurred. Some of 
those organizations are here today. The same goes for our 
government agencies who glaringly missed the adversary's nearly 
year-long presence freely roaming about in our most sensitive 
network. I believe the time has come to take concrete action to 
actively defend our Nation from foreign cyberattacks just as 
forcefully and with the same resources as we would if the 
instrument of attack were physical or kinetic. We don't sit 
back when our country is physically breached or our homes and 
places of business are invaded, and neither should our 
responses be to roll over following an attack in cyberspace.
    It is only a matter of time or chance until we are faced 
with real disruption and destruction. We must do everything in 
our power to defend this digital sphere and forecast to our 
adversaries that we at least are no longer asleep at the wheel. 
I yield back.
    Chairwoman Maloney. Chairman Thompson. I now recognize 
Chairman Thompson for his opening statement.
    Mr. Thompson. Thank you very much. Good morning. I would 
like to thank Chairwoman Maloney for holding today's joint 
hearing on the SolarWinds breach and the related malicious 
cybercampaign. Just over two months ago, we learned that a 
state actor, likely Russia, had engaged in a large-scale 
cybercampaign, infiltrating government and private sector 
networks and burrowing inside them. By the time FireEye 
voluntarily shared information about the breach of its network, 
Russian actors had established a presence on victims' networks, 
undetected for nearly a year. That is hardly comforting. While 
the campaign is notable for its patience, persistence, scope, 
and scale, the methods and tools used, though sophisticated, 
are not entirely new.
    NotPetya, a 2017 destructive supply chain attack with a 
global impact, involved Russian actors compromising Ukrainian 
tax preparation software to access victims' networks. That same 
year, security researchers published their findings regarding 
an attack vector using forged SAML tokens. Nonetheless, the 
Federal Government and the private sector were caught flat 
footed. I do not mean to diminish the complexity of the attack 
or to suggest we could have prevented it, but I want to make a 
point that our collective failure to make cybersecurity a 
central component of our national security and invest in it 
accordingly contributed to the success of the campaign and the 
difficulty we face in understanding its impact. In short, past 
warnings of what could come failed to trigger a meaningful 
shift in our approach to security.
    My goal in our joint investigation is to move beyond 
admiring the complexities of this campaign and the challenges 
associated with stopping one like it and start charting a path 
forward. In the 15 years I have served on the Homeland Security 
Committee, one thing has become clear. We can't become so 
consumed by preventing the last attack that we are blind to the 
threats of the future. Instead, we must identify systematic 
opportunities to improve our ability to prevent, defend 
against, mitigate, and raise the cost of all malicious 
cyberactivity. Toward that end, I hope to identify a 
combination of near-term fixes and longer-term structural 
solutions that will improve our ability to better understand 
the adversary, defend our networks, and identify attacks more 
quickly.
    None of the witnesses here today can have a conversation 
with me or with the Cybersecurity and Infrastructure Security 
Agency about malicious activity occurring on an agency network 
because of restrictions agencies add in their contracts. That 
unnecessarily complicates our oversight work, limits 
situational awareness, and slows recovery. I believe that is a 
problem we can fix quickly. In recent days, I have been 
encouraged to learn of growing interest in enacting a cyber 
incident reporting law. Former chairman of the Cybersecurity 
Subcommittee, Cedric Richmond, authored an amendment included 
in the House-passed National Defense Authorization Act that 
would have established a cyber incident notification 
requirement. Unfortunately, we were unable to reach agreement 
with our Senate counterparts, but we look forward to trying 
again this year and hope we can enact cyber incident 
notification legislation in short order.
    In the longer term, we must figure out how to make security 
a value proposition, not only for policymakers, but for 
investors in the private sector who are focused on earnings. We 
must address persistent challenges in threat information 
sharing and find more strategic ways to effectively leverage 
the unique capabilities of the government and the private 
sector in our shared goals of better security. In that vein, it 
may be time to reassess the obligation of large, highly-
resourced companies with outsized footprints in our economy, in 
our government, and evaluate whether more should be expected of 
them. And we need to find ways to change behavior in the 
private sector, particularly those in the government supply 
chain, so executives value security as much as earnings 
statements and fast product rollout. I look forward to candid 
conversations about these issues today.
    Before I close, I want to thank our witnesses for being 
here today. Since December, I have been impressed by the degree 
of transparency in their conversations with us. It is important 
to have a complete record of what happened, and how, so we can 
have a candid conversation about what needs to change. With 
that, I yield back the balance of my time.
    Chairwoman Maloney. I now recognize Ranking Member Katko 
for his opening statement.
    Mr. Katko. Chairwoman Maloney, and Chairman Thompson, and 
Ranking Member Comer, and all my other colleagues that are with 
us today, this is a very important hearing. It is one of the 
most important threats facing our country today, cybersecurity, 
and it is important, I think, that we take a good look at the 
situation and learn from it.
    As everyone in this hearing knows, we are in the midst of 
arguably the most devastating espionage campaign ever waged 
against our Nation. With each passing day, we learn more about 
the tactics, techniques, procedures, and unprecedented 
sophistication surrounding this campaign. While a number of 
details remain elusive, the overall picture is slowly coming 
together, and much of this incremental clarity is due to what 
we have learned from our private sector partners, so I 
appreciate their steady engagement in the whole-of-society 
response. I also recognize that we need more of this private 
sector sharing. I hope we can spend our time during this 
hearing evaluating the best paths forward. How can the 
cybersecurity community do more than just bounce back, but also 
bounce forward from these events?
    From my vantage point, we know enough to identify initial 
lanes of policy responses that fall into five categories. 
First, we need to seriously rethink our fragmented approach to 
dot-gov security by centralizing authority with the 
Cybersecurity and Infrastructure Security Agency, known as 
CISA, wherever possible. While CISA's Federal hunt authority 
from the 2021 NDAA is a welcome step in the right direction, 
CISA still does not have the proper authorities, resources, or 
holistic visibility into the Federal networks enterprise to 
effectively defend and nimbly respond to attacks.
    Second, we need to better understand the nature and extent 
of third-party cyber risks. With no disrespect at all to our 
witness, Mr. Ramakrishna, relatively few people had even heard 
of SolarWinds in early December 2020, yet its products are 
leveraged by most of the Fortune 500, with a relationship 
between vendor and customer that inherently enables a high 
degree of administrative privilege on the host network. In this 
interconnected web of hardware, software, and services that 
underpin our way of life, there are concentrated sources of 
risk that could result in cascading or systemic impact if we 
assume there is a breach. We need to better illuminate answers 
to these questions.
    Third, once we identify the potentially concentrated 
sources of cyber risk, we need to ensure that vendor 
certification processes actually reduce that risk, not create 
perfunctory compliance exercises. There are a number of vendor 
certification or risk of judgment regimes in various stages of 
operationalization right now across the Federal Government with 
DOD's Cybersecurity Maturity Model Certification, or CMMC, and 
the Federal Acquisition Security Council, or FASC, garnering 
the most headlines. Let's work together to ensure these regimes 
accomplish our common goal of actually reducing the risk.
    Fourth, we need to drive better software assurance and 
development life cycle practices across the entire ecosystem. 
Whether software flaws are deliberate or not, the software 
supply chain represents an attack vector that, if exploited, 
leaves the potential for a digital pandemic of sorts, where the 
impact of one bad line of code can be felt across the entire 
country. Last, we must impose real costs on cyber adversaries 
like Russia, China, Iran, and North Korea. While there is no 
silver bullet, deterrence still matters. Naming and shaming, 
indictments, sanctions, offensive measures where appropriate--
these should all be tools in our toolkit and tools that we 
utilize. From the sophisticated nation-state-led incident to 
the more routine, such as ransomware, the cost-benefit analysis 
of cyber aggression still favors adversaries far too often. In 
short, they are winning the modern-day arms race, and we need 
to step up. I welcome the recent announcement by the 
Administration to begin to hold Russia accountable through 
sanctions. I hope those sanctions are real, I hope they are 
firm, and I hope they are severe.
    I imagine we will hear a constructive dialog today about 
breach notification and incident reporting. An undeniable gap 
in our country's cybersecurity posture is the fact that there 
is not a consistent, overarching incentive for industry to 
disclose a breach. As a result, our Federal agencies are often 
operating in the dark instead of having access to the critical 
aggregate data regarding the tactics, techniques, and 
procedures of bad actors. As we move forward, we must consider 
approaches to close this gap. Whether that should be 
partnership based or compulsory or hybrid is yet to be seen, 
and I welcome robust private sector feedback on this issue.
    These are all necessary and worthy policy conversations for 
our homeland security, but we must also not lose sight of the 
immediate needs to put necessary resources toward the Federal 
dot-gov SolarWinds response. I feel strongly that any executive 
branch actions related to SolarWinds must build upon and 
bolster CISA's mission as the lead Federal civilian 
cybersecurity agency, as I recently stated in a letter to 
President Biden.
    I, again, want to thank our witnesses for testifying today. 
I look forward to hearing from you all on an issue of great 
bipartisan interest for the Nation. I yield back.
    Chairwoman Maloney. Now I will introduce our witnesses. Our 
first witness today is Sudhakar Ramakrishna, who is the current 
CEO of SolarWinds. Then we will hear from Kevin Thompson, who 
is the former CEO of SolarWinds. Next, we will hear from Kevin 
Mandia, who is the CEO of FireEye. Finally, we will hear from 
Brad Smith, who is the president of Microsoft. The witnesses 
will be unmuted so we can swear them in. Please raise your 
right hands.
    Do you swear or affirm that the testimony you are about to 
give is the truth, the whole truth, so help you God?
    [Chorus of ayes.]
    Chairwoman Maloney. Let the record show the witnesses 
answered in the affirmative. Thank you. And without objection, 
your written statements will be part of the record. With that, 
Mr. Ramakrishna, you are now recognized for your testimony.

    STATEMENT OF SUDHAKAR RAMAKRISHNA, PRESIDENT AND CHIEF 
EXECUTIVE OFFICER, SOLARWINDS CORPORATION; ACCOMPANIED BY KEVIN 
    B. THOMPSON, FORMER CHIEF EXECUTIVE OFFICER, SOLARWINDS 
                          CORPORATION

    Mr. Ramakrishna. Chairwoman Maloney, Chairman Thompson, 
Ranking Member Comer, and Ranking Member Katko, and members of 
the committee, on behalf of SolarWinds employees, customers, 
and partners in the U.S. and around the world, I would first 
like to say thank you for inviting us to participate in your 
hearing today. By way of background, my name is Sudhakar 
Ramakrishna, and I joined SolarWinds as president and CEO on 
January 4 of this year. I was previously CEO of Pulse Secure 
and before that held other executive roles at technology 
companies. In these roles, I have had the experience of being 
involved in cyber incidents and seen firsthand the challenges 
they present as well as the opportunities for learnings and 
improvements.
    Also joining me today is Kevin Thompson, who served as our 
president and CEO for 10 years until his departure on December 
31, 2020, which he had previously announced in August 2020. Mr. 
Thompson cares very much for our customers and employees, and 
we appreciate his long service to the company. To aid in our 
investigation, he has agreed to serve as a special advisor to 
me and the board. He has had the opportunity to meet the staff 
of both of your committees to provide early insight into the 
event. While our products and customers were subject of this 
unfortunate and reckless attack, we take our obligations 
seriously to work tirelessly to understand it better, to help 
our customers, and to be transparent with our learnings.
    SolarWinds started in 1999 in Oklahoma as a provider of 
network tools, and we have remained true to the mission of 
helping IT professionals solve problems and better manage IT 
environments, now through more than 90 products. Today, we 
remain a U.S.-headquartered company, and our 3,000 dedicated 
employees work hard every day to help customers succeed. When 
we learned of these attacks, our top priority was to ensure 
that our customers were safe and protected. Our teams have been 
working tirelessly to help our many customers first and 
foremost, while also investigating the what, who, and how of 
the attack. We acted quickly to disclose the attacks, provide 
remediations and support to our customers, and share our 
learnings publicly.
    We believe our Orion platform was specifically targeted in 
this nation-state operation to create a backdoor into IT 
environments of select customers through versions that we 
released between March and June 2020. That is a three-month 
window. SUNBURST has been removed and is not an ongoing threat 
in Orion. Additionally, after extensive investigations, we have 
not found SUNBURST in any of our more than 70 non-Orion 
products. Perhaps the most significant finding of our 
investigations to date was the discovery of what the threat 
actor used to inject SUNBURST into the Orion platform. The 
injected tool, named SUNSPOT, poses a grave risk to automated 
supply chain attacks through many software development 
companies since the software build processes, like ours, are 
very common in the industry.
    As part of our commitment to transparency, collaboration, 
and timely communications, we immediately informed our 
government partners and published our findings with the 
intention of helping other companies combat current and future 
attacks. We understand the gravity of the situation and are 
applying our learnings from the event and sharing this work 
more broadly. Internally, we are referring to our work as 
Secure by Design, and it is premised on zero-trust principles 
and developing a best-in-class secure software development 
model to ensure our customers can have the utmost confidence in 
our solutions.
    We have published details regarding our efforts, but, in 
summary, they are focused on three primary areas: first, 
further securing our internal environments; second, enhancing 
our product development environments; and third, ensuring the 
security and integrity of the products we deliver. Given our 
unique experience, we are committed to not only leading the way 
with respect to secure software development, but to share our 
learnings with the industry. While numerous experts have 
commented on the difficulties that these nation-state 
operations present for any company, we're embracing our 
responsibility to be an active participant in helping prevent 
these types of attacks. Everyone at SolarWinds is committed to 
doing so, and we value the trust and confidence our customers 
place in us.
    Thank you again for your leadership in this very important 
topic. We appreciate the opportunity to share our experience 
and our learnings, and I look forward to addressing your 
questions. Thank you.
    Mr. Lynch. [Presiding.] Thank you, Mr. Ramakrishna, and 
because Mr. Thompson and Mr. Ramakrishna submitted joint 
testimony, Mr. Thompson is not providing oral testimony at this 
time. Therefore, we are going to move on to Mr. Mandia. Mr. 
Mandia, you are now recognized for your five minutes of 
testimony.

 STATEMENT OF KEVIN MANDIA, CHIEF EXECUTIVE OFFICER, FIREEYE, 
                              INC.

    Mr. Mandia. Thank you. I would like to thank Chairwoman 
Maloney, Ranking Member Comer, Chairman Thompson, and Ranking 
Member Katko for this opportunity, and I am excited to share my 
observations with you, a first-hand account of what took place 
at FireEye and at many of these other victims. So, I am going 
to share what happened to most of the victim organizations, and 
I know Mr. Smith's going next. He's going to talk a lot more 
about what to do about it, and though I have opinions about who 
did it and what to do about it, I'll reserve those for the 
moment when we get questions.
    I want to set a little bit of background first about what 
FireEye does, and it is just to provide context. Responding to 
breaches is what we do for a living. So, when we ourselves were 
breached based on having a SolarWinds implant, we put nearly 
100 people on the job, and the majority of the folks working 
it, figuring out what happened and what to do about it, did 
their proverbial 10,000 hours of computer forensics on 
intrusions. And as I'm sitting here talking to these 
committees, we're responding to over 150 security breaches, and 
in 2020, a tough year for chief information security officers, 
we responded to nearly 1,000 security breaches globally. So, 
we're a company that every time we respond, we're the 
detectives, and we take the trace evidence of every single 
breach that we have firsthand experience of, and we put in a 
data base and track it. So, with that, let me talk about the 
anatomy of this intrusion.
    First and foremost, everybody's calling it the SolarWinds 
hack. In reality, this is an ongoing saga. The group that did 
the compromise that led to 100 different organizations 
compromised and nine government agencies compromised is not new 
to the game. These are folks that are special operations. And 
think of it as, if you're an organization and you've locked 
your doors and locked your windows, this is the special ops 
robbing the house, not some average criminal just trying to 
shake the doorknobs or trying to crack open the windows. So, 
this was the varsity team on offense, and all the signs, all 
the digital fingerprints that our company cataloged prove 
that, that this was a foreign intelligence service.
    So, stepping through the anatomy of this intrusion, I look 
at it in two stages. Stage one, the attacker had to break into 
SolarWinds, and when they did that, you already heard the 
details from Mr. Ramakrishna that the attackers did something 
that's pretty darn hard to detect. At the very end of a build 
process, they altered the production environment. So, this 
isn't somebody hacking in and changing source code. They're 
hacking the build process, and when you go to build your 
production code, it is altered at the last minute. In this 
case, to provide the timeline, the attackers that broke into 
SolarWinds for this stage one of this whole campaign, the first 
thing they did, they got the implant in, but the implant was 
innocuous, and there's evidence that in October 2019, the 
threat actors put the innocuous code in simply to test, ``Do we 
have a way to get into the supply chain?'' After the attacker 
proved that they could get their arbitrary code into 
production, then they created, by March 2020, an implant that 
provided surreptitious access to anyone who updated their 
networks with the next SolarWinds update to the Orion platform.
    So, how did we find this implant at FireEye? We found it 
based on literally exhausting every single other investigative 
lead at FireEye. We had detected some unusual activity on our 
network, and when we investigated that and started pulling the 
thread, the earliest evidence of compromise kept going back to 
a SolarWinds server. And the reason I am sharing this story 
with you is there is no magic wand on finding an implant. 
People trust the third-party software that they buy, rely on, 
and install. In this case, because we do forensics for a 
living, special operations attacked us. It would take special 
operations, people that are in the trenches responding to 
breaches every day, to detect it. We had to reverse over 18,000 
files that were in the SolarWinds platform; 3,500 of those 
files were executables. We de-compiled them into a million 
lines, and with people that can read assembly language and 
understand it, they are the ones that found the implant, and 
that's why this was so hard to detect. So, that's the stage one 
of this breach.
    Stage two I'll cover very quickly because after stage one, 
the attackers had a menu of over 17,000 companies that had 
downloaded the implant, but that doesn't mean the attacker 
stole anything from 17,000 companies. The stage-two victims are 
where the attacker decided, ``I want something,'' and the 
attackers manually engaged with about 100 different 
organizations. In stage two, the attackers did three things: 
first, steal your keys. They came in through the trap door in 
the basement that you didn't know about. They took your keys, 
and with those keys, they accessed your information the same 
way people and employees do. Second thing they did is they did 
very specific and focused targeting of documents and emails. 
And the third thing these attackers did, I put in the ``other'' 
category based on the victim. They stole source code or 
software, and in the case of FireEye, they stole assessment 
tools that we use to assess the security of organizations.
    So, with that level of detail, I'd like to thank the 
committee for this opportunity. We stand ready to work with you 
and work with the companies in the private sector to defend the 
Nation. Thank you.
    Mr. Lynch. Thank you very much. That is very helpful 
testimony, Mr. Mandia. We appreciate it. Mr. Smith, you are now 
recognized for your testimony for five minutes. Thank you.

  STATEMENT OF BRAD SMITH, PRESIDENT AND CHIEF LEGAL OFFICER, 
                     MICROSOFT CORPORATION

    Mr. Smith. Well, thank you, and I want to thank Chairwoman 
Maloney, Chairman Thompson, Ranking Member Comer, Ranking 
Member Katko, and really all the members of the two committees.
    I think Sudhakar and Kevin have done an excellent job of 
describing a lot of what happened, and no doubt we'll get into 
more of that. I thought I would, as Kevin suggested, build on 
what the two of them said and talk a little bit about what is 
it that we can do. What is it that the private sector can do? 
What is it that all of us can do by working together? I think 
there are a number of concrete steps, and some of the opening 
comments, I thought, did an excellent job of identifying, as it 
was said, many of the lanes down which we need to travel. As 
Sudhakar said, this was an attack on the software supply chain, 
and by that, he meant it planted malware into a software 
update. I think that points to one of the first things we need 
to focus on securing, more broadly, across the software 
ecosystem.
    The International Data Corporation has estimated that as 
many as a half a billion software apps will be created in the 
next three years globally. Well, all of these applications will 
be distributed. They'll need to be updated. I think we all have 
work to do. Certainly at Microsoft we look forward to working 
with others on what we can do to help secure the software 
supply chain and avoid this kind of risk, this kind of problem, 
this kind of tampering with software updates. That is a very 
specific activity.
    I think the second thing we need to do is think much more 
broadly. We need to focus on the modernization of the 
information technology infrastructure, and we need to apply, 
more broadly, cybersecurity best practices. We've looked at the 
customers that use Microsoft software that we were able to 
identify had been hacked in this incident, and what we have 
found repeatedly is that they could've better protected 
themselves simply by applying the many cybersecurity best 
practices the world has recognized already, that we've 
encouraged customers to apply already. And I think this is an 
important day for us to step back and think again about how we 
better help small businesses, as well as large customers, to 
apply these best practices.
    I think that leads us to a third opportunity for us all to 
do better. When we ask ourselves why the world is not using all 
of the cybersecurity best practices that exist today, I think 
one of the reasons becomes self-evident. It's because in the 
United States and around the world, there is a shortage of 
trained cybersecurity personnel. In the United States today, 
there's a shortage of more than 300,000 trained cybersecurity 
personnel, and this is something that we, a tech company like 
Microsoft, can focus on addressing by helping colleges and 
universities, high schools, and others develop the people we'll 
need in the future. But I think there's an important role for 
government to play as well.
    The fourth area where I think we can do better, where we 
really need to do better, is to share threat intelligence 
information to ensure that when there is information about this 
kind of hack or attack, it is being shared first with 
customers, something that we do immediately when we detect this 
kind of hack at a Microsoft customer, but something that 
doesn't happen broadly enough across our industry, and we can 
share it with the government. It needs to be, I think, better 
shared across the government and then in appropriate ways back 
with the private sector itself.
    Fifth, I think the time has come to adopt a national law 
that will impose cyberbreach incident reporting obligations, 
and there are important questions to be considered. To whom 
should it apply? When should it apply? How should it be 
administered? To whom should the information go? How should 
that information be shared? These are all questions for your 
two committees and the Congress as a whole, but 2021, I 
believe, needs to be the year that Congress acts and we use 
this step to strengthen the security of the Nation.
    Finally, I think we need to strengthen the international 
rules of the road. What happened here is and should be a 
violation of international norms and international law. It is 
the kind of act that was reckless. It is the kind of act that 
needs to have consequences, and those consequences need to be 
based on global standards. This is a combination of six steps 
that we can take, steps that I believe will make us stronger. 
Thank you.
    Mr. Lynch. Thank you, Mr. Smith. Now I would like to 
recognize my friend, the gentleman from Mississippi, Chairman 
Thompson, for five minutes for questions.
    Mr. Thompson. Thank you very much, Mr. Chairman. I thank 
the witnesses for their very important testimony. This is to 
Mr. Thompson and Mr. Ramakrishna. A theme emerging this week is 
that the supply chain compromise that exploited the SolarWinds 
Orion platform could have happened to anyone, but since 
December, I have read troubling accounts about the security 
culture at SolarWinds. One report indicated your server 
password was ``SolarWinds123.'' Now, according to another 
report, a former employee raised concerns about the security 
culture at SolarWinds four years ago. As you know, we have 
recently obtained testimony from that employee during a 
presentation. So, Mr. Thompson, did you take any action based 
on the security recommendation that this employee, Mr. Trump, 
made to the company?
    Mr. Thompson. So, I believe that we have, over the history 
of time at SolarWinds, taken security seriously, security of 
our internal systems and the secure development of our 
products. Mr. Trump arrived in the company April 2017. Shortly 
after that, we actually hired Tim Brown, who is a 30-year 
veteran from Dell who was a fellow at Dell, which is one of 
their highest-ranking engineers, to be in charge of not only 
the internal security of SolarWinds, but also product security 
at SolarWinds. We also actually did hire Mr. Trump back in 
September 2017 as part of some of the initiatives that we were 
working on. So, I believe we have taken security seriously in 
2017, and really beginning in 2016, we enhanced our security 
posture.
    We hired a CTO in 2016 who had been a CIO at a large global 
Fortune 500 company. We hired a very experienced CIO in 2017. 
As I said, we hired Tim Brown in the middle of 2017, who is a 
very experienced VP of security. We also implemented a----
    Mr. Thompson. Thank you. Thank you. Thank you very much. 
So, your testimony is that, based on that recommendation, you 
did do things. So, Mr. Smith, you talked about the challenges 
facing companies, like all of the cyber companies that we have 
talked about. One you talked about, the challenge of a work 
force. You know, our committees are constantly being requested 
by many of the companies on the screen to expand the visa 
programs so that we can import labor supply because we don't 
have it here. So, tell me what a company like Microsoft is 
doing with historically black colleges and minority-serving 
institutions to help that labor force be developed right here 
in this country.
    Mr. Smith. Well, thank you, Chairman Thompson. I think it 
is a very important question. You know, so far, just this year, 
Microsoft has spent more than $2 million to provide grants to 
faculty members at HBCUs to add cybersecurity and other 
information technology curriculum to, you know, the courses 
that are offered at these institutions. We are going to be 
increasing that amount to $3.2 million per year. We are going 
to be spending that each of the next three years.
    But it is not just, I think, investing in these 
institutions so that they can train the next generation of 
professionals. We are very focused on hiring individuals at 
HBCUs. Our recruiting season is still unfolding this year, but 
already we have had recruiters at 27 HBCUs. We are excited that 
already 136 students at these institutions have accepted jobs 
to work at Microsoft, 73 full time, 63 to be with us as interns 
this coming summer. I do believe that the HBCUs are growing and 
powerful engines for the protection of cybersecurity. We can 
collectively, I think, as an industry add to their strength, 
and we will be the beneficiary of the students that they will 
graduate.
    Mr. Thompson. Thank you very much. This notion of a cyber 
breach info office, I take from your testimony, as you know, we 
tried to get it passed last year, and it was taken out in the 
Senate. So, your testimony to both committees is that that 
would be an important instrument for us to have to get in-time 
notification of breaches.
    Mr. Smith. Yes, that's correct. I think we do need to take 
that type of step. There will be important details that need to 
be discussed, but this is the time to take that kind of action.
    Mr. Thompson. Thank you very much. I yield back, Mr. 
Chairman.
    Mr. Lynch. The gentleman yields back. The chair now 
recognizes the gentleman from New York, Ranking Member Mr. 
Katko. You are now recognized for five minutes.
    Mr. Katko. Thank you, Mr. Chairman, and I want to thank all 
the witnesses for their very thoughtful and engaging testimony. 
I am really heartened that your comments are consistent with 
and supportive of the five categories of response that I laid 
out in my opening statement, and I want to explore those a 
little bit more if I can.
    First of all, with Mr. Mandia, earlier this week, you 
outlined, Mr. Mandia, some of the enormous time and costs that 
go into the threat-hunting and intrusion-remediation services. 
Can you describe briefly for me, just briefly, the magnitude of 
the resources that go into these threat-hunting teams and 
penetration-testing services, how much they cost, the man 
hours, woman hours that go into it, things like that briefly?
    Mr. Mandia. You know, sir--thank you for the question--I 
don't think it takes a lot of people to test your networks on 
how secure they are, and I do believe that is the best way to 
get unvarnished truth in security. Kind of like you do crash 
test dummies to test the safety of a vehicle, shoot real 
bullets at a bulletproof vest to determine how effective it is, 
in cybersecurity you need to test your security, and that is a 
couple folks. There is a great asymmetry between offense and 
defense. To have somebody perpetrate what would be perceived as 
offense, not a lot of resources.
    The problem is the 52-card pickup you play on the other 
side because of that asymmetry. One attacker can create work 
for hundreds of thousands of defenders. It is a bad asymmetry 
in cyberspace I think other nations have picked up on where 
they can't beat us with tanks, won't beat us with planes, but 
in the cyber domain, if they train folks, the A-team can create 
work for potentially millions of defenders. So, the bottom 
line, that asymmetry is the problem. It is hard to answer your 
question without cataloging the offense, very few people. 
Defense, you have to pitch a perfect game every day and put a 
lot more people on it.
    Mr. Katko. Got it. Thank you for that. And to followup on 
that, as you know, CISA was granted authority in the Fiscal 
Year 2021 NDAA to conduct threat hunting on Federal agency 
networks----
    Mr. Mandia. Mm-hmm.
    Mr. Katko [continuing]. With or without consent, which is, 
I think, a very positive step forward. Do you have 
recommendations on how CISA can most effectively implement this 
new authority?
    Mr. Mandia. Well, I am convinced this will work with the 
private sector on that. We all have threat-hunting teams. My 
company does it every single day all the time for thousands of 
customers. Microsoft has a team that does it. There are a lot 
of security folks that do threat hunting, and the reason we 
have to do threat hunting is not every product stops 
everything, period. There is no such thing as perfect security, 
so you have to have the catcher's mitt behind your products. 
And CISA's folks that do threat hunting will be able to tap the 
private sector and be driven by the private sector, so I think 
it is exactly the right thing to do.
    Mr. Katko. Mr. Smith, I am going to followup on something 
Chairman Thompson said, and I am in complete agreement with him 
that the information sharing is such a critical component. But 
the problem with the information sharing is if a company is 
hacked into and they share the information, are they buying 
themselves more problems and more public scrutiny and perhaps 
more liability if they do the right thing and share that 
information with CISA? So, what role do you see CISA as a hub 
for a Federal focal point to help aggregate all this national 
risk picture across the sectors, right, No. 1? And No. 2, how 
do you do so in a way that protects the industry and 
incentivizes the industry to share this information instead of 
just not sharing it because they are afraid of opening 
Pandora's box and problems for them?
    Mr. Smith. Well, first of all, I think you make a really 
important point. The White House said a week ago that more than 
100 companies, or roughly 100 companies, in the United States 
had suffered this kind of attack or hack. You have three 
companies here today, and that is because we have chosen to 
speak up, and what you get is an invitation to appear as a 
witness under oath at a House hearing. And so I think a lot of 
companies choose to say as little as possible, and often that 
is nothing.
    But silence is not going to make this country stronger, and 
so I think we have to encourage and, I think, even mandate that 
certain companies do this kind of reporting. I think we do need 
to identify the right place where the report should go. CISA is 
a very strong candidate, and it deserves serious consideration, 
and we need to think about the process and the type of 
information that should be shared and when it should be shared. 
And we need to be very careful that we don't, in effect, tell 
firefighters to stop fighting the fire so they can fill out 
forms and, you know, meet with government officials instead. 
So, we need to balance all of the work that needs to be done, 
but Kevin really captured well the asymmetry, and we can only 
be effective if we can connect the dots in everything that we 
see. That can only be done with this kind of effective 
information sharing.
    Mr. Katko. Well, it is not often that you hear the private 
sector saying they need more government mandates, so that, I 
think, highlights the importance and the magnitude of this 
problem. And I think Chairman Thompson, and I, and the others 
are going to work very hard to try and make this a reality 
because information sharing is what made us a much safer nation 
after 9/11 with the Joint Terrorism Task Forces. We need to do 
the same thing in the cyber area, and anything we can do to 
turbocharge that process, we have to do going forward. I have 
so many more questions, but I am out of time and I yield back. 
Thank you.
    Mr. Lynch. The gentleman yields back. The chair now 
recognizes the gentlewoman from the District of Columbia. Ms. 
Norton, you are now recognized for five minutes.
    Ms. Norton. I thank the gentleman for yielding. This is an 
important hearing, and we have heard of breaches of both the 
private and the governmental sectors. It is kind of a two-
fisted breach. My first question is for Mr. Mandia of FireEye. 
Our most recent information from the current White House, I do 
believe these breaches occurred in the last Administration, but 
it is clear that it could occur and may be occurring right now. 
So, let me ask about the breaches or the impact on government 
agencies in particular.
    For example, the information I have been given is that the 
breaches included the Department of Energy, including a 
component responsible for managing the Nation's nuclear 
weapons. You can see the issue there, Mr. Mandia. Another 
agency was the Department of Justice, of course, which enforces 
our laws, but breached also, but also has to do with countering 
foreign intelligence on the United States. Also breached, of 
course, was the Department of Treasury. Now, that Department 
maintains the Nation's financial infrastructure and imposes 
financial sanctions on our adversaries. You can see, Mr. 
Mandia, what this leaves us open to. Would you agree that 
compromising any one of these agencies would be considered a 
victory for an adversary?
    Mr. Mandia. Well, I think the first comment I would say is 
this is an ongoing intrusion set. The SolarWinds backdoor was 
just part of a very long saga. I first started responding to 
breaches for the U.S. Government in the 1990's. This group was 
active then. They are going to be active tomorrow. There is 
going to be ongoing targeting of those agencies. This intrusion 
set using the SolarWinds backdoor happened to be successful at 
least for surreptitious access and staying surreptitious and 
clandestine on the networks for a certain period of time. You 
know, we will respond to it, and it will take those agencies 
time, months, to get their arms around the scale and scope of 
what happened. And I think we are in that window where they 
don't know yet, and we got to wait on the final investigation.
    Ms. Norton. Well, we certainly need the investigation to be 
finalized because we are still in the window and they are still 
being breached. That raises continuing problems for us. And 
continuing with you, Mr. Mandia, in 2015, a foreign actor or 
groups compromised the systems of the Office of Personnel 
Management. They accessed clearance information on 21 million 
people. Now, that was only one agency. Mr. Mandia, would the 
OPM compromise be considered a serious breach?
    Mr. Mandia. I think you have to consider it a serious 
breach. When you look at these breaches, what generally happens 
is there is a successful breach. We find out about it. We take 
steps and do sprints within the Federal Government to try to 
escalate our security programs. The bottom line, there are 
threat actors out there that attack the U.S. Government on a 
daily basis, and they are feeling no risk or repercussions to 
doing it. So, we are just sitting here playing defense every 
day against an A-team that is going to have successes.
    Ms. Norton. Yes. This time around, these actors were able 
to compromise up to 3 percent of Microsoft Office email 
accounts at the Department of Justice. Again, that sounds like 
a small number until you put it in perspective. Three percent 
of email accounts at the Department of Justice translates into 
roughly 3,500 accounts. Mr. Mandia, if you were writing up a 
damage assessment for a customer and they had 3,500 accounts 
compromised for months, how would you categorize that? Would it 
be sincere even what seems to be a small number? How would you 
categorize that?
    Mr. Mandia. Well, this is obviously a group that 
compromised with collection requirements, so the damage 
assessment is going to be based on the content of the emails, 
period. And how that information is intended to be used, we 
don't know. That is the problem. We have to get our arms around 
all the content and all the potential use and misuse of all 
that content. So, the bottom line, we may never know the full 
range and extent of damage, and we may never know the full 
range and extent as to how the stolen information is benefiting 
an adversary.
    Ms. Norton. Well, we better get our arms around the full 
impact of these breaches, but we know that it has very serious 
implications for both the government--that is why I focused on 
Federal agencies--as well as the bottom sector. You have given 
us a mandate in this committee to get to the bottom of how this 
breach occurred, every entity that was affected, and how to 
protect against this type of incident in the future, and it 
looks like we have a lot of work to do. I yield back.
    Mr. Lynch. The gentlelady yields back. The chair now 
recognizes the gentleman from Georgia, Mr. Hice, for five 
minutes.
    Mr. Hice. Thank you very much, Mr. Chairman. I appreciate 
it and appreciate this hearing. As ranking member of Gov Ops, 
it has been an honor working with Chairman Connolly on these 
issues over and over in the past trying to improve our 
government-wide information security. And, of course, we both 
know, and I am sure everyone on both of these committees, in 
fact, everyone involved in this hearing right now is keenly 
aware of the importance of cybersecurity, the vital nature that 
it provides for our government, and to make sure, frankly, that 
our government continues to run efficiently and effectively, 
and, most importantly, in this context, securely. I am 
certainly looking forward, in that light, to the upcoming 
FITARA hearing on the FITARA scorecard that Chairman Connolly 
is going to be bringing up, and hopefully we will be able to 
discover the level of preparedness of various agencies within 
our government.
    But in light of the massive attack, the cyberattack that 
brings us to this hearing today, these efforts around Federal 
information security are obviously extremely important and all 
the more prescient for us. And I understand, I get it, and I 
think it is probably good that our witnesses today are from the 
private sector. They certainly are able to bring some valuable 
insight to us today as to what and how we can best secure our 
IT assets in Federal Government.
    So, Mr. Mandia, let me begin with you. Beginning with your 
company's focus on cybersecurity services, I am wondering your 
opinion in regard to cloud migration, and, in particular, what 
I am talking about, or what at least I have in mind, is 
Chairman Connolly's bill, FEDRAMP, which both myself and 
Ranking Member Comer have both co-sponsored. But how do you 
view that in terms of is it a step in the right direction for 
improving cybersecurity?
    Mr. Mandia. Sir, first off, the migration to the cloud is 
going to happen whether we want it or not. It is rare in history where 
something costs less and is better. Cloud is actually costing 
less and is better. For example, if I wanted a server set up at 
FireEye, I could ask an IT staff to do it, or I can go to an 
infrastructure as a service provider and get it in five 
seconds. So, the cloud is coming. And then you add the pandemic 
to it and the work from home. All the major enterprises, all 
the major organizations are going to the cloud.
    The upside is it cuts both ways, but you should get better 
visibility and better controls in the cloud, and the reason why 
is you are putting all your decentralized IP and value into one 
place. It is easier to monitor it, easier to safeguard it. You 
don't have distributed security controls at that point. I think 
we are in the middle of the cloud migration, but over time, 
what we will see is organizations recognizing at least the 
infrastructure portion of the cloud will be more secure because 
these companies have to secure it, meaning the providers have 
to secure it.
    Mr. Hice. OK. OK. So, when you say, ``Whether we like it or 
not, it is going to happen,'' I get that.
    Mr. Mandia. It is going to happen.
    Mr. Hice. And you are exactly right. But with it happening 
whether we like it or not, do you feel good that that is indeed 
a safe method? Is that good for us to go there that way?
    Mr. Mandia. Sir, after 30 years in IT security, I believe 
it will be easier to secure the cloud than the last 30 years of 
us trying to secure everybody's home offices and secure inside 
four different walls all over the place. Yes, it is a good 
move.
    Mr. Hice. OK. Mr. Chairman, for whatever reason, the clock 
is not showing up on my screen, so I really don't know where I 
am on time, but if there is time, if I could have a brief 
answer from each of our----
    Mr. Lynch. The gentleman has 45 seconds.
    Mr. Hice. OK. Well, each of the witnesses real briefly, 
what needs to be done? What does the private sector have that 
we could use? If you can just give a 10-second answer, each of 
you, or whatever, just very briefly. I will start with Mr. 
Smith.
    Mr. Smith [continuing]. The cloud, but then implement the 
cybersecurity best practices that are needed to use it 
effectively. As a cloud services provider, we can enable all of 
the tools, but ultimately, it is our customers that will have 
to decide how to use them.
    Mr. Hice. Thank you.
    Mr. Ramakrishna. Congressman Hice, my recommendation would 
be to share information as fast as possible in as timely a 
manner as possible because speed and agility are key to 
addressing these issues.
    Mr. Hice. Thank you, sir.
    Mr. Mandia. And, sir, in the last 12 seconds, I will get to 
what Congressman Katko was referring to. I believe we need to 
separate disclosure of a breach to sharing of threat 
intelligence. If you can share threat intelligence from the 
private sector to the government, or government to the private 
sector confidentially, you can do it quickly without worrying 
about all the liabilities that come with public disclosure of a 
breach. So, we got to think of threat intel sharing and 
disclosure of a breach as two separate things, and threat 
intelligence sharing will defend the Nation.
    Mr. Hice. Very good. Thanks to each of you, and thank you, 
Mr. Chairman. I yield back.
    Mr. Lynch. The gentleman yields back. The chair now takes 
great pleasure to recognize someone who has done yeoman's work 
in this area for a long time. The gentleman from Rhode Island, 
Mr. Langevin, is now recognized for five minutes.
    Mr. Langevin. Thank you, Mr. Chairman, and I thank you for 
your leadership on cyber.
    Mr. Lynch. I believe the gentleman may have muted himself.
    Mr. Langevin. Yes, I think----
    Mr. Lynch. OK. Go ahead.
    Mr. Langevin. Thank you, Mr. Chairman. Again, I was saying 
I appreciate your leadership on cyber and data, the chairs of 
the two committees that are holding this joint hearing today 
and the ranking members. It is obviously a very important 
topic, and I want to thank our witnesses for being here this 
morning.
    Let me start with Mr. Smith, if I could. Mr. Smith, you 
have testified that Microsoft is aware of 60 victim 
organizations; that is to say, organizations where at least one 
Office 365 email account hosted in Microsoft's Cloud was 
accessed by the adversary. But how many accounts has Microsoft 
confirmed were accessed?
    Mr. Smith. I would have to get you the precise number of 
accounts. I will say, in general, the pattern that we saw was 
typically a relatively small or very small number of accounts 
per customer. I think that was indicative of the stealthy 
practices that this actor tends to deploy, namely, to take 
great care to be very discreet. And so I think----
    Mr. Langevin. OK. Yes, if I could just stop you. Let me 
just say my time is limited. In conversations with staff 
yesterday, Microsoft indicated that about 77 accounts had been 
confirmed to have been accessed. Does that sound about right?
    Mr. Smith. It certainly sounds like it is in the right 
range. Again, I would want to go check the specifics, but it 
sounds like it is in the right range.
    Mr. Langevin. All right. That sounds like a just incredibly 
small number to me. All right. If I could, just in CISA's alert 
detecting post-compromised threat activity in Microsoft cloud 
environments, they note that the amount of security log data in 
cloud environments is often significantly less than in on-
premises environments, which can hamper threat hunting. In 
fact, the same alert notes that in order to detect certain 
accounts that have been compromised, a special, more expensive 
Office 365 account or G5 or E5 license is required. Do you 
believe that security should be an add-on or up charge or baked 
into cloud accounts from the get-go?
    Mr. Smith. Well, the particular offer that you described, 
what we call as E5, you know, is the service that we offer that 
includes security and other advanced features. We offer a range 
of choices to our customers. E5 is absolutely what we hope and 
expect and recommend that our customers purchase. Some people 
don't want to buy it, and we honor that, but it is absolutely 
what we encourage.
    Mr. Langevin. All right. Just so that I understand and the 
committee understands, is this a profit center for Microsoft 
for this, or are the services being provided at cost that you 
are charging the customers?
    Mr. Smith. Well, you know, we are a for-profit company. 
Everything that we do is designed to generate a return other 
than our philanthropic work.
    Mr. Langevin. OK. Thank you, Mr. Smith. Mr. Ramakrishna, if 
I could turn to you. Can you shed some light on how the 
adversary initially accessed SolarWinds' network? On Tuesday, 
you testified before the Senate Intelligence Committee that 
your partners had narrowed the number of possible vectors to 
three. What are those vectors?
    Mr. Ramakrishna. Congressman Langevin, thank you for the 
question. Our investigation was segmented as to what exactly 
happened, how did it happen, and who may have done it. As it 
relates to the what, we have made a lot of progress and have 
discovered the specific injector tool that I described could 
affect any supply chain, and we have been able to publish it 
such that other companies can evaluate their security postures 
and supply chains and possibly get help from our efforts.
    As it relates to your question, we have narrowed it from 
several hypotheses. At one time, we had 15 different threads 
that we were pulling, so to speak, and we have battled it since 
to about three at this point. One is what I call a classic 
password spring type approach that we are investigating. Two is 
some form of credential theft. That can happen through various 
methods. And three is a potential vulnerability in a third-
party software that we have deployed on premises. Just like 
other companies on this witness stand, we use a lot of third-
party software as well, and we are looking at it in those three 
dimensions at this point. We are evaluating several terabytes 
of data to be able to sift through this in the hopes that we 
can pinpoint patient zero in this context.
    Mr. Langevin. OK. Thank you, Mr. Ramakrishna and Mr. Smith, 
to our witnesses. I just wanted to note for the record, Mr. 
Chairman, I know my time has expired, but I want to thank Mr. 
Ramakrishna for briefing me about a week ago, and I appreciate 
how they have been very forthcoming in helping us to get our 
arms around this. And to Mr. Smith, your team had briefed me a 
couple days ago, and I appreciate them taking some detailed 
questions there, too. So, thank our witnesses, and, Mr. 
Chairman, I yield back.
    Mr. Lynch. The gentleman yields back. The chair now 
recognizes the gentleman from Texas, Mr. McCaul, for five 
minutes.
    Mr. McCaul. Well, thank you, Mr. Chairman. You know, I have 
worked on cybersecurity for very many years along with Mr. 
Langevin. And back when I was chairman of the Homeland Security 
Committee, we authorized, stood up into law CISA to be the lead 
civilian agency to protect our networks, and then we had the 
cyber incident response teams that were authorized into law. 
You know, 80 percent of this critical infrastructure is done in 
the private sector as is most of the threat information, and 
that is why these private/public partnerships, I believe, are 
so important.
    I have had the opportunity to visit with Mr. Ramakrishna. 
SolarWinds is actually in my district in Austin, and also with 
Mr. Smith from Microsoft, but I want to just get a couple of 
just factual details on the event itself. And, Mr. Ramakrishna, 
I also want to thank you for being so forthcoming and 
transparent with the Federal Government, but do you think the 
initial intrusion began around, say, March of last year?
    Mr. Ramakrishna. Congressman McCaul, thank you for the 
question. March of last year is when we first shipped, so to 
speak, the code with the malware injected in it, so three 
releases between March 2020 and June 2020 is when the malware 
was impacting the Orion platform.
    Mr. McCaul. So, between March and June you have the 
intrusion. It is detected in December 2020. Is that correct?
    Mr. Ramakrishna. Yes.
    Mr. McCaul. So, this is very sophisticated malware that 
can, as I understand, can go in and out of your system through 
the in-door and through the backdoor without detection. Is that 
correct?
    Mr. Ramakrishna. So, that threat actor I would describe, 
Congressman McCaul, as hiding in plain sight.
    Mr. McCaul. Mm-hmm.
    Mr. Ramakrishna. They were very, very careful about 
covering their tracks, cleaning up after themselves, and the 
patience with which they worked was not similar to the run-of-
the-mill virus whose job is to spread as fast as possible and 
create as much damage as possible. This was very sophisticated. 
And, as you heard from Mr. Smith and Mr. Mandia, being in the 
security business, it still took them a long time, and in 
talking to Mr. Mandia, they looked at this as almost a last 
resort in their investigation.
    Mr. McCaul. I am sorry, but my time is limited. So, when it 
was detected in December, within two days Microsoft developed 
and created the kill switch. Is that correct?
    Mr. Ramakrishna. That is true, and within a matter of 72 
hours, our teams fixed the malware and delivered remediated 
code. And since then, we have pretty much had a 7 by 24 
operation----
    Mr. McCaul [continuing]. Report it to CISA and the Federal 
Government? At what time?
    Mr. Ramakrishna. We reported it as soon as we knew on 
December 12 to CISA and the Federal Government, and we continue 
to do so.
    Mr. McCaul. We believe that this originated out of Russia. 
Would you agree with that assessment?
    Mr. Ramakrishna. Congressman, we do not have the internal 
expertise to create attribution, but based on our investigation 
partners, it appears to be true.
    Mr. McCaul. So, this is for both you and Brad Smith. What 
is the extent of the damage, to your knowledge, and if it came 
from Russia, which I believe it did, by looking at what they 
stole, it didn't seem to be a destructive virus, but more of a 
theft and espionage type of malware. What was their motivation 
and intent here?
    Mr. Smith. Well, I would say that, based on every 
indication so far, there were probably two or three. One is 
espionage, obviously to obtain information, especially, say, 
from the U.S. Government and other agencies. Second, to learn 
more about technology because obviously technology is the plane 
on which this organization's activities take place. That is why 
50 percent of the victims that we identified are communications 
and technology companies. Third, I think there is an aspect of 
this that you would almost put in the context of 
counterintelligence. They focus on red team tools so that they 
know how to withstand attacks. They look for whether a company 
like Microsoft may be knowing about them so that they are able 
to try to circumvent what we are doing in the future. That is 
true for other tech companies as well.
    Mr. McCaul. Now, I applaud you for transparency, the kill 
switch, and the notification, but not all companies do this. 
And Mr. Langevin and I are working on a mandatory notifications 
breach of any cyber intrusions. This can be done by taking 
sources and methods and company names out to protect them as 
you have a duty to shareholders. It would just simply send the 
threat information itself to CISA so they could provide both 
industry-wide, and Federal-governmentwide, and state the threat 
information that they would need to address it on a larger 
scale. Is that something you think would be a good solution?
    Mr. Smith. I think that would be an important step. I think 
the time has come to recognize that it is probably an essential 
step, and I think the precise tailoring, something along the 
lines of what you just described, is exactly the kind of 
conversation we need to have.
    Mr. McCaul. Well, I appreciate that, and I thank you for 
testifying here today. And with that, Mr. Chairman, I yield 
back.
    Mr. Lynch. The gentleman yields back. The chair now 
recognizes himself for five minutes.
    You know, one of the weaknesses in our system is the 
endemic need for us to share information in order for it to be 
applied, and that includes classified information. One of the 
things, Mr. Mandia and Mr. Smith, that I have come across 
during 20 years of these investigations is that the worst is 
always denied. So, in this case, we are being reassured by some 
that no classified systems were compromised. That is what 
we are being told. But if the previous patterns are followed 
here like they have in other breaches and other investigations 
that we have done, later on down the line we find out that, 
yes, in fact, classified systems were compromised.
    So, can you, Mr. Mandia and Mr. Smith, can you reassure me? 
I mean, are you willing to guarantee me that no classified 
systems were compromised? These people had at least nine 
months, and it seems to be the general consensus here that 
these were highly professional people. This was a special ops 
deal, and they cleaned up after themselves. They clearly 
intended, with the patience that they exerted, and we are 
talking about thousands of people working on this hack, you 
know. Can you assure me that our classified systems were not 
compromised?
    Mr. Smith. Well, I would say, first, I think we are 
probably the wrong people to try to answer that question. You 
know, the classified systems are obviously, you know, 
maintained by the government, and, you know, it is the 
government's----
    Mr. Lynch. That is what worries me.
    Mr. Smith. But I would say this. I mean, first, there are 
two things that one should think about, and they cut in 
opposite directions. The SolarWinds hack was one vector of 
attack by an agency that, in all probability, is engaged in 
many vectors of attack every single day of the year on a broad 
international basis. So, what we have seen here is one slice of 
activity that is always ongoing, and we should, I think as your 
question suggests, always assume that there are things that we 
don't know, and even assume that there are things that are 
worse than what we do know. That is, I think, a cause for 
concern.
    Now, I will say, on the other hand, what this actor did in 
many instances, really in all instances, is once they were in a 
network, they were able to take advantage of lapses in basic 
cybersecurity practices. The reason they got into, say, a 
particular number of DOJ email accounts, in all probability, 
was because they were able to steal the password of someone or 
some individuals who had access to those accounts. And by 
definition, I think we can count on the government to have 
higher levels of cybersecurity precautions in place for secret 
and top-secret workloads.
    You know, as a cloud services provider, Microsoft, you 
know, stands up secret and top-secret workloads for the U.S. 
Government, and, you know, what we consistently find is what 
you would expect. You know, the people in government agencies 
who are working in this space are, by definition, going to be 
more rigorous, so, you know, we should assume that there are 
more vigorous attacks or hacks. We should also count on 
stronger protection for those kinds of workloads.
    Mr. Lynch. Mr. Mandia?
    Mr. Mandia. Yes, I think, again, we are not in the purview 
to know the answer to that question. I can tell you this is an 
intruder that has collection requirements, sensitive data lost 
definitely. I did do my stint in the military. I would say it 
is unlikely that classified information was probably accessed, 
meaning classified systems, but I can't answer the question. I 
am not in a position to do so.
    Mr. Lynch. Yes. Well, thank you for your service. I 
appreciate that. Obviously, it would be valuable to us to know 
right now in designing our response. It is a whole different 
dynamic and the level of urgency if our classified systems have 
been compromised, not only, you know, for the purpose of 
plugging those holes, but also protecting, you know, sources 
and methods and other aspects of that as well, so it would be 
very, very important for us to know that as soon as possible.
    With that, I see my time has expired, and I will now 
recognize the gentleman from Wisconsin, my colleague and 
ranking member, Mr. Grothman. You are now recognized for five 
minutes.
    Mr. Grothman. Can you hear me? Can you hear me?
    Mr. Lynch. Yes, we can hear you. Go ahead.
    Mr. Grothman. OK. I think Mr. Mandia mentioned that there 
was a problem in that we don't have enough people going into 
this field. Maybe it was him, maybe it was Mr. Ramakrishna. For 
either one of you, first of all, what type of compensation do 
people, say, right out of college make if they go into this sort 
of field? Could you give me an idea? I guess it is maybe an 
unfair question.
    Mr. Mandia. Yes, I think it was Mr. Smith that commented on 
that, but I would comment. I think everybody is seeking to hire 
more cybersecurity professionals. This is something that you 
don't just walk out of college great at this and proficient at 
this. You do come out of college with some background in it, 
but generally you have to do some on-the-job training as well, 
but right now there is a lot of colleges offering programs. 
There is a lot of infusion of talent into those programs, and I 
know the military is actively recruiting people into the 
cybersecurity space. So, it is something where the ranks are 
starting to grow, but right now the biggest challenge is the 1-
A enterprises are getting the talent because they can afford it 
and they have the resources for it. And I think there is a 
bigger concern for smaller agencies in the government or for 
small to medium businesses that may not have the mission or the 
money to get the talent.
    Mr. Grothman. OK. I realize people probably pay all over 
the map and that sort of thing, but give me a general idea, and 
two questions. First of all, a general idea of the compensation 
people make, and second, what type of background you look at. I 
think like a lot of jobs, you are telling me you get hired by 
somebody and then they train you, but if that is the case, what 
type of background do you get out of college? Do you want to be 
a communications major? Do you want to be a physics major? What 
type of thing are you looking for when you hire somebody out of 
college as well?
    Mr. Mandia. For me and then, you know, I would be 
fascinated with the other witnesses' answers, it is a computer 
science background or just an unbelievable passion and desire 
to be in cybersecurity. It has got to be a fit of desire.
    Mr. Smith. Yes, I would offer a few thoughts. I mean, No. 
1, if somebody wants to go get trained in cybersecurity, they 
are likely to have a good job for the rest of their life. This 
is an area that is going to continue to grow in importance. 
Second, I would just say, you know, if you look at technology 
jobs, if you certainly look at companies like ours, you know, 
even entry-level positions, you know, have compensation at or 
north of $100,000 per year, and, you know, people make more 
money over time.
    Third, I do think that there is another important aspect of 
this, which is really thinking about the pipeline even more 
broadly than, say, computer science graduates from four-year 
colleges. At one level, I think there is a huge amount that 
community colleges can do to help accelerate the development of 
the cybersecurity work force. People who might have gotten 
their training in something else, if they want to go back, if 
they want to spend, say, a year taking a set of 
cybersecurity-related courses in community colleges, they can 
put themselves on a path to quickly enter this field. And then 
finally, I would say we need to keep investing even before we 
get kids to college.
    Mr. Grothman. Right.
    Mr. Smith. I grew up in the district next to yours. I grew 
up in Appleton. You know, as a company, we in Microsoft, you 
know, do work to provide computer science in high schools. We 
do it in, say, the two Oshkosh high schools in your district, 
and what we are finding is that there are young people 
everywhere who want to learn this field. They just don't have 
the opportunity that they need and deserve today. So, I think 
with the right kind of action from the Federal Government, 
state governments, private sector, philanthropy, we can move so 
much faster to create more opportunities for people.
    Mr. Ramakrishna. And, Congressman Grothman, if I may add, I 
agree with both my colleagues here on all the points that they 
made. There are a lot of free online courses and resources that 
students and kids can essentially access and start becoming 
savvy in these fields. The criticality there is that the 
internet is not accessible to everyone in the country. And to 
the degree that we can do that to ensure that, for instance, 
inner-city kids, economically disadvantaged children have 
access to the internet and we give visibility to them for these 
courses, we will have a larger, more effective, more diverse 
work force. And to your question about what can they get paid, 
I would say with a high school degree and some experience 
learning online and putting it to use, depending on where you 
are in the country because cost of living changes, you can make 
anywhere from $70,000 to $120,000 to begin with.
    Mr. Grothman. OK. Thank you. Next general question. Well, I 
will switch to another question here. This is for Mr. Mandia.
    Mr. Lynch. The gentleman's time has expired. I am sorry. 
The chair now recognizes the gentleman from New Jersey, Mr. 
Payne, for five minutes.
    Mr. Payne. Thank you, Mr. Chairman, and I would like to 
thank the chairs of the whole committees, Chairwoman Maloney 
and Chairman Thompson, for holding this hearing today. Just to 
the point my colleague just before me, to all the witnesses, 
that information that you are talking about, the opportunities 
to enter that field and have people learn online and what have 
you, I think if you could take the time to publicize that more 
somehow across your companies, that would be very helpful 
because there are a lot of times where inner-city youth don't 
know that. But if you were able to publicize it more, they 
would be able to find those opportunities, so I just wanted to 
mention that.
    The Russian Government has backed, either directly or 
indirectly, election meddling and other malicious cyberactivity 
against our interests for quite some time. During his term, 
former President Trump was reluctant to confront Russia for 
these attacks and failed to publicly condemn multiple instances 
of cyber aggression. It is clear that the former President's 
appeasement of Russian cyberattacks emboldened our adversaries 
and is partly to blame for the SolarWinds breach. The question 
is for all the witnesses. Why is it important that our leaders 
present a strong, united front in containing cyberattacks?
    Mr. Smith. Well, I will say I think this is like any type 
of offense that the world wants to stop. People will only stop 
if they are held accountable for the violations in which they 
engage. You have got to have clear rules. You have got to have 
clear standards. You have to have clear lines so that it is 
apparent to everybody when somebody steps over the line. And 
then you have to have people, especially people in government, 
who are prepared to speak up and hold others accountable. I 
think the best type of attribution takes place when it is not 
just one government, but even by multiple governments together 
when that is what the situation warrants.
    We did see that twice in 2017. I think it is right to 
acknowledge that. You know, the White House, together with 
other governments, did that vis-à-vis North Korea in the wake 
of the WannaCry attack. It did it again with Russia in the 
NotPetya attack. But we need this on a consistent basis, and I 
am very hopeful that with leadership that Anne Neuberger is 
bringing to the White House as deputy national security 
advisor, with her press conference last week, with the steps 
she's talking about taking, you will see the kind of leadership 
we need.
    Mr. Payne. OK. Thank you. Next?
    Mr. Ramakrishna. I agree with Mr. Smith's comments about 
accountability and rules of engagement. It is important to 
recognize that we do not accept attacks without some form of 
reciprocation, so to speak, and holding people to account.
    Mr. Payne. Thank you. Next?
    Mr. Mandia. Yes, and I would just agree with the other 
witnesses. It is about risks and repercussions. It is about 
understanding the rules of the road.
    Mr. Payne. Thank you. And I guess, Mr. Chair, my time is 
dwindling, so I will yield back.
    Mr. Lynch. The gentleman yields back. The chair now 
recognizes the gentleman from Texas, Mr. Cloud, for five 
minutes.
    Mr. Cloud. Thank you, Chairman, and thank you to the 
witnesses for being here. I really appreciate you taking the 
time. I want to especially thank Mr. Ramakrishna for being here 
in light of the context of what we are dealing with. Your 
transparency and involvement in this process, we are very 
grateful for that. I want to ask you, have you provided a list 
of your clients to the committee?
    Mr. Ramakrishna. Mr. Cloud, thanks for the information. 
Thanks for the question. As it relates to providing names of 
clients, we have not.
    Mr. Cloud. I serve as ranking member, along with Chair Raja 
Krishnamoorthi, on the Economic and Consumer Policy 
Subcommittee of Oversight. Could you provide a list to our 
committee?
    Mr. Ramakrishna. Congressman Cloud, I will take that for 
the record and consult with my team to see what is possible to 
disclose at this point in time.
    Mr. Ramakrishna. As you can understand, we take the privacy 
of our customers very seriously, but I will go back and work 
with my team on it.
    Mr. Cloud. OK. Thank you. Mr. Mandia, you said December of 
last year that this all began as a dry run in October 2019. You 
also indicated in December of last year and in Tuesday's Senate 
hearing that government agencies sensed something wrong in 
their systems but couldn't really connect the dots until they 
were notified by FireEye of the breach. What would have enabled 
us to connect those dots sooner, and would any of these 
proposals of a centralized agency have assisted with that?
    Mr. Mandia. You don't know. The bottom line, sir, I just 
felt, as soon as we detected our breach, we were in dialog with 
our government customers, period, first, to tell them about it. 
Regardless of laws and legal liabilities, we told our 
government customers about what we were dealing with. My 
reaction was that I didn't see surprise. Like, people were 
shuffling, thinking, and I think that there are a lot of folks 
who have various products that they had little blips on the 
radar, and we had to connect dots for many different vectors. 
This attack, because of the way it was conducted, is just 
harder to piece together. If you centralize the intel, it can 
only improve the speed at which that picture and vision will 
come together.
    Mr. Cloud. OK. One of the questions that I have is, you 
know, I wholeheartedly agree we need to invest more in making 
sure that we have the capability to defend and also to build in 
some attack capabilities certainly to respond to situations 
like this, the workflow issue being one of the primary 
indicators, so, you know, making sure students have an interest 
in engagement. But we also know from past experience that our 
universities have been a place where, especially notable actors 
like China, which I realize this is attributed to Russia, at 
least to our understanding at the moment. But how do we ensure, 
of course without creating some sort of discriminatory 
environment, that we won't be training our adversaries in this 
regard, you know, especially for something so critical to our 
national security?
    Mr. Smith. I guess I would suggest here a few things. I 
mean, one, obviously there is always a role for background 
checks in a wide variety of different situations. Two, I think 
the best way for us as a country to ensure that the people that 
we are training at our universities really support our country 
is to bring to the country people that we want to have stay 
here and to make it easier for them to stay here. Right now, 
unfortunately, it is easy to come study, but it is hard to then 
stay afterwards. So we are, almost by definition, focusing on 
training people that we expect to go back to their home 
country, and I don't think that is the right way to conceive of 
the talent strategy for the country. The last thing I would say 
is, if you want to pinpoint the greatest risks, I probably 
myself would not look to universities.
    Mr. Cloud. Right. Right.
    Mr. Smith. You know, most of what happens in universities 
gets published anyway.
    Mr. Cloud. OK. Well, yes, I appreciate that. Those are some 
good thoughts. One final thing, and you probably would be the 
best to comment on this. In Tuesday's Senate hearing, there was 
a discussion about the difference between compliance and 
excellence, especially in critical areas of our government 
cyber structure, to create some standards that ensure that we 
have a high standard of protection. But doing so in such a way, 
a lot of times when government imposes a regulation or 
mandates, it becomes a check box as opposed to continuing to 
foster this innovative spirit. How do we get that balance 
right?
    Mr. Ramakrishna. Congressman Cloud, I think I was the one 
that mentioned that distinction. There are a couple of ways we 
can do that. One is, CISA has been mentioned a few times in 
this conversation. We are dedicating resources from our team to 
work directly with CISA on sharing information. So, it is not 
just about threat intelligence, but it is also human resource, 
and human intelligence, and actual experience of building 
software that needs to be shared, such that standards bodies, 
like NIST and CMMC, can actually have examples of correct 
behavior that will put us all on a path of excellence versus 
simply checking boxes on have you done this, have you done that 
kind of question and answer. So, that is really where I was 
coming from where real examples from companies, such as the 
ones here today, can be contributed to those standards bodies 
to enrich them.
    Mr. Lynch. OK. The gentleman's time has expired.
    Mr. Cloud. Thank you all.
    Mr. Lynch. I just want to inform the members that there are 
series of five votes on, so after I recognize the next speaker, 
I will turn the gavel over to the gentlelady from District of 
Columbia, Ms. Norton, to preside while I vote. I now recognize 
the gentleman from Tennessee, Mr. Cooper, for five minutes.
    Mr. Cooper. Thank you, Mr. Chairman. Can you hear me?
    Mr. Lynch. I can, yes.
    Mr. Cooper. The testimony so far strikes me as at least 
fatalistic, if not defeatist, because here we have a number of 
prominent tech companies, and they are really not proposing 
tech solutions. They are proposing human re-engineering. So, it 
is as if they are telling us they really can't sell products 
that are completely safe, so we have to have a rule instead of 
``let the buyer beware.'' And I think that tech companies 
should continue to pursue tech solutions to make us all safer.
    But another interesting thing in the testimony that has 
been completely unmentioned so far is the fact that there is 
already a hidden, private-sector regulator of cyber intrusion, 
and perhaps it is hidden because it is private sector, and here 
I am thinking of insurance companies that sell errors and 
omissions policies. On page 25 of the stock offering that 
SolarWinds engaged in in 2018, they talk about how they have 
incurred and expect to incur significant expenses to prevent 
security breaches. Then they go on to say, ``Our errors and 
omissions insurance coverage, covering certain security and 
privacy damages and claim expenses, may not be sufficient to 
compensate for all liabilities we incur.''
    So, I would like to find out from each of the companies 
what claims you have already made to your errors and omissions 
insurance companies, how much they have paid. Have your 
premiums increased or do you expect them to increase, because 
this is the primary way insurance companies regulate behavior, 
by increasing their premiums for riskier companies. And what 
percent of the industry do you think has this sort of coverage 
to essentially inoculate yourselves, but not your customers, 
against these errors and omissions, and what are the names of 
these prominent errors and omissions insurance companies? And 
wouldn't you want to suggest to those companies that they 
perhaps have a more polite name for the coverage, because 
``errors and omissions'' seems kind of disrespectful to their 
customers. So, perhaps we can start with SolarWinds and go to 
FireEye and then to Microsoft.
    Mr. Ramakrishna. Congressman Cooper, thank you for the 
question. Since my coming on board, we have really focused on 
the investigation and addressing the safety and security of our 
customers through remediation. And to your point about the 
private sector taking on more responsibility for tech-based 
solutions, I could not agree more with you, and that is the 
reason why we came up with the notion of Secure by Design, 
which is completely a technical-based approach to enhancing and 
ensuring the safety and security of our supply chain and that 
of our customers.
    Now, specific to your question, I do recognize that we have 
insurance. However, I would like to take that question on 
record to give you the specifics, which I don't have handy at 
this point in time.
    Mr. Cooper. Mr. Mandia?
    Mr. Mandia. Sir, same answer. I would like to take that 
question on record because I am not prepared to speak to it at 
this point.
    Mr. Cooper. Mr. Smith?
    Mr. Smith. I would say two things. First, I don't know 
about the specifics here, but generally as a company, Microsoft 
self-insures. We don't rely on policies from insurance 
companies. But second, more broadly, if we have left you with 
the impression that we are defeatist, then that is the error 
and omission that we should be talking about. We are the 
opposite of defeatist. We are looking at this as an enormously 
challenging and important problem the country needs to address. 
These are major nation-states, but technology is moving 
forward. It is getting better. We are offering technology 
solutions to our customers, not just as a company, but as an 
industry. You are right that ultimately, just like an 
automobile, it takes the driver to choose to put on the safety 
belt, but we are making it easier every year. And I think we 
should be embracing this with an enormous amount of self-
confidence.
    Mr. Cooper. Well, instead of two-factor authentication, do 
we need three-factor? What is it going to be? Are we stuck with 
passwords? There has got to be a better way to do this, to 
interface with humans.
    Mr. Smith. Oh, I completely agree, but it is really a 
combination of steps, and I think that is what your question 
points to. You know, it is really some things as simple as 
putting your authentication into the cloud. You know, a lot of 
what happened here was with customers who did not have it 
there. They hadn't secured their devices with a service like 
Intune that we offer. They were not necessarily using what is 
called ``least privileged access'' so that when one person's 
password was stolen, you know, they were able to access more 
accounts than they should have been able to. A lot of the 
steps, when you really understand them, do rely on common sense 
and vigilance. And I do think it is up to us to continue to 
make that easier for our customers in this country and around 
the world.
    Ms. Norton. [Presiding.] The gentleman's time has expired. 
Next is Mr. Higgins of Louisiana.
    Mr. Higgins. Thank you, Madam Chairwoman. It is our 
understanding that Russia is responsible for this cyber 
espionage. They utilized some of our own publicly available 
hosting services to orchestrate these illegal actions. In my 
opinion, all server hosting companies, large and small, share a 
responsibility in vetting their clients, and then also play a 
part in preventing foreign interference in their operations. 
There is no daylight between private operations and government 
operations in the cyber realm. We have to work together to 
secure our systems for the citizens we serve. This was a direct 
attack on our Nation's technology infrastructure on a scale 
never seen before. Eighteen thousand SolarWinds customers 
compromised and many more thousands of systems breached in the 
private and government sectors. Russian cyber espionage gained 
full access across thousands of systems for a number of months. 
I think it is important to note that this is not the first time 
that the U.S. Government and private American cyber systems 
have been subject to major cyber espionage from Russia.
    Many years ago, two Administrations ago, the Kaspersky 
systems were approved on the GSA catalog. That security system 
was brought into Federal cyberinfrastructure. In 2015, it was 
identified as being used to steal NSA tools. In 2017, it was 
finally banned and removed from the GSA list. There are reports 
as recent as 2019 that Kaspersky software lingers in the 
government system, and beyond that, Kaspersky had a deal with 
Best Buy to preload on every computer they sold. Thus, they 
infiltrated the private systems at the same time. So, I have 
been listening to the testimony and the questions from my 
colleagues. None of us should be surprised about this, and I 
believe we should be more prepared than we are right now.
    Mr. Thompson, I have a question for you, sir. Is it true 
that you received a 23-page PowerPoint presentation from a 
former SolarWinds security advisor that listed potential 
SolarWinds breach vulnerabilities and suggested improvements 
needed to bolster security? Did you receive that briefing in 
2017? And if you did receive that briefing, what did you do 
about that, good sir?
    Mr. Thompson. Yes. I believe that we have really taken the 
security of our customers and our products seriously over the 
history of the company. We have got a unique relationship with 
our customers where we are very engaged with the individual 
users of our products. And so this----
    Mr. Higgins. Pardon me, Mr. Thompson, but that sounds like 
an answer prepared by attorneys. It is a simple question, 
respectfully. Did you receive this major briefing in 2017 that 
I am referring to? Did they recommend changes, and did you 
enact those changes?
    Mr. Thompson. So, it is my understanding, based on our 
investigation, that there was a briefing provided to some of my 
IT leadership team, and that that briefing was about security 
posture in general and about what the company could do to make 
sure that its security posture was enhanced and to make it a 
leader in security. And, yes, not as a result of that 
presentation, but beginning even before that, we began to 
invest in security and enhancing the posture of our security 
environment. In fact, we spent more than the average technology 
company of our size over the last four years on security. So, 
we have taken security very seriously, but not really as a 
reaction to that presentation because we knew security was 
important before that, and we were focused on it.
    Mr. Higgins. I appreciate your response. My time is winding 
down. Mr. Smith, can you quickly address the cloud hosting 
systems? It has been reported that threat actors in this breach 
leveraged servers from Amazon Web Services. Can you talk about 
what we can do to protect our cloud systems from further 
espionage efforts?
    Mr. Smith. Well, I am obviously not in a position to speak 
on behalf of Amazon or AWS. I do think we should take more 
steps. We certainly are always taking more steps in Microsoft 
to ensure that our cloud services, to the extent possible, 
cannot be used by a foreign adversary. I actually think it 
should start with transparency. I am here today. I am answering 
all your questions. Microsoft has published 32 blogs since this 
came to light. Amazon has yet to publish its first. So, I think 
we will all benefit if we create a culture where tech companies 
are sharing more information.
    Mr. Cooper. [Inaudible] for that point, Mr. Smith. Madam 
Chair, my time has expired. I yield.
    Ms. Norton. Yes, the gentleman's time has expired. I 
recognize Ms. Clarke of New York. Go ahead, Ms. Clarke.
    Ms. Clarke. Yes. Thank you very much, Madam Chair. I just 
wanted to, first of all, thank our panelists today for 
appearing before us. I currently serve as the chairwoman of the 
Cybersecurity Subcommittee, and I want to be perfectly clear 
that as a Nation, we cannot let this happen again. SolarWinds 
was but the latest malicious cyber campaign against our 
country, and it will not be the last. We certainly must hold 
the perpetrators of these attacks responsible, but we also must 
bolster our defenses so that they can't succeed in the future. 
So, my question is for Mr. Smith and Mr. Ramakrishna.
    Earlier this week, you both expressed your support for 
requiring critical infrastructure owners and operators to 
report cybersecurity incidents. Again, as the chairwoman of the 
Cybersecurity Subcommittee, this is something my subcommittee 
has been working on for some time. In fact, the House-passed 
version of the Fiscal Year 2021 NDAA included language that 
would require critical infrastructure entities to report cyber 
incidents to CISA. Unfortunately, that language fell out during 
the conference, but I intend to take a close look at this issue 
again, and I am heartened to see that there is so much momentum 
behind this.
    As anyone that has been working on this issue for a while 
knows, the devil is in the details. We need to figure out who 
would be subject to reporting requirements and what kind of 
incidents would trigger the requirement report. We also need to 
determine who they are reporting incidents to, whether that is 
CISA, a new agency modeled after the NTSB, or someone else. And 
finally, we need to decide what our ultimate goal is, holding 
companies accountable or are we just trying to get a better 
understanding of why our security controls fail. So, to the two 
gentlemen, can you elaborate on the reasons you believe we need 
a cyber incident reporting requirement and some of the benefits 
you expect to flow from such reporting?
    Mr. Smith. Well, I would say we really appreciate the 
leadership that you have been bringing to this, and I think you 
provided a checklist of some of the most important questions 
that need to be answered. But to address the one that you posed 
at the end, which perhaps is the most important of all, what 
are we trying to accomplish, I think our top priority is to 
make the country more secure. And the reason that we should 
want companies in the private sector, companies that, as you 
mentioned, are in the area of critical infrastructure, it is to 
provide information about threats so that one entity is in a 
position to scan the entire horizon and connect the dots 
between all of the attacks or hacks that are taking place.
    I think Kevin Mandia who described it really well earlier--
you know, you really cannot oftentimes determine exactly what 
is going on until you connect all of those dots, and today, 
this information is in separate silos. So, I would say let's 
solve the problem that needs to be solved, which is the 
cybersecurity protection for the country.
    Ms. Norton. Mr. Ramakrishna?
    Mr. Ramakrishna. Congresswoman Clarke, thank you again for 
your leadership and for your question. Having a single entity 
to which all of us can refer to will serve the fundamental 
purpose of building speed and agility in this process. Too much 
time is wasted in communicating across agencies where 
information is very fragmented, and oftentimes the dots are not 
connected because they are separate. That is the fundamental 
reason why I think having a singular agency to which all of us 
can communicate to and have two-way communication with them is 
fundamental to improving our speed and agility around these 
topics.
    Ms. Clarke. We have a few seconds left, but I would be 
interested in your thoughts on how Congress should scope this 
new reporting requirement. Who should it be subject to, who 
should be required to report, and who within the Federal 
Government is best positioned to receive and make use of such 
reports?
    Mr. Ramakrishna. Congresswoman Clarke, you mentioned CISA a 
few times. We have been engaged with CISA and other government 
agencies. We are also offering our human resources to work with 
CISA as well. That could be an initial starting point, and 
obviously you are more qualified to decide if that is the 
established entity to take this on and going public. So, our 
belief is all private enterprises should be instructed with 
reporting requirements and be made part of this community 
vision where public and private sectors can work together to 
tackle this issue.
    Ms. Norton. The gentlewoman's time has expired.
    Ms. Clarke. Very well. I have run out of time. I yield 
back. I look forward to our conversation as we continue to 
address this issue. Madam Chairwoman, I yield back.
    Ms. Norton. I thank the gentlelady from New York, and I 
call on Mr. Norman of South Carolina.
    Mr. Norman. Thank you. Two of the most, I guess, disturbing 
things that I have heard this morning during this testimony is, 
one, that it took nine months, that the Russians or whoever was 
involved had access to our most valuable intelligence. And I 
agree with Congressman Lynch: our next hearing ought to be with 
those that can answer the questions, what has been compromised, 
because national security is at risk. The other thing that 
really has shocked me is, Mr. Smith, your testimony that, 
really, we are at a shortage of cyber experts to connect the 
dots. I guess my question, we can't wait to train somebody out 
of high school, college, junior college. What group can we go 
to? Is it those that have been successful at breaking the 
system and are incarcerated, that are street smart, I guess, to 
know how to get to making sure this doesn't happen again? Your 
thoughts.
    Mr. Smith. Well, I think it is a key question, and I would 
point to two things that I think we can do to move faster as a 
country. No. 1, really harness the power of our community 
colleges. We don't need to send somebody back for four years of 
education. You know, there is a set of eight or ten courses 
that an individual can take over, say, a year or a bit more if 
they want to go full time, or they can, you know, take some 
courses while they are holding a full-time job. And I think 
that is probably the fastest way for us to expand the 
cybersecurity work force.
    I think the second thing is really for us in the tech 
sector ourselves. You know, we are doing more, we are investing 
more, but I think we can and should do more, and, you know, 
that is a good point of learning for somebody like me and for a 
company like Microsoft. You know, we have LinkedIn. That is 
part of Microsoft. And so, you know, it is an opportunity for 
us to harness the power of, say, LinkedIn Learning and the 
connections not just with community colleges, but with 
employers. We are also focused on, you know, how we can add 
cybersecurity curriculum to, you know, the training programs of 
employers of all sizes so that if there is somebody who needs 
to learn, you know, six extra things, they don't need to go 
back to school. They don't even need to take a course to do it. 
We can take the training to where they are, and we can build it 
into their workflow on the job. That is something that we are 
using our own technology to do.
    So, I think this is a lot like anything. Once you 
understand the importance of the problem, you can really 
harness all of the available resources to address it. And I 
think it is right that we make this one of the priorities that 
comes out of this.
    Mr. Norman. So, as a Member of Congress, what should we do 
to get the Amazons on board? You know, you are one company. You 
are a big company in Microsoft. But what can we do to get 
private sector, the other large companies that, you know, 
basically have monopolies, how do we get them activated, or 
what is your advice to us?
    Mr. Smith. Well, look, I am not the best person to give you 
advice on how to get Amazon to do something. There will be 
others who will be more insightful than me. What I would say is 
if I were in your shoes and I really wanted to have the 
broadest impact as quickly as possible, you know, I would look 
at opportunities to provide, you know, incentives for 
individuals who want to go study at community colleges so they 
can do so. And I would look at, say, tax credits for smaller 
businesses so that if they want to invest in the training of 
their people, they can do that as well, so that you would 
target, you know, the limited budget, the limited taxpayer 
dollars to the places where they would have the greatest impact 
in the shortest possible time.
    Mr. Norman. Well, that is just what we need to hear, and a 
lot of times in politics, we don't know what we don't know. We 
are going to have to depend on y'all to give us a roadmap on 
how we can do it. We simply cannot take another nine months to 
let countries that don't have our best interests at heart 
damage us, and I would be interested in anybody else, any other 
comments any of the other panelists have, I would be interested 
in.
    Mr. Ramakrishna. Congressman Norman, if I may suggest one 
area where the Congress may be able to help us also is by 
encouraging us and incentivizing us to come forward with more 
of these intelligence aspects and share them more broadly. In 
addition to litigation risk, some of us may be worried about 
reputational risk that it causes where the victim is victimized 
for coming forward, and those should stop so that we can all 
come together and really build our efforts to thwart these 
major issues going forward.
    Ms. Norton. The gentleman's time has expired. I will call 
on Mr. Connolly of Virginia next.
    [No response.]
    Ms. Norton. Is Mr. Connolly there?
    [No response.]
    Ms. Norton. If Mr. Connolly isn't there, I am looking for 
the next Democrat. Please give me the name of the next 
Democrat. I think you are the next Democrat, sir.
    Mr. Krishnamoorthi. Were you talking to me, Chairwoman?
    Ms. Norton. Yes. Yes.
    Mr. Krishnamoorthi. OK.
    Ms. Norton. I am moving to you, yes.
    Mr. Krishnamoorthi. OK. OK. Very good. Thank you so much 
for all of you testifying today, and thank you for your 
transparency and for giving us some very insightful 
information. So, my first question is to Mr. Smith. Mr. Smith, 
you gave an interview with ``60 Minutes'' recently, and in that 
interview, you said that essentially the supply chain tech 
attack was ongoing currently. One question I have right out of 
the box is, are you aware of whether that malware and that 
attack is potentially present on computers in the U.S. House of 
Representatives?
    Mr. Smith. We are not aware of this being focused on the 
U.S. House of Representatives, so no. The answer is, no, I am 
not aware of that.
    Mr. Krishnamoorthi. How about the U.S. Senate?
    Mr. Smith. I am not aware of any use of this tactic on the 
U.S. Senate either. We have seen cyberattacks, you know, in the 
past on members of the House and members of the Senate, and 
whenever we have detected them, we have let either the 
Sergeant-at-Arms or the Speaker or members know.
    Mr. Krishnamoorthi. Sorry. My time is limited, Mr. Smith, 
so I am just to ask you to respond briefly.
    Mr. Smith. OK.
    Mr. Krishnamoorthi. How about the Office of the President?
    Mr. Smith. I am not aware of any attack using this vector 
on the Office of the President.
    Mr. Krishnamoorthi. Now, in that ``60 Minutes'' interview, 
you also mentioned that perhaps the only way--because you have 
to understand this. The way I kind of picture this is that it 
is almost like the burglar is in the home while we are all 
here. And one of the things that you said that really struck me 
in your ``60 Minutes'' interview is that you said that perhaps 
the only way to make sure that we get rid of this attack or 
this intruder is to ``rip and replace every single piece of 
network equipment and computer that may have been affected.'' 
Do you still stand by that quote that you gave to ``60 
Minutes''?
    Mr. Smith. Yes, I don't believe that I am the one who said 
that. If I did, I referred to the thought that some have that 
that may need to be done. I don't----
    Mr. Krishnamoorthi. OK. Let me stop you there for a second. 
Have you done an assessment of what that might require? 
Because, at the end of the day, we need a foolproof way to 
eject the intruder from our homes. We cannot be in a situation 
where the intruder has carte blanche espionage capability on 
us. So, talk to me a little bit about that. What type of, you 
know, effort would be required if we were to undertake that?
    Mr. Smith. Well, we have not been asked to do it. To the 
best of my knowledge, we have not undertaken an analysis of 
what it would take to rip and replace all of the, say, 
technology infrastructure of a particular agency or part of 
government. It is actually not what I believe needs to be done. 
I think that efforts are better focused on other approaches.
    Mr. Krishnamoorthi. Well, here's my concern, which is, what 
is the foolproof way to get rid of the intruder from our 
collective home at this point, because we are tired of hearing 
that the intruder is here. We have no idea what that person, 
that intruder is doing, but we should just kind of move on to 
the next subject. We need to eject the intruder from our 
computers right now, whether it is in the private sector or in 
the public sector. So, what is the foolproof way that would 
come short of ripping and replacing all this network 
infrastructure?
    Mr. Smith. Well, I would say two things. No. 1, one always 
needs to identify how someone got in or is getting in in order 
to get them back out. So, you know, that is in the realm of the 
kind of cybersecurity sort of forensic investigation that, you 
know, a company like Microsoft can help with, a company like 
FireEye does, you know, every day. You know, among the best, we 
are the best in the world. That is one part. The second thing 
is, there are five really straightforward cybersecurity steps 
that we believe, put together, will strengthen protection 
across the board: move authentication into the cloud, secure 
each of your devices, ensure that you are using anti-malware 
software across the board, use multi-factor authentication, 
apply privileged access. If you do those five things following 
a review by a company like FireEye, you should be in a much, 
much stronger position.
    Mr. Krishnamoorthi. I guess my final question is to Mr. 
Ramakrishna. You know, you are the new CEO and you are coming 
into a pretty bad situation. The NSA is not allowed to surveil 
private networks. It is only allowed to surveil foreign 
networks. Is the FBI and current agencies capable of doing what 
is necessary to surveil private sector networks in the U.S.?
    Mr. Ramakrishna. Congressman Krishnamoorthi, I wish I were 
an expert in being able to give you a yes or no answer on that, 
but I am not particularly qualified to address that. Does some 
level of surveillance and sharing of information between 
private and public sector need to happen at a level that is not 
happening today? My belief is absolutely yes, but with regards 
to surveillance, I am not the expert to address it.
    Mr. Krishnamoorthi. Fair enough. Thank you.
    Ms. Norton. I thank the gentleman for his questions. His 
time has expired, and I call on Mr. Biggs of Arizona next.
    Mr. Biggs. Thank you, Madam Chair. Because of the scope of 
this attack, I am concerned. It looks like it may take years 
before we fully understand its impact. Mr. Smith, my first 
question is for you. How likely is it that these attacks are 
continued, and, if so, how can we best determine who is still 
being attacked?
    Mr. Smith. Well, the first thing I would say is this 
agency's attacks or hacks did not start with the use of 
SolarWinds software, and it did not and will not end there. I 
think we should assume that this is an agency, and this is one 
of a relatively small number of very well-resourced governments 
that are focused on these kinds of threats against the country 
every single day, and they will be for the rest of our lives. 
And so I think what we need to do is just continue to 
strengthen the cybersecurity defense of the country, and we 
need, in part, to couple that with the better sharing of threat 
intelligence so that we are better able to spot the attacks or 
hacks as early as possible after they begin.
    Mr. Biggs. So, one of the concerns I have is that Congress 
is going to say, well, let's just create another layer of 
bureaucracy in there and then call it good. We will have done 
something until the next time we have an episode like this that 
we need to deal with. And I am wondering, and I will just turn 
to all the panelists, real briefly if you would. Would you tell 
us whether you see the solutions to prevent future attacks 
coming from government, or are they going to come from the 
private sector? So, let's start with Mr. Smith and then just 
move on down the panel.
    Mr. Smith. Well, I think we each need to play our role and 
do it well. I think that the public sector, the government has 
a unique role to play in establishing rules of the road, strong 
laws and holding foreign governments accountable. I think the 
government has a unique role to play, both in securing the 
government's own infrastructure and in collecting threat 
intelligence in a centralized way and putting it to good use. I 
think those of us in the private sector have an enormous role 
as well. We need to continue to strengthen the technology. We 
need to continue to make it easier for people to use the 
technology. We need to share the information we have, something 
that is not yet happening nearly to the extent that it needs to 
happen across the tech sector.
    Mr. Biggs. Thank you. Mr. Ramakrishna, if you would go next 
please.
    Mr. Ramakrishna. Congressman Biggs, I agree with my 
colleague, Brad Smith's, comments here and the work that he, 
and Kevin Mandia, and our colleagues at CrowdStrike and others 
are doing. As it relates to your question, the picture I would 
like to paint is, we are dealing with intruders, not an 
intruder, in this case. They behave like Transformer toys in 
many ways where they are constantly morphing and changing their 
tactics and procedures on us. So, to that end, we have to be 
nimble as well in working between the private and public 
sectors, and shaping our policies and shaping our information 
practices to adapt to this changing set of intruders and go on 
the offensive.
    Mr. Biggs. Thank you. Mr. Mandia?
    Mr. Mandia. Yes, I agree with both witnesses, both Sudhakar 
and Brad, on this one. It comes down to the government exists 
to have a proportional response and deterrence. The private 
sector will most likely be building the technology to safeguard 
in cyberspace working with the government, and you meet in the 
middle with the threat intelligence sharing.
    Mr. Biggs. So, all of you at one point, either in answering 
this question or other times today, have talked about 
information sharing. I just want to know, are there any legal 
or regulatory barriers to information sharing that you see that 
currently exists? Back to you, Mr. Smith.
    Mr. Smith. Well, I would say there are two barriers today. 
The first is, it is not always entirely clear to whom we should 
be sharing the information or sharing it with. But then second 
is, the one thing that we have noticed that we have mentioned 
publicly that is a legal barrier, is today, it is a fairly 
standard aspect of Federal contracting practices that agencies 
restrict a company, like Microsoft, from sharing with others in 
the Federal Government when a particular agency has been hacked 
in this way. So, one of the specific things that we had to do 
in December was go to each agency, tell them that we had 
identified that they were a victim of this. And then we had to 
say, you need to go over to this person in this other part of 
the government to let them know. Please do that. We cannot do 
that for you. And the good news is that people did that. They 
did it quickly. But I think it is a barrier that is an 
impediment.
    Mr. Biggs. In what little time I have left, I would urge 
the chairs of these two committees to take us into a classified 
hearing because I think there are some things, like, I would 
like to know, how do we know it was Russia. I would like to 
know what China's involvement was. A classified hearing would 
allow us to get more of that information, and I would look 
forward to that. And I thank all the panelists, I thank the 
chair, and I yield back.
    Ms. Norton. Well, that, I think, is certainly an idea. The 
gentleman's time has now expired, and I call on Mrs. Watson 
Coleman of New Jersey now. Mrs. Watson Coleman, you are 
recognized for five minutes.
    [No response.]
    Ms. Norton. Mrs. Watson Coleman appears to have stepped 
out. Mrs. Demings of Florida, you are recognized for five 
minutes.
    Mrs. Demings. Thank you so much, Madam Chair, and thank you 
so much to those who are with us today. It has been a very good 
discussion. As I listened to the line of questioning from Mr. 
McCaul from Texas, those were particularly some areas that I 
certainly was interested in. I believe during that line of 
questioning, there was an indication that the malware was 
hiding in plain sight, and I've also heard that in order to 
keep up, that we have to constantly change and adapt and 
improve, I guess, our capabilities. What I am particularly 
interested in is a better understanding of how the transition 
to cloud services, like Microsoft, affects a customer's 
visibility related to network activity. Although the cloud 
environment was not the initial entry point for malicious 
actors in this campaign, it is where they were able to access 
data and proliferate through cloud assets undetected for the 
better part of the year.
    So, Mr. Smith, have any of Microsoft's cloud customers 
informed Microsoft that their cloud environment was accessed as 
part of this campaign, or has Microsoft had to inform its 
customers?
    Mr. Smith. Yes, it is an excellent question. The first 
thing I would say is the right way to think about what happened 
here is that each and every one of these attacks, hacks, that 
we have seen happened on premise, meaning it was on a server, 
say, that was in the server room or onsite. Now, once the 
attacker was in the network, one of the things it did was it 
looked for the keys or the passwords to get into cloud 
services, like email or documents, or other things. Once they 
did that, then they were able to go up into the cloud and 
access those kinds of cloud services.
    Once they did that, we were able to see them because we 
scan the services that we run every day with a specific eye 
toward some particular threats. We have a Threat Intelligence 
Center that does that. So, in each of the 60 instances where 
there were Microsoft customers that were victims, we identified 
that they were the victim and we notified them. We have a team 
called the Detection and Response Team, DART. It is their 
mission to every day take this kind of information and let 
customers know if they are being victimized in this way. And, 
yes, it is one thing that we do. I think it is something that 
the tech sector more broadly needs to do.
    Mrs. Demings. OK. Thank you so very much for that. And for 
my kind of breaking it down as a former law enforcement 
officer, I kind of liken what you just said as to a burglar 
going around trying the doors. You are looking for that 
unlocked door or the key, and then they are able to access, as 
you just indicated. Can a cloud customer identify unauthorized 
access to their Office 365 accounts with their own logs? Can 
they do it themselves, the customers?
    Mr. Smith. I think the short answer is, yes, they can do it 
in a variety of ways. They can do it either by themselves or, 
you know, some customers may want to rely on the help of a 
third-party service provider, a cloud service provider and the 
like, you know, that is working with them. So, yes, they don't 
need to rely exclusively on the infrastructure or, you know, a 
company like Microsoft to do that, but it is an added service 
that we do provide both in terms of detection and letting 
people know.
    And then I will also say we also try to offer advice. In 
some ways, what happened here was, you know, for example, it is 
like leaving your keys on the kitchen table, and when you do 
that, somebody can go steal your car, you know. The cloud may 
be, in this case, you know, your email that they access.
    Mrs. Demings. Right. And, you know, Mr. Smith, what bothers 
me so much about that is we are talking about nine governmental 
agencies, right?
    Mr. Smith. Well, that is why we say don't leave your keys 
on the kitchen table.
    Mrs. Demings. Yes. Yes. Yes.
    Mr. Smith. We give people advice and secure ways to store 
their keys.
    Mrs. Demings. What steps have been taken, finally? I have 
14 seconds. What steps have been taken or discussions that have 
taken place to really review the cloud environment logs and 
prepare for the next breach?
    Mr. Smith. Well, I think that work is ongoing. Any time 
something like this happens, it should cause all of us to step 
back and say what have we learned and how can we get better 
because we continually must. We are definitely working through 
an effort like that here at Microsoft, and, yes, I would hope 
it is taking place at other companies in the cloud services 
business as well.
    Mrs. Demings. Mr. Smith, and to all of our witnesses----
    Ms. Norton. The gentlelady's time has expired. The 
gentlelady's time has expired. I call on for five minutes Mr. 
Van Drew of New Jersey.
    Mr. Van Drew. Thank you, and I want to thank the chairs and 
ranking members for doing this. This is good work. You know, 
America is under constant attack from adversaries looking to 
damage our businesses, our hospitals, our municipalities, and 
critical infrastructure using cyber warfare. Like the witnesses 
have already stated, we face serious threats from Iran, China, 
Russia, North Korea, and other bad actors in the global 
landscape. The SolarWinds campaign was a devastating attack 
that showed how vulnerable we are to those types of attacks. 
The integrity of our critical infrastructure is not as robust 
as we thought it was.
    The Federal Government needs to do better and so does the 
tech industry. With close to 80 percent of Fortune 500 
companies utilizing SolarWinds technology, there needs to be 
collaboration obviously between public and private entities to 
protect America. We owe it to our constituents, our 
municipalities, and our country to ensure that we are 
adequately prepared for these harmful actions.
    In my district, two years ago, the Atlantic County 
Utilities Authority, located in Egg Harbor Township, New 
Jersey, was the victim of a cyberattack. The Utilities 
Authority reported an incident in which perpetrators gained 
unauthorized access to sensitive data of customers. 
Additionally, operational information was withheld as the 
criminals demanded ransom. Fortunately, the overall function of 
the Authority was minimally impacted, but the fallout could 
have been far, far worse. I applaud the previous 
Administration's efforts to increase our Nation's cyber 
defenses and improve gaps in our framework, and I implore the 
Biden Administration to take this issue seriously and 
prioritize the safety and well-being of Americans.
    For Mr. Smith, in your written testimony, you discuss 
Microsoft's relationship with other technology companies and 
their role in Microsoft's response to the attacks. How is 
Microsoft's relationship with the Cybersecurity and 
Infrastructure Security Agency, CISA, and do you feel we are 
safe from future cyberattacks of this nature?
    Mr. Smith. Well, I think it is an excellent question. We 
feel very good about the progress that CISA has been making. It 
is a young agency. It has moved far, and it has moved fast. It 
is going to need, I think, to move farther and faster in the 
future, and that will require additional resources as we 
continue to build the role of CISA in protecting the country. I 
also think it is just worth noting, your examples, I thought, 
were so important because so often we see two things. We see 
the most sophisticated cyberattacks begin with nation-states, 
and then we see their tactics copied by cybercriminal 
organizations, and then they go to the weakest point. And the 
kind of ransomware attacks that you have experienced in your 
district, they were experienced in Baltimore, in New Orleans, 
by hospitals across the country.
    And if there is one thing I consistently find today, it is 
that many of the public sector computers and information 
systems software, especially at the state and local level, are 
not as modern as they should be. Just to give you one example, 
one department of health at the state level that we are working 
with on the distribution of vaccines, we went to help them 
strengthen their work. And when our consultants looked at the 
manual for the software program they were using, it was for a 
company that Microsoft acquired more than 20 years ago, so the 
software was more than two decades old. So, part of what I 
think we need to do is strengthen CISA, but I think part of 
what we need to do is really, across the country at the state 
and local level, embrace the modernization of our IT 
infrastructure, and, in so doing, embrace the modernization of 
our cybersecurity protection.
    Mr. Van Drew. So, thank you for a very good answer. Do you 
know what they are doing with localities? Are they specifically 
working? Like, I know, for example, in our utility, there was 
ransom, the ransom was paid, it went through insurance, and 
then they still didn't have a key to get them out. They 
actually had to figure it out on their own.
    Mr. Smith. Yes. No, that is often a problem. We oftentimes 
work with hospitals and municipalities that have been the 
victims of these kinds of ransomware attacks. There are times 
when consultants like ours can go in and solve the problem, and 
there are times when it is not possible because of the 
effectiveness of the attack. I do think CISA does an important 
job in providing advice, but this also comes down to really 
state and local government budgeting for modernization, and, I 
would say, decisionmaking so that you integrate the decisions 
of the IT team with the needs of, say, in vaccines, the 
epidemiologist, for example, that need the technology to help 
them do their jobs. You know, we need to just think anew about 
how we manage technology across the public sector.
    Mr. Van Drew. Real quick. Are we going in the right 
direction?
    Mr. Smith. We are going in the right direction. We need to 
move much faster.
    Mr. Krishnamoorthi. [Presiding.] Thank you, Mr. Van Drew. I 
would like to now recognize the distinguished gentleman from 
Virginia, Mr. Gerry Connolly.
    Mr. Connolly. Thank you, Mr. Chairman. Can I be heard?
    Mr. Krishnamoorthi. Yes.
    Mr. Connolly. Thank you. I want to talk about threat 
hunting and cyberdefense, and I am going to ask all the 
witnesses when I pose a question to be as succinct as you can 
because I have a lot of them. Last month, Mr. Ramakrishna 
announced SolarWinds intends to increase threat hunting 
capabilities to bolster the company's security. Mr. Thompson, 
did SolarWinds routinely employ threat hunting before the 
discovery of the attack in December?
    Mr. Thompson. We had a number of security defenses at the 
company before the discovery of the SUNBURST malicious code. 
So, we leveraged a lot of the technologies that other companies 
leverage, and I think that we were doing more than the average 
software company to protect our environment.
    Mr. Connolly. The question was threat hunting capabilities 
specifically.
    Mr. Thompson. And I don't recall whether we were doing 
threat hunting specifically.
    Mr. Connolly. Mr. Smith, Microsoft provides threat hunting 
as part of its cybersecurity services. Why did Microsoft's 
threat hunters fail to discover the SolarWinds compromise?
    Mr. Smith. We do have a large number of threat hunters. I 
would say we did not detect this intrusion as quickly as we 
might because, first, it was very limited on Microsoft's own 
network, and second, until we heard from someone else, like 
FireEye, you know, we didn't have the specific threat to hunt 
for. You know, it is definitely a capability that we are 
continuing to invest in to expand at Microsoft.
    Mr. Connolly. Has Microsoft learned any lessons from its 
investigation of the compromise that could improve hunting for 
this type of threat in the future?
    Mr. Smith. Absolutely. I mean, I think whenever something 
like this happens, we need to learn a lot, and you need to take 
a little bit of time and let the dust settle. You know, there 
is the kind of threat hunting that needs to take place every 
day, and that includes the work of our Threat Intelligence 
Center to scan the horizon. I think one of the things that we 
learned is when you have an adversary that is this focused, 
this determined, and this well-resourced, there will be major 
cyber incidents that require you to expand overnight the number 
of individuals who are engaged on response or threat hunting.
    We did that in this instance. We expanded to more than 500 
engineers who were pretty much on this 24 by 7, but we are 
asking ourselves how we build the capability in the future to 
grow to even a larger number if that is what we need to do.
    Mr. Connolly. OK. I am sorry. I am going to run out of 
time, but let me ask one more question in this series. How can 
the government support private companies that have been engaged 
to threat hunt on Federal networks?
    Mr. Smith. Well, I think the single most important thing 
the government can do is create a centralized point of intake 
so the threat intelligence, the information that is found from 
threat hunting, can go to a central place, but there is a 
second step that is needed as well. The government then needs 
to decide when and how to share information it is finding back 
with companies, like FireEye or Microsoft, so that we can act 
using that information in an appropriate way.
    Mr. Connolly. The National Defense Authorization Act 
provided cybersecurity agencies with increased authorities to 
do threat hunting across the Federal civilian networks. Do you 
believe those provisions in the National Defense Authorization 
Act would do what you just suggested?
    Mr. Smith. I think the NDAA that was just passed goes far 
in adding additional tools and layers of protection. I think 
there is more that we need to do to add to what was passed last 
year. In this area of, you know, information about threat 
intelligence, I think, you know, this is a specific topic that 
it is good we are talking about here. I think it is an area 
where additional legislation would be helpful.
    Mr. Connolly. Mr. Ramakrishna, you indicated, in response 
to Mr. Langevin, three theories you have about the attack, but 
the third one intrigued me, that you were a victim of supply 
chain attack. What is the evidence to support that?
    Mr. Ramakrishna. Congressman Connolly, my point on the 
third hypothesis that we laid out was a potential vulnerability 
in a third-party software that we are deploying at our company. 
So, I wasn't referring to necessarily a supply chain attack on 
a third party as much as a vulnerability that we are yet to 
discover.
    Mr. Connolly. And my final question is to Mr. Mandia. Based 
on your experience in the Air Force and the Pentagon, what are 
the limitations from your perspective about threat hunting when 
used by the Federal Government, and then I will yield back, Mr. 
Chairman.
    Mr. Mandia. First, I think threat hunting is something that 
is probably a decade old. Not every company does it. We are 
talking about an attack that impacted 17,000-plus 
organizations, and nobody detected it until we reversed the 
whole thing. So, you are going to see threat hunting gain in 
popularity, but it is a high-skill-set thing. Government 
agencies that we have worked with are well trained, can conduct 
threat hunting, and I think it is all about authority. Do they 
have the authority to do it or not?
    Mr. Connolly. Does the NDAA give broader authority?
    Mr. Mandia. I am not prepared today to speak to that. I 
haven't read the whole document.
    Mr. Connolly. Maybe you could get back to us with that for 
the record.
    Mr. Krishnamoorthi. The gentleman's time has expired.
    Mr. Connolly. Thank you, Mr. Chairman. I yield back.
    Mr. Krishnamoorthi. Thank you, Mr. Connolly. Now I would 
like to recognize Mr. LaTurner from Kansas. Mr. LaTurner, you 
are on the clock.
    Mr. LaTurner. Thank you. My question is for Mr. Smith, and 
I would like to discuss cyber deterrence as it relates to the 
private sector. This is a discussion that you had some on 
Tuesday, but I want to talk about the frustration that does or 
does not exist in the private sector that the U.S. Government 
just isn't doing enough to deter these attacks. Could you speak 
to that?
    Mr. Smith. I think that there is a need for additional 
deterrence or accountability measures, and I think it probably 
needs to fall into three categories. First, in certain areas, 
there is an opportunity to strengthen the rules of the road 
and, in particular, with respect to three issues: something 
that puts this kind of software supply chain or hardware supply 
chain disruption off limits, especially for these kinds of 
disproportionate and indiscriminate attacks; second, something 
should put attacks on hospitals and the public health service 
off limits; and third, it should put attacks on the electoral 
system off limits. That is step one.
    Step two, I think we then need a consistent government 
policy that says that when these lines are crossed, the 
government, whenever it finds sufficient information, is going 
to have public attribution, and that public attribution, where 
possible, should be with our allies as well so it has 
multinational effect. And third, the government needs a set of 
tools so that there are consequences for when these lines are 
crossed.
    Attribution is the first step, but there may be instances 
where there are sanctions. There may be instances where there 
are other steps. I think this is fundamentally a question for 
the government itself, but it is like anything. If you catch 
somebody who is engaged in an offense, you need to hold them 
accountable, and you need a variety of ways to do that.
    Mr. LaTurner. I appreciate that, and I want to talk about 
information sharing and how that can enhance the ability to 
address some of these threats. And specifically, do Microsoft 
contracts prevent you from sharing threat intelligence with the 
government? What kind of restrictions does that put on you?
    Mr. Smith. Well, the government's contracts impose 
restrictions on Microsoft and other government contractors in 
this kind of situation. So, that was the specific limitation 
that we encountered when we wanted to notify different parts of 
the U.S. Government of what we were seeing. And we found that 
we could only inform the agency that was the victim itself, and 
we had to ask them to go talk to another person, or individual, 
or part of the government, which they did. But it struck us as 
a barrier that is not serving the government itself very well.
    Mr. LaTurner. But no issues with private sector contracts. 
Is that what you are saying?
    Mr. Smith. No. I mean, it is very interesting to me how 
varied the practice is across the tech sector. At Microsoft, 
when we see one of our customers that are attacked, I think it 
is our first responsibility to let the customer know. We have 
done this more than 13,000 times in the last two-and-a-half 
years with nation-state attacks, and yet there are other 
companies that, to the best of my knowledge, have not even 
alerted their customers or others that they were a victim of 
the SolarWinds-based attack. These are companies where their 
own infrastructure was used to launch the attack, and somehow 
they don't think it is part of their responsibility to let 
these victims know that they are victims. And that needs to 
change, and it needs to start in the tech sector. I think we 
need to come to terms with this.
    Mr. LaTurner. Thank you for your testimony today. Mr. 
Chairman, I yield back.
    Mr. Krishnamoorthi. Thank you very much, Mr. LaTurner. 
Congresswoman Kelly?
    [No response.]
    Mr. Krishnamoorthi. Congresswoman Kelly?
    [No response.]
    Mr. Krishnamoorthi. Congresswoman Kelly, can you hear me?
    [No response.]
    Mr. Krishnamoorthi. Robin? She just responded. 
Congresswoman Kelly, you are recognized for five minutes.
    Ms. Kelly. Oh my goodness. I can't believe it. OK. Let me 
get the thing up. Thank you so much, Mr. Chair, and thank you 
to the witnesses. Can you hear me?
    Mr. Krishnamoorthi. Yes.
    Ms. Kelly. OK. The SolarWinds hack reflects a disturbing 
new paradox for the security of U.S. computer and information 
technology systems. Regular software updates and patches are 
often critical for correcting known vulnerabilities and 
preventing cyberattacks. Many of my colleagues will recall the 
March 2017 Equifax data breach that resulted in the loss of 
massive amounts of personal and sensitive data. In that case, 
the hackers exploited a widely known vulnerability that should 
have been patched several months earlier. Mr. Mandia, can you 
tell us why regular software updates and patching are important 
for protecting an individual or a business's systems and 
networks?
    Mr. Mandia. Absolutely. When you are patching, what you are 
trying to do is close the window of vulnerability, period. You 
know, software, there is always first-to-market versus secure-
to-market, and a lot of times it is hard to find security 
imperfections in software ahead of time because it is hard to 
predict the thousands of different ways people may use your 
software. So, I have heard people say building software is like 
building a bridge. It is not. Bridges follow the laws of 
physics. Software does not. But the bottom line is this: there 
is always a gap between what attackers can do and the 
capability and the safeguards that we have. When you get a 
patch, the faster you patch it, you are reducing your window of 
vulnerability.
    Ms. Kelly. Thank you. In the case of SolarWinds, a software 
update itself, a trojan horse, ended up installing malware on 
the victims' computer networks. I am concerned that at a time 
when regular software updates are as important as ever, the 
SolarWinds attack might deter individual customers and systems 
administrators alike from installing needed software updates. 
Mr. Mandia, what would you say to customers or systems 
administrators who may be concerned or reluctant to download 
updates or patches for software for fear that updates might 
contain malware?
    Mr. Mandia. Well, I can tell you even in the SolarWinds 
breach, we have to remember the funnel. Over 17,000 companies 
were stage 1 victims, but the attacker only accessed 100. This 
was a manual attack, not an automated virus. There is a human 
on a keyboard. This is a threat group that doesn't target 
everybody all the time, so the risk is far less based on the 
constraints that the hacker had or the attack group had based 
on manual labor. The bottom line is everybody is now 
recognizing the rules of the road are that foreign intelligence 
services are hacking the supply chain, and everybody is 
wondering is there another implant in some other software. So, 
I think that there is going to be more inspection, where the 
capability to inspect exists, for all updates on a go-forward 
basis, and the industry is going to change both how software is 
created and how software is vetted.
    Ms. Kelly. Thank you so much. Mr. Ramakrishna, SolarWinds 
has reported that the company has 33,000 Orion users. You later 
identified that 18,000 had downloaded an affected version of 
Orion during a three-month period. My question is, customers 
have to manually download updates from you, correct?
    Mr. Ramakrishna. Congressman Kelly, that is true, yes.
    Ms. Kelly. This would suggest that just over half of your 
customers downloaded an update during three months, to say 
nothing of whether or not they actually installed it, correct?
    Mr. Ramakrishna. That is correct.
    Ms. Kelly. And then at the same time, the customers that 
did download the update exposed their systems to this malware.
    Mr. Ramakrishna. That is a potential, yes, Congresswoman. 
As Mr. Mandia described it, once the patch with the affected 
code is installed at a customer site, in certain installations, 
not everywhere, not in every place, they try to connect back to 
essentially their home server to see if they can actually get 
connectivity and then potentially start doing some things 
manually to break through the defenses once they have gotten 
in, which is----
    Ms. Kelly. OK. I got you. Mr. Smith, let me turn to you 
quickly. Does it concern you that users may think twice about 
downloading an update, and can you explain?
    Mr. Smith. I think it should concern us all. I think Kevin 
Mandia put it well. I mean, I do think that this will 
strengthen the process that is used to build and vet software, 
but I would still say the message to the consumers of America 
should be clear: you are far safer if you update your software. 
It is a little bit like thinking----
    Ms. Kelly. And what----
    Mr. Smith. Well, one seat belt may have a defect, but you 
should still put on your seat belt. You are going to be far 
safer every day if you update your software.
    Ms. Kelly. Thank you so much, and thank you to all the 
witnesses. And I yield back the balance of my time.
    Mr. Krishnamoorthi. Thank you, Congresswoman Kelly. Next, I 
would like to recognize the gentlelady from Tennessee, 
Congresswoman Harshbarger. You are on the clock.
    Mrs. Harshbarger. Thank you, Mr. Chairman. I guess I just 
have a statement first, and then I will go into a question. 
Since we don't know how the malicious code was inserted into 
the software updates, which is unbelievable, and several of you 
have said that the U.S. Government needs a national strategy to 
strengthen how we share threat intelligence between the U.S. 
Government and the private sector, you know, we are constantly 
patching and adopting continuous updates, and it has been a 
standard of cybersecurity best practices measures for years. I 
guess I was looking at testimony from Tuesday, and, Mr. Mandia, 
in your testimony, you mentioned that the adversary was able to 
disarm some of your sensors as part of the intrusion. Can you 
tell us what you mean by that?
    Mr. Mandia. Absolutely. When the implant in the SolarWinds 
software ran, one of the first things it did, 11 days after it 
installed--mind you, it slept for the first 11 days--is it 
looked at the system it was running on, and it looked for 
common safeguards, like Windows Defender, like CrowdStrike, 
like FireEye's Endpoint, and it shut them off. And, again, the 
implant ran at system level. It had the permissions to do 
whatever it needed to do, so it just said, ``What security is 
running? Kill it,'' and that is why we couldn't detect it in 
the first stage of the attack.
    Mrs. Harshbarger. Thank you for that. Also, Mr. Smith, in 
your testimony on Tuesday, you said that while the adversaries 
had gained access to your source code, you don't consider the 
code to be particularly sensitive. And I guess from media 
reporting, it has been suggested that this effort by the 
adversary allowed it to exploit the identity and authentication 
features of Microsoft in other breaches of entities. Can you 
tell me a little bit about that?
    Mr. Smith. Yes, there are two different concepts in your 
question. I mean, first, you know, we share our source code 
broadly. We share it with all of our employees, and the secrecy 
and the security protection of our technology is not based on 
the secrecy of the code itself. We live in a world where, you 
know, much code is published, you know, to the world on the 
internet in open source form. The second part of your question 
then goes to, you know, our services overall, and I would say a 
couple of things. In no instance did we identify any action or 
case where anyone was able to use Microsoft's services as a 
vector of attack, as a means to attack any other customer. 
There are, you know, discussions that, you know, have ensued, 
rightly so, about the use of some industry-standard approaches 
for the authentication of accounts. Microsoft, like everybody 
in this business, supports these industry-wide standards. One 
of the standards, in particular, is 13 years old. It is called 
SAML.
    It has been superseded, in our view, by something we have 
been encouraging customers and developers to move to since, but 
there was a vulnerability, so to speak, in SAML that was 
exploited in a small percentage--and I think that is important 
to underscore as well--a small percentage of the instances that 
we saw. And it was only exploited after someone had already 
basically gotten elevated privileges, for example, by stealing 
a key or breaking a password. But nonetheless, I think this is 
quite rightly raising questions, how do we address this issue 
in the future. We are focused on that. Others are focused on 
it. I do think it is something that we will want to continue to 
work to address.
    Mrs. Harshbarger. You know, honestly, coming from the 
private sector to the government sector, you know, we trust 
that those apps that we are installing, those updates on our 
Apple phone, on our watch, on anything that we do in a business 
environment or the government environment, we assume that it is 
safe because it has been vetted. I guess my question is, how 
can we be assured in the future that these software updates are 
going to be safe, and, in your best estimate, you know, how 
soon are we going to be attacked again, I guess is my question. 
We update every day something, and that makes me a little 
fearful going into the future.
    Mr. Smith. Well, I think there are two things that we need 
to do to better secure this kind of software updating. The 
first, as Kevin Mandia was saying before, is we are going to 
need to work with everyone who creates software to secure what 
is called their build process and to vet the software that is 
built. You know, at a company like Microsoft, we have an 
extraordinary range of controls to address that, but, you know, 
software is being built by companies and other organizations, 
large and small. And second, I think this is why it is so 
important for the government itself to send a message to the 
world that this type of indiscriminate and disproportionate 
tampering with the software supply chain is a violation of 
international norms and rules, and there will be accountability 
when foreign governments do this.
    Mr. Krishnamoorthi. Thank you. The gentlewoman's time is 
up.
    Mrs. Harshbarger. Thank you, Mr. Chairman.
    Mr. Krishnamoorthi. Let me now turn to Congressman Eric 
Swalwell, the distinguished member from California. You are on 
the clock. You are muted.
    Mr. Swalwell. Thank you, Mr. Chairman. Thank you, 
panelists. This attack, I think it is pretty clear, was done by 
Russia, likely its intelligence services. That is what public 
reporting has shown. So, Mr. Smith, we know that Russia does 
not have much use for economic espionage. They are just not a 
country that is stood up in a way that they can benefit like 
our other adversary, China, who commits economic espionage 
every single day. However, this attack does touch not only on 
public-sector networks, but also private-sector networks. How 
much worse could this have been if an adversary, like China, 
had gone as far down the stack as Russia?
    Mr. Smith. I don't know that I have the best answer to that 
question. I guess I would say we need to recognize that we live 
in a world where there are multiple governments that are 
investing in these kinds of cyber intrusion capabilities. They 
may act based on different motives, and they may use what they 
obtain for different purposes, and we do see that in a somewhat 
diversified way around the world. I guess you could say, you 
know, it can always be worse. It could have been worse, and 
obviously it could have been much better. I think the most 
important thing is that we learn from this, recognize that it 
is a dangerous world in which we live, and we are going to have 
to strengthen our defenses.
    Mr. Swalwell. Mr. Smith, earlier my colleague, Mr. 
Krishnamoorthi, who is also on the Intelligence Committee with 
me, asked you whether the House of Representatives, Senate, or 
Office of the President's systems had been penetrated that had 
Microsoft platforms, and I believe you said no. How about in 
the last election cycle, in the current cycle we are in? 
Microsoft was quite helpful in actually being the first to 
report that, I think, some campaigns had been breached even 
before the U.S. Government had told Congress. Have you seen any 
recent attacks against members of the House or the Senate and 
against their campaigns?
    Mr. Smith. I am not aware of anything since the last 
election ended. That doesn't mean that there hasn't been 
anything, but nothing has crossed my desk. You know, we 
certainly did see a series of intrusions, hacks, attacks, if 
you will, during the last electoral cycle, as you mentioned. 
You know, we did bring that information forward. You know, we 
have created an offering called AccountGuard that we provide 
free of charge to every Member of Congress, every political 
campaign, to think tanks, to the political parties, if they are 
using Office 365. We provide this at no additional cost, and 
what we do is employ our Threat Intelligence Center to 
constantly look for these kinds of attacks and then let people 
know if we find something, and we do that immediately.
    Mr. Swalwell. Thank you, Mr. Smith. Mr. Ramakrishna, you 
alluded earlier that you believe that having some sort of, not 
incentive, but safe harbor to disclose breaches would likely 
result in more cyber companies or companies writ large 
disclosing breaches. Can you elaborate on that? How could we 
make sure that, one, consumers are able to hold companies 
accountable if there is a breach that the company was 
responsible for, but that we would still be able to see 
companies disclose breaches early to protect consumers? And I 
think in tort law, for example, you know, if your restaurant is 
being sued because a deck collapsed and the restaurant took 
measures to fix the deck, they could still be sued for the 
injuries of the deck collapse, but it could not be used against 
them if they sought to fix the deck collapse. Can you just talk 
about how can you make sure consumers are protected, but 
industry is still disclosing and has an incentive to do so?
    Mr. Ramakrishna. Congressman, thanks for that question. 
Where we are coming from on this topic is that, as companies 
discover malware and other vulnerabilities, the fact of the 
matter is no matter how many resources any one of our companies 
have, no matter what level of controls we have, all of our 
software has some form of vulnerabilities or another. When we 
discover those, we should be able to not only fix them, but 
also share them with others such that each one of us are not 
discovering the same issues over and over again and, in that 
process, losing time. So, where we are coming from is the early 
disclosure so that we don't have to repeat the same situation 
over and over again, both at the customer level as well as at a 
software supplier level, must be eliminated.
    So, the challenge here is one of potential litigation and 
one of, as I described it, victimizing the victim itself for 
coming out. And those are things that need to be eliminated or 
those stigmas need to be eliminated for more of us to come out 
and speak openly. Obviously, today, three of us have come and 
spoken about it. We should get more vendors and more customers 
to speak up so that we can together solve this problem. It is 
not purely one of resources. It is one of how resources use 
information and share it for our collective benefit.
    Mr. Swalwell. Thank you. I yield back.
    Mr. Krishnamoorthi. Thank you so much, Mr. Swalwell. Next, 
I would like to recognize the gentlewoman from Iowa, Mrs. 
Marionette Miller-Meeks.
    Mrs. Miller-Meeks. Thank you so much, Mr. Chair. I want to 
also thank the extraordinary knowledge of our witnesses' 
testimony. And also, as a former Army veteran, or as an Army 
veteran, I want to thank Mr. Mandia specifically for his 
service. This is a tremendously important hearing, and as I 
have listened to the testimony of our witnesses and both the 
insightful questions from my colleagues and the answers 
provided by our expert witnesses, I am reminded of pulling a 
single thread which then unravels an entire garment. You know, 
we are all a weak link in this system.
    So, like many people, I am a doctor. I interface with a 
hospital system and have protected health information that I am 
concerned about and concerned about my own financial 
information. But when I have to change my password every two 
months and when I have to do my security training every year, I 
perceive it as a nuisance, and I don't think I am alone in 
that. However, what you all have brought to our acute awareness 
and alarm, we are all each individually a weak link as we 
interface and interact both in our private lives and with state 
and Federal Governments.
    So, Mr. Ramakrishna, as the CEO of SolarWinds, and, 
granted, only a very brief time, and I can only imagine coming 
into an organization as the CEO with this overhanging your new 
tenure, you have been very forthright about some of SolarWinds' 
security culture challenges from the past and how you have 
leaned into improvements to the security culture, particularly 
around software development practices. We need to use events 
like these as collective learning moments to raise the overall 
tide level for everyone. The stakes are just too high to stand 
idly by. What role do you think companies like SolarWinds have 
to use their experiences and past challenges to promote better 
practices ecosystem-wide?
    Mr. Ramakrishna. Congresswoman, thank you for your 
question. We take our obligation to be a very active 
participant in this. While we were subject to this attack, we 
have learned a lot as well, and I will elaborate on one 
specific thing. I am happy to elaborate further as you please. 
As it relates to supply chain, one of the key challenges that 
we have uncovered as part of this attack is, typically all of 
us as software vendors use our certificate to sign the product 
that we deliver as the mark of integrity of the software that 
we deliver. Obviously, in this particular unique supply chain 
attack, that mechanism is not sufficient.
    So, one of the improvements that we are making, which we 
are also publishing both to CISA and others as well as our 
industry colleagues, is a different way and an enhanced way of 
building software that gives more confidence and trust to 
customers as to how it needs to be done that does not only rely 
on age-old ways of signing with our certificates, and instead, 
having parallel build environments that are managed and 
accessed by different sets of engineers. And that is an 
investment that we are making in that process to ensure that, 
across parallel build environments, the integrity of what we 
deliver is assessed and not compromised. So, that is a unique 
way of doing things and an extended way of doing things based 
on this very specific learning that we intend to publish 
externally as well.
    Mrs. Miller-Meeks. Thank you so much for that. And, Mr. 
Smith, before my time expires, you alluded to this earlier when 
you spoke about training your customers. And so do we need to 
have more broad-based security training for all of us as 
individuals, again, as we interact and interface with both 
local, state, and Federal Government entities? As I mentioned, 
it has been raised to my alarm that we are all a weak link, and 
I am going to have better security measures going forward.
    Mr. Smith. Well, I first want to say we really appreciate 
the leadership you have provided in focusing on state and local 
needs, and, you know, highlighting some of the kinds of 
ransomware attacks in a place like Iowa, because I do think 
that that really highlights that this happens in, you know, 
every part of the country. I hope we don't need to ask every 
individual as a consumer to, you know, suddenly spend a lot 
more time than they do today. Our goal is to make it easy and 
simple for individual consumers to simply, you know, turn on 
something like Microsoft Defender and let it go to work. But I 
think when we get to organizations--a hospital, a school, a 
municipality, a state agency--you know, that is where we need 
more personnel. We do need more training, and we are going to 
need more tools, which we are absolutely committed to 
providing.
    Mrs. Miller-Meeks. Thank you so much. I yield back my time.
    Ms. Norton. [Presiding.] We will take a recess at this 
time. We are not through. Excuse me. There is somebody there 
ready to go, so excuse me. I understand that Miss Rice of New 
York is prepared to come forward at this time. Miss Rice, you 
are recognized for five minutes.
    Miss Rice. Thank you so much, and I want to thank our 
witnesses today. This is incredibly enlightening at a critical 
time. But I also want to thank my colleagues on both sides of 
the aisle because the one message that I am getting loud and 
clear is that we can be doing better. It is one thing to have 
all of our witnesses here talking about what they are doing, 
but we need to actually act as well.
    So, Mr. Smith, a consistent theme in today's conversation 
has been that the U.S. Government needs to improve and 
incentivize intelligence sharing between Federal agencies and 
the private sector. I believe that you have called for the 
Federal Government, and forgive me, I had to [inaudible] so I 
left for a little while. I don't know if 
you addressed this. But you have called for the Federal 
Government to impose clear cyberattack reporting requirements 
on the private sector, and you have pointed to the EU's law 
requiring digital service providers to notify authorities of 
incidents as a model to follow. Would you consider the EU the 
gold standard around the globe, and are there any other 
countries we can look at to emulate what they are doing and 
recreate it here?
    Mr. Smith. Well, I definitely think we should learn from 
what the European Union is doing. I don't know if I would call 
them the gold standard, and there are others worth looking at 
as well, and I should do some more homework and get you some 
more examples. I think we need something that works for the 
United States, and I think we can put something like that 
together. Yes, I think we have had good conversation here on 
some of the specifics. You know, it is not something that needs 
to apply to everyone in the country, but it definitely should 
apply, at a minimum, to, you know, those entities like my own 
that are part of the critical infrastructure for the country 
and that are obtaining this kind of information. I think we can 
put together a gold standard ourselves as a Nation in terms of 
reporting the right information to the right people as rapidly 
as possible, and then I think, critically, sharing back the 
right information in an appropriate way as well so that we are 
better informed about what to look for.
    Miss Rice. Well, I hesitate to speak for every one of my 
colleagues on this hearing, but I, of course, stand ready to 
work on that with you. Mr. Mandia, in a similar vein, you have 
argued that the U.S. should establish a confidential 
information sharing solution to encourage public/private 
communication after breaches. And I believe you pointed to the 
FAA's Aviation Safety Reporting System, which uses non-punitive 
anonymous reporting to encourage the private sector to 
communicate about threats. To your knowledge, do any countries 
take a similar approach to encouraging the private sector to 
identify and address threats?
    Mr. Mandia. I think nobody does it exactly right. I have 
seen a lot of nations go through a lot of different evolutions, 
you know. I look at the U.K. They do a better job, in my 
opinion, of private and public partnership. They have more 
centralization of how they respond to incidents such as this. 
You look at Israel, much smaller scale, but, you know, they 
have their Iron Dome in how they approach threat intelligence 
sharing there.
    But my remarks were basically about if the threat 
intelligence sharing is not confidential, then as a reporter of 
threat intel, you have to get your arms around all the 
liabilities first, and it just creates too much delay, too much 
time, and the intel won't be actionable. So, I believe threat 
intelligence needs to be shared quickly, and I think you can 
define first responders in the industry, folks who respond to 
unauthorized, unlawful, or unacceptable behavior. If you do 
that for a living or provide those services and you see 
something, you can report that very confidentially. You can 
defend the Nation. You can get it to the right government 
entities, and, quite frankly, let the company get their arms 
around, ``So, what did we lose?''
    And realize this: a lot of disclosure creates fear, 
uncertainty, and doubt that is unnecessary. Most organizations, 
when they have a breach, lack the expertise to get a full scope 
of what did we lose and what should we do about it. They can't 
do it, and they are just going to scare the heck out of 
everybody by saying, ``Hey, we had a breach,'' and everybody 
goes, ``Well, what does that mean? What does it mean to me?'' 
And it could just be a small thing, a small matter that doesn't 
impact the consumers. So, every organization will need some 
time.
    Miss Rice. So, let me just ask you, Mr. Smith and Mr. 
Mandia, you know, what we are talking about today shows a level 
of human weakness and bad cyber hygiene. What steps could we 
take here in Congress? I mean, I am calling for all of the 
members to be required to have cyber education, which we are 
not required to do. How can we improve our cyber hygiene at the 
Federal level?
    Mr. Smith. Kevin, do you want to go, or do you want me to 
go first?
    Mr. Mandia. Brad, you can go first.
    Mr. Smith. OK. Well, I would say, first of all, I think 
your question is very important in the sense that everybody 
talks about technology, but, ultimately, it is always about 
people. And I think what it really connects with is the need to 
have, you know, consistent training, consistent implementation 
of what we all recognize today, our best practices, and 
ultimately an expansion of the work force in the cybersecurity 
field so that we have more trained people who can support all 
of the organizations and customers across the country.
    Ms. Norton. The gentlewoman's time has expired. The 
witnesses have asked for a 10-minute recess. They are really 
entitled to that. This is a long hearing because there are two 
committees meeting and asking questions, but we don't want it 
to go on forever, so we will take a 10-minute recess at this 
time.
    [Recess.]
    Ms. Norton. The committee will reconvene. We have a very 
large set of members because there are two committees. This is 
a joint hearing. That is why this is going on for so long. I 
want to call on the next member on my list. It is Mr. Clyde of 
Georgia. You are recognized for five minutes.
    Mr. Clyde. Thank you, Madam Chairwoman. As a Navy officer, 
a Navy combat veteran, I am quite aware that our military is 
tasked with protecting our Nation, and we take that very 
seriously and have been very successful in doing that for over 
a century. But cyberattacks on our country are something that 
literally can go right through whatever military protections we 
have, and can affect especially our civilian population in ways 
that can be devastating for medium businesses, large 
businesses, and even small businesses. So, several of you have 
said that the U.S. Government needs a national strategy to 
strengthen how we share threat intelligence between the 
government and the private sector. So, would each of you give 
me an idea of how you would see this playing out? What role do 
you see CISA playing to help support this, especially when it 
concerns the private sector? And I guess we could start with 
the CEO of SolarWinds.
    Mr. Ramakrishna. Congressman Clyde, thank you again for the 
question. In terms of CISA, there are a few things that we can 
work with CISA on as part of a private sector entity. One is 
CISA can essentially be the clearinghouse of all threat 
information that is given to it by the public sector. That is 
No. 1, and the converse is true from a private sector 
information gathering standpoint as well. Once it has got a 
coordinated set of information, it can take the responsibility 
to disseminate it to all impacted and potentially impacted 
parties as well. That will ensure that we are all coordinated, 
that we are fast and agile in learning and responding. The 
other major area that I would suggest is CISA can be a big 
influencer in establishing best practices and disseminating 
best practices across the entire value chain, not just in the 
threat aspect of it, but in the standardization of it, such 
that as things become more standard and more of us in the 
private sector follow, then potential for leakage across 
private sector entities is significantly reduced and 
diminished.
    Mr. Clyde. Thank you. I appreciate that. Mr. Thompson, any 
comments from you, sir?
    Mr. Thompson. Yes. The only thing I would add to what 
Sudhakar said is I do believe that CISA has an opportunity, 
based on where it sits in the government, to really coordinate 
resources from both the private and public sector. I think as 
private sector software companies, we would be willing to 
dedicate some amount of resources to work with CISA in coming 
up with cybersecurity strategies for both the private and 
public sector. But someone is going to have to be the 
coordinator of that, and I think CISA might be, if resourced 
appropriately, be in the right position to be able to do that.
    Mr. Clyde. Thank you very much. Mr. Mandia?
    Mr. Mandia. Yes, not too much to add to that other than 
when I think about intel sharing, if there is intel in, it 
makes sense that it goes to a single entity and the government. 
If there is intel out, that has got to be communicable to all 
the technology companies that safeguard the Nation in the 
private sector, public sector. And then there has got to be a 
prioritization, that there is probably different industries--
healthcare, utilities, telecom--that rise above some of the 
others that you got to make sure abide by certain legislation 
standards or regulations, and most of those are regulated 
industries. But that is how I think about it: intel in, then 
intel has got to get out, and then we get a Nation that can put 
shields up a lot faster than it can today.
    Mr. Clyde. Thank you. Thank you. And last, Mr. Smith.
    Mr. Smith. Yes, I think these provided good perspectives. 
The one thing I would add is, obviously this is a paradigm 
where CISA would be responsible for the assessment of threat 
data that is being reported domestically from companies inside 
the United States. You know, at the same time, you still have 
the NSA, which has this critical responsibility and role with 
respect to data, that it is able to identify from outside the 
United States. And then for the government as a whole, you need 
to have, you know, both of these sources to get the full 
picture of the threats to the country.
    Mr. Clyde. OK. Thank you very much. We had quite a serious 
ransomware attack in my district to a private company that 
basically shut them down for five weeks and cost them almost 
$10 million, so this is very, very important what we are doing 
here. Thank you, Madam Chairwoman, and I yield back.
    Ms. Norton. I thank the gentleman for his questions, and 
his time has expired. I call on Ms. Tlaib of Michigan now. Ms. 
Tlaib, you are recognized for five minutes.
    Ms. Tlaib. Thank you so much, Chairwoman. Mr. Thompson, you 
served at SolarWinds for 14 years, including 10 as its CEO, so 
I just want to make sure it is fair to say that you know this 
company better than anyone. I think Bloomberg News said two 
former employees viewed your company's security lapses as so 
significant that they said they viewed a major breach as 
inevitable. So, one of those employees, Mr. Ian Thornton-Trump, 
said that he warned the company in 2017 of security risks, but 
found the company's executives were, and I quote, ``unwilling 
to make the corrections.'' So, Mr. Thompson, I am sure you were 
expecting this question, but, you know, did you all take 
immediate action when these concerns were raised?
    Mr. Thompson. So, I believe we have taken this security of 
our customers, of our company, of our products seriously my 
entire tenure at SolarWinds. I believe we have invested at the 
appropriate level. In fact, over the last four years, we were 
spending at a level meaningfully higher than the industry 
average.
    Ms. Tlaib. When did you all start investing in security?
    Mr. Thompson. We have been investing in security since we 
got here, but obviously that security investment has grown as 
the company has grown. But if you look back to 2016, in 2016, 
we really looked at the business. We looked at where it was, 
and we began to invest at a higher level. We brought in a CTO 
who had been a CIO for many years. In early 2017, we brought in 
a very experienced CIO. We then added a VP of security who 
deals with product security----
    Ms. Tlaib. And this all happened in 2016?
    Mr. Thompson. In 2016 and 2017.
    Ms. Tlaib. So, Mr. Thompson, is it true, and this is 
something when the committee told me, I was kind of in 
disbelief. If all that was going on, then why in 2019 it was 
said that you could easily access your server by simply using 
the password ``SolarWinds123?''
    Mr. Thompson. So, that related to a mistake that an intern 
made, and they violated our password policies, and they posted 
that password on their own private GitHub account. As soon as 
it was identified and brought to the attention of my security 
team, they took that down.
    Ms. Tlaib. Yes. You know, it just doesn't, you know, invoke 
a lot of confidence when many of us when we hear it is an 
intern could have done that, and, again, that same password was 
used to access your server. The other one, is it true that 
SolarWinds did not create a role of a vice president of 
security until 2017?
    Mr. Thompson. So, we did not have a role for vice president 
of security, but as I have said, we had a very sophisticated 
CIO and a CTO who had been a CIO at a very large Fortune 500 
company, and we had a security team, and we had a security 
process. We just didn't have a VP of security prior to that 
day.
    Ms. Tlaib. So, with all those people, two years later, 
2019--I don't know if they were in place--you know, how fast 
did you fix the issue with the ``SolarWinds123'' password to 
access your servers?
    Mr. Thompson. As soon as it was identified to us, it was 
fixed almost----
    Ms. Tlaib. Days, weeks, months? How long?
    Mr. Thompson. Faster than days once we found out about it.
    Ms. Tlaib. Well, it also has been reported that back in 
October, another security company, Palo Alto Networks, raised 
concerns with SolarWinds about--am I saying it right, Orion 
product--based on behavior that they had observed, which is now 
believed to be related to the cyberattack. What steps did you 
all take to ensure that this issue was investigated, Mr. 
Thompson?
    Mr. Thompson. So, I will pass that to Sudhakar because I 
have not been the CEO since December 31 of 2020, and there have 
been a lot of investigation work done since then. So, I will 
let Sudhakar respond to that.
    Mr. Ramakrishna. Thank you, Kevin.
    Ms. Tlaib. You got any interns messing up, Mr. new CEO? So, 
I would love to hear about what you all are doing about these 
concerns raised in October.
    Mr. Ramakrishna. We heard about it from Palo Alto as a 
possible victim of the malware that was delivered as part of 
the Orion code and related issues. It wasn't about the security 
hygiene or security posture of SolarWinds itself. In fact, we 
are a customer of Palo Alto's, and we have 44 pairs of Palo 
Alto infrastructure protecting us, not just from a firewall 
standpoint, but also doing some threat hunting within our 
environments today.
    Ms. Tlaib. Well, I appreciate all of that. I just want my 
colleagues to understand it is not only that we need to find 
out what they were able to access, but the fact that, you know, 
SolarWinds did have a weak security culture that, you know, ran 
right up against this attack. And we need to acknowledge that 
because, I mean, I understand that there was just a recent post 
on LinkedIn for different security positions you guys may have 
posted recently. And so I just really want to make sure that, 
again, my colleagues, that we are all doing our due diligence 
in regards to some of these companies that we contract out to, 
to protect the privacy and protect our country from these kinds 
of attacks. With that, I yield. Thank you so much.
    Ms. Norton. The gentlewoman's time has expired, and I thank 
her for yielding. Mr. Fallon of Texas is next.
    [No response.]
    Ms. Norton. Mr. Fallon, are you there?
    Mr. Fallon. Yes, ma'am. Can you hear me?
    Ms. Norton. I can hear you. You can proceed.
    Mr. Fallon. Well, thank you very much, and I want to thank 
the witnesses for bearing with us in a joint committee. I know 
it has been a long day thus far. You know, what alarmed me when 
I was reading through sourcing material was the fact that, and 
it really got my attention, was the fact that the Secretary of 
Homeland Security's own email had been compromised. Mr. Mandia, 
thank you for your service to our country. I wanted to ask, in 
your opinion, what would have happened and how much more damage 
would or could have been done if your company hadn't discovered 
this breach in December 2020?
    Mr. Mandia. Well, you know, I think over time, people would 
have come across enough smoke to find the fire, so it would 
have been discovered in time and people would have connected 
the dots. We just happen to be a forensic firm and, you know, 
special ops met special ops. We responded appropriately with 
the right skill sets, found the implant. In regard to what 
could have happened, the attacker had unfettered access to over 
17,000 different organizations and nobody saw it. So, this 
attacker stayed laser focused on stealing specific information. 
They showed, arguably, constraint, and they didn't do anything 
destructive, but in reality, sir, it would have been easier for 
this attacker to destroy data than do the operations that they 
did. So, I think there was a range of options for the threat 
actor to behave like, and they behaved in a manner to steal 
emails and documents that they were targeted in collecting.
    Mr. Fallon. Just to follow up on that, if they chose to 
start destroying data, would that have, in and of itself, kind 
of raised red flags, and would they have discovered it then? Is 
that the reason why they wanted to do that?
    Mr. Mandia. I think there is a line of, you know, you are 
going to start noticing if machines get shut down or if data 
starts getting deleted. My observation on the rules of the 
playground in cyber, maybe we don't have written rules that 
everybody follows all the time, and maybe it is hard to get 
people to agree as to what is fair game for espionage, but here 
is one thing I do know. I don't think any modern nation wants 
to see modern nations' A-teams break in and start changing 
data, deleting data, putting industrial control system malware 
in place, and doing certain things that I still haven't seen 
done by those threat actors that are representing a foreign 
intelligence service. So, there are still another couple levels 
of escalation that have not, at least I haven't witnessed yet 
in cyberspace.
    Mr. Fallon. OK. Thank you. Mr. Thompson, in retrospect, was 
this breach, in your opinion, preventable, and if so, what 
should SolarWinds have done differently?
    Mr. Thompson. So, I will answer part of that question, and 
I will let Sudhakar answer some of it because, as I said, I 
have been gone since December 31. But this attacker designed 
this attack to be very, very difficult to find. They were 
incredibly patient. They moved very slowly. And the software 
was of tremendous complexity, and so it was designed in a way 
that made it very difficult for anyone to detect whether it was 
us or whether it was FireEye or Microsoft, which is why it took 
as long as it did. And I will let Sudhakar add what we have 
learned since December.
    Mr. Fallon. Thank you.
    Mr. Ramakrishna. Congressman Fallon, in addition to Mr. 
Thompson's comments, the way we looked at it is, given the 
novelty of the supply chain attack and, as I described it, the 
attacker hiding in plain sight, the fundamental things that we 
are looking at is what do we learn from this. How do we protect 
supply chains of companies like SolarWinds and our industry 
peers going forward? That led us to build the initiative that 
we call Secure by Design internally, which provides specific 
guidelines and execution tactics of how to protect internal 
environments, how to make build systems a lot more robust, 
including access to the build systems, and then how to evolve 
software development life cycles to be much more secure 
development life cycles where you are not testing security 
after something is delivered, but designed as you build it. And 
I believe that is the responsibility of the industry to take 
more ownership of and share that not just amongst us, but also 
with our government colleagues who also build software.
    Mr. Fallon. Thank you. And I have one quick last question 
for Mr. Mandia. While the experts seem to think that this was a 
nation-state-sponsored attack, I am guessing because of the 
complexity of it all, but I am a lay person. I just look at it 
in layperson's terms. Why are we so sure that it was a nation-
state-sponsored attack and not just a group of highly talented, 
albeit nefarious, cybercriminals?
    Mr. Mandia. So, I started responding to breaches in the 
United States Air Force by 1995. Back then, most of the 
breaches we responded to were not attractive nuisances. It was 
dot-gov against dot-gov, dot-mil against dot-mil. I have got 
about seven reasons why I believe it is a foreign intelligence 
service. I will give you two. FireEye was attacked by over 20 
different IP addresses, and we were a Stage 2 victim of this 
attack after we did a SolarWinds update. The systems used to 
attack us were used in exactly zero other breaches. That is 
very uncommon, sir. What normally happens, if I am a threat 
actor and I am doing ransomware, I have the same infrastructure 
for every attack I do. We went through our partners Microsoft, 
our partners in the intel community. None of the systems are 
used to attack anybody but FireEye. I have got six other 
technical reasons. I am happy to take them offline with you.
    Mr. Fallon. Thank you.
    Mr. Mandia. I have virtually no doubt, 10 minutes into the 
first briefing I got on our incident, this was a foreign 
intelligence hack, and I had a good idea which one.
    Mr. Fallon. Thank you very much. Thank you, Madam Chair. I 
yield back.
    Ms. Norton. Yes, the gentleman's time has expired. Mr. 
Correa of California.
    [No response.]
    Ms. Norton. Mr. Correa of California, are you----
    Mr. Correa. Can you hear me OK, Madam Chair?
    Ms. Norton. I can hear you now, sir.
    Mr. Correa. Thank you, ma'am. I want to thank all of our 
chairs and ranking members for this most important hearing. I 
wanted to ask a question of all our guests, Mr. Ramakrishna, 
Mr. Smith, Mr. Mandia. The question is as follows: Is this a 
political diplomatic issue, or is this a technical issue? And I 
ask this question because, Mr. Smith, during your presentation 
you said that we needed to strengthen international law and the 
consequences for violation of international law. Yet I recently 
read a report that talked about the Chinese intelligence, that 
they had stolen our espionage code and essentially customized 
it and were using it against us. So, those folks overseas, are 
they better than we are now? Are Russia, China, and others 
better than we are in this cyber battlefield, and if they are, 
how do we stop them? So, again, my question is, is this an 
international law consequences issue, or is this a technical 
issue? To all our guests, please.
    Mr. Smith. Well, I am happy to field that first. You know, 
I think you framed the question well. Is it a diplomatic issue 
or is it a technical issue? Yes. That is a way of saying it is 
both, and we need to deal with it on both levels. And I don't 
believe for a moment that we live in a world where our 
adversaries are more capable than our own government, but we do 
live in a world where there is an asymmetry. It is easier to 
play offense than it is to play defense. When you play offense, 
you can scan the horizon and look for the weakest point, and 
then that is where you direct your energy. And when you are on 
the defensive, that means you need to scan and secure the 
entire horizon.
    So, on the technical side, that means that there is this 
enormously important work to strengthen all of our cyber 
defenses, and it equally makes it a critical diplomatic and 
international legal issue because it simply must be the case 
that there are certain acts that are put off limits and for 
which there are international and diplomatic consequences. And 
this kind of indiscriminate and disproportionate attack on the 
software supply chain is and should be one of them.
    Mr. Correa. Mr. Ramakrishna, Mr. Mandia, go ahead.
    Mr. Ramakrishna. Congressman Correa, I agree with my 
colleague, Brad Smith, that it is a technology as well as a 
political diplomatic issue. Especially as it relates to the 
private sector, we have to learn and anticipate issues like 
this and collaborate together on coming up with best practices 
similar to the ones that we are trying to do at SolarWinds with 
our Secure by Design and some new things that our colleagues at 
Microsoft and FireEye, CrowdStrike, KPMG are doing. 
Additionally, I think internally within the United States, we 
need to look at our disclosure rules and, as we have all been 
saying, encourage more of us to come forward and disclose 
without fear of being punished either in the public or legally. 
So, that is as it relates to us in the U.S.
    And then diplomatically, setting some ground rules, holding 
people accountable, and driving consequences is, I would say, 
the help that we can get from the government. And last but not 
least, the point I have highlighted a couple of times today 
with regards to the need for speed and agility in terms of 
information sharing and information dissemination might require 
some help from lawmakers such as yourself.
    Mr. Correa. Thank you. Mr. Mandia?
    Mr. Mandia. Yes, I think everything both the witnesses have 
said is exactly right. It is a diplomatic issue. It is a 
technical issue. What I have learned over 20 years-plus in 
responding to security breaches, sir, is that all the threats 
we respond to literally mimic real-world geopolitical 
conditions and really economic alliances as well. So, when you 
look at what the threat is to the United States in cyber, it is 
North Korea, it is Iran, China cyberespionage, it is Russia, 
and then it is just folks who are safe harbors for ransomware, 
so it is going to take diplomacy. It is going to take 
technology. It will be both.
    Mr. Correa. In my last seconds I have, Mr. Smith, you 
talked about a community college being enough to get cyber 
education. Do you have a list of community colleges that offer 
that education now?
    Mr. Smith. I will see what we have.
    Mr. Correa. Do you know of any? Do you know of any?
    Mr. Smith. Oh yes.
    Mr. Correa. It is not a ``gotcha'' question. Are you 
showing us how far we have got to go?
    Mr. Smith. No, actually the community colleges of the 
country have created the kinds of courses that we need. They 
have become a much more common part of the curriculum. You 
know, we have a robust cybersecurity profession in the United 
States. We just need to make it larger. And so I think we can 
harness what exists and expand the capacity and basically make 
it financially easier for people to go get these courses and 
education.
    Ms. Norton. The gentleman's time has expired, and I thank 
the gentleman for his questions. Mr. Gimenez of Florida?
    [No response.]
    Ms. Norton. Mr. Gimenez of Florida, are you there?
    [No response.]
    Ms. Norton. You are recognized for five minutes.
    [No response.]
    Ms. Norton. You are recognized for five minutes. I see you, 
but I don't hear you.
    [No response.]
    Ms. Norton. I will go to the next person. Mr. Donalds of 
Florida.
    [No response.]
    Ms. Norton. Mr. Donalds, are you there?
    [No response.]
    Ms. Norton. Let us then go to Ms. Porter of where?
    Ms. Porter. I am from California, ma'am.
    Ms. Norton. All right. Ms. Porter of California. Sorry.
    Ms. Porter. Thank you so much. Mr. Ramakrishna, we are here 
today to talk about a major security breach. Why are security 
breaches a problem? Very briefly just in a few words, what are 
we worried about?
    Mr. Ramakrishna. They could impact people at a personal 
level through theft of credentials. They could impact companies 
with regards to breach of sensitive information and data, and 
they could impact----
    Ms. Porter. Wonderful. Mr. Ramakrishna, do you want to 
please provide your home address for the committee today and 
the American public?
    Mr. Ramakrishna. I am happy to provide it, Representative. 
I would like to take it down for the record and provide it offline.
    Ms. Porter. So, you don't want to share it with the whole 
world, like with Russia.
    Mr. Ramakrishna. Yes.
    Ms. Porter. So, you would agree that the information that 
got hacked is national security information that is damaging to 
national security implications. It could literally put lives at 
risk. You don't want to even give out your address, much less 
personal security information. What kind of legal liability is 
SolarWinds facing for this hack?
    Mr. Ramakrishna. Congresswoman Porter, we have our standard 
end user licensing agreements that we signed with every one of 
our customers, including our Federal customers, and we are 
bound by those.
    Ms. Porter. So, your customers can sue you? There is a law 
that makes you legally liable for this data breach.
    Mr. Ramakrishna. I do not have the details of it, 
Congresswoman. I am happy to find out those specifics from our 
teams and furnish them to you.
    Ms. Porter. OK. Mr. Ramakrishna, does this look familiar to 
you?
    Mr. Ramakrishna. Yes.
    Ms. Porter. ``SolarWinds123.'' Is it true that some servers 
at your company were secured with this Cracker Jack password, 
``SolarWinds123''?
    Mr. Ramakrishna. Congresswoman, I believe that was a 
password that an intern used on one of his GitHub servers back 
in 2017, which was reported to our security team and it was 
immediately removed. And that particular----
    Ms. Porter. Mr. Ramakrishna, reclaiming my time, I have got 
a stronger password than ``SolarWinds123'' to stop my kids from 
watching too much YouTube on their iPad. You and your company 
were supposed to be preventing the Russians from reading 
Defense Department emails. Do you agree that companies like 
yours should be held liable when they don't follow best 
practices? Yes or no.
    Mr. Ramakrishna. Congresswoman----
    Ms. Porter. Should there be a national breach law?
    Mr. Ramakrishna. We believe we take our security as well as 
the security of our customers very, very----
    Ms. Porter. Reclaiming my time, Mr. Ramakrishna. I am sure 
you take everything seriously. You seem like a very serious 
person. But I am asking you, should there be a breach law. 
Let's move on. Mr. Smith, should there be a law requiring 
companies to notify Federal law enforcement when they have had 
a cybersecurity breach, yes or no?
    Mr. Smith. Yes, I believe there should be a law that 
applies to some, and then we should decide who they notify. I 
am not sure it should be law enforcement. It could be an 
organization like CISA.
    Ms. Porter. Excellent. Mr. Smith, thank you for that. 
Earlier this week, you told the Senate Intelligence Committee 
that it took ``courage'' for FireEye and SolarWinds to reveal 
this hack to authorities. What did you mean by that?
    Mr. Smith. What I mean is you have three companies here 
today because we have chosen to share information. At 
Microsoft, we have published 32 blogs about what we observed 
and what we have seen. If I take my colleagues at Google and 
Amazon and put them together, they have published one blog. 
They didn't get an invitation here as a result.
    Ms. Porter. OK. So, Mr. Smith, I appreciate that, but you 
are not really saying we should give you some kind of Scout 
badge for telling the Federal Government that the Russians are 
waist deep in your source code. I mean----
    Mr. Smith. No, I did not ask for any kind of badge.
    Ms. Porter. Well, that is good because I am not going to 
give you one, so we are in agreement.
    Mr. Smith. I didn't think you would.
    Ms. Porter. Do engineers or people at Microsoft, to come 
forward and reveal these kinds of breaches, do they have 
protection? Can they do so without fear of retaliation?
    Mr. Smith. Within our company? It is their job to bring 
this kind of information----
    Ms. Porter. Is that true at every company, Mr. Smith? 
Should it be true at every company?
    Mr. Smith. I think it should be true at every company. Yes, 
I believe that.
    Ms. Porter. There should be whistleblower protection so 
that companies don't have to rely on corporate courage.
    Mr. Smith. Well, I think that you need whistleblower 
protection, but, more important than that, we need to pay more 
people to make it their mission in life, their job, to do this 
kind of threat hunting, find these kinds of problems, surface 
them so then companies can solve them.
    Ms. Porter. Thank you very much. My time has expired.
    Mr. Smith. Thank you.
    Ms. Norton. I thank the gentlewoman for her questions. I 
recognize Mr. Meijer of Michigan for five minutes.
    Mr. Meijer. Thank you, Madam Chair, and ranking member, and 
to our witnesses who are here today, and I just want to kind of 
echo my gratitude for actually stepping forward. I am not sure 
it is within our congressional prerogative to offer merit 
badges, but I just want to thank you. You know, on February 17, 
Deputy National Security Advisor for Cyber and Emerging 
Technology Anne Neuberger announced that hackers had launched 
the attack from obviously inside the United States using our 
own infrastructure. This is a question for the panel. Can you 
explain the unique challenges that are presented when we are 
having to mitigate the efforts of a foreign actor, but one that 
is using our own internal systems or domestic-based systems?
    Mr. Smith. Well, I will offer a couple of thoughts. We are 
in, like, hour five now, so we are sort of taking turns. You 
know, we have a well-established ability as a government, as a 
country through the National Security Agency to look at what is 
going on beyond our borders. You know, the question is, how do 
we take stock of what is going on inside the United States, 
especially when a foreign government can basically use a credit 
card and a false ID to get access to a server, you know, in the 
U.S. data center. It is not an easy problem to solve. I think 
we all would recognize we don't want to live in a country where 
there is, you know, extraordinary domestic surveillance, so we 
have to ask ourselves, well, how do we collect the information 
when there are these kinds of threats. And I think the first 
thing we should do is call on what I would hope would be, you 
know, sort of the loyalty of companies in the country to step 
forward voluntarily and share information.
    But clearly that is not sufficient. It is not doing the 
job. And so I think we should put in place a legal obligation 
that certainly applies to, you know, companies that are in the 
critical infrastructure business, people that are the first 
responders. At Microsoft, we are a first responder. That is why 
we would say we would recognize that it is reasonable for this 
kind of law to apply to us. That creates the data that goes to 
the government. There needs to be careful thought to how it is 
used, with whom it is shared, when it is shared back with 
others in the private sector.
    Mr. Meijer. Thank you, Mr. Smith. I would hope that, you 
know, that sense of shared collective self-interest, not 
necessarily originating from a patriotic impulse, but at least 
just an awareness and understanding that when we are dealing 
with cybersecurity, the contagion component of it is essential. 
I mean, we are obviously referring to this as the ``SolarWinds 
hack,'' and I know many have referred to it and are looking to 
kind of change that to ``Holiday Bear,'' you know, the shift of 
the name. The tainting of the reputation all too often goes 
toward those who are willing to acknowledge what had occurred 
and to share it rather than not. And I guess on that point, Mr. 
Ramakrishna, I guess if you can just put it simply, I mean, why 
did you come forward to testify today?
    Mr. Ramakrishna. Congressman, we believe it is our 
obligation to learn from incidents such as this and be an 
active participant in the recovery and the remediation. As we 
heard earlier today, we need to bounce forward from this, not 
so much bounce back only. So, we have taken our learnings very 
seriously and have created an initiative within our company 
that we are sharing very publicly, and so I considered it my 
obligation to be very active in the bouncing forward aspect of 
this.
    Mr. Meijer. Thank you. And then just one kind of, I guess, 
more specific question, Mr. Ramakrishna. You know, I think it 
was determined by analysts that 30 percent of the victims had 
no direct connection to SolarWinds, but were still targets of 
the broader campaign. Can you share, you know, what methods 
were used to arrive at this understanding and, I guess, why 
they weren't targeted in a separate effort, why they were 
targeted using the SolarWinds access?
    Mr. Ramakrishna. That is not a study that we conducted, so 
I don't really have the specifics as it relates to the numbers. 
But the way I would describe this is, as I engage with national 
defenders across the world--for instance, we have spoken to the 
U.K. Cybersecurity Center--and as we were discussing other 
matters with them, they said they are actively investigating 
other supply chain attacks within the U.K. and other places. A 
few days ago, a French company reported a supply chain attack 
as well, so the point here being, multiple different vectors 
are being used. SolarWinds was one of them, but there are many 
different ways that threat actors are coming into various 
systems.
    Earlier in the conversation today, I described the 
intruders as behaving like Transformer toys where they are 
changing their personalities and personas constantly, and that 
is the reason why I am urging all of us to share information as 
quickly as possible so we can together thwart these attacks.
    Mr. Meijer. Thank you, Madam Chairwoman. My time has 
expired.
    Ms. Norton. The gentleman's time has expired. I thank him 
for his questions. Mr. Gimenez of Florida.
    Mr. Gimenez. Thank you. I hope everybody can hear me now. 
Thank you so much. I have got a couple of questions. Mr. 
Ramakrishna, you said that you are an American-based company 
and you talk about the supply chain. When you are developing 
software, especially [inaudible], is it a bunch of people in a 
room developing 
the software, or do you, you know, sub that out to other parts 
of your supply chain, many of which could be offshore?
    Mr. Ramakrishna. Congressman, in this particular context, 
when we refer to supply chain, these are employees of ours that 
may be globally deployed. So, like many American companies, we 
have a global work force, and we have employees all over the 
world that contribute to the development of our software, which 
essentially is part of a supply chain that we deliver.
    Mr. Gimenez. Where in the supply chain was this malware 
embedded?
    Mr. Ramakrishna. It was on a platform which we call the 
Orion platform. That is a product of ours.
    Mr. Gimenez. No, I understand that, but where exactly? You 
said this software is developed from all around the world. 
Where was this malware embedded? Where did it come from?
    Mr. Ramakrishna. It is difficult for me to pinpoint a 
location, Congressman. This particular software is built in a 
combination of our various development centers, including in 
the U.S. and in non-U.S. locations.
    Mr. Gimenez. So, somebody got access to your software 
development platform?
    Mr. Ramakrishna. Basically, what has happened is somebody 
got access to one of our build servers and hid a piece of 
malware on it that was observing when products were being 
built. And as products were being built, in one particular 
file, they were able to replace that and keep it in the 
building process.
    Mr. Gimenez. Did you run the software through security 
checks before you introduced it into the general public?
    Mr. Ramakrishna. There are secured development practices 
that we had been adopting that were part of our standard 
software development processes, Congressman, which we have 
since learned on what else we can do. So, that is the 
initiative that I was describing earlier called Secure by 
Design.
    Mr. Gimenez. Mr. Smith, you said that everybody should 
adhere to best practices. Are you saying that those Federal 
agencies that were infected do not adhere to best practices?
    Mr. Smith. I don't want to speak to any specific Federal 
agency. I will say that across 60 customers, you know, we saw 
typically a failure in one area or another to adhere to best 
practices. You know, we saw, for example, that, you know, 
passwords or keys were not kept in a secure location. We saw 
that there wasn't a practice called least-privileged access 
where you really try to give an individual access to only a 
limited part of the network. We saw instances, you know, for 
example, where there might not have been the use of multi-
factor authentication. We definitely saw lapses which could 
have prevented the impact among certain customers of what 
happened.
    Mr. Gimenez. Thank you. I appreciate that. Would it be fair 
to say that China, Russia, North Korea, Iran are the major 
players in this cyberwar that we are engaged in?
    Mr. Smith. Well, at Microsoft, we publish what we call a 
security defense report--I am forgetting the precise name; it 
came out in September--and we catalogued all the nation-states, 
and all, except one nation-state actor, was from those four 
countries.
    Mr. Gimenez. From those four countries, right?
    Mr. Smith. Yes, that is right.
    Mr. Gimenez. OK. How would you gauge our United States 
offensive capabilities in cyberwarfare?
    Mr. Smith. I am definitely not the expert on that.
    Mr. Gimenez. Fair enough. OK. And, sir, at Microsoft, are 
you in China? Are you in Russia?
    Mr. Smith. We do have personnel in both countries, yes.
    Mr. Gimenez. In the Chinese subsidiary, are there Chinese 
interests that have an ownership stake in Microsoft?
    Mr. Smith. Not that I am aware of. We do certain work with 
joint ventures, but we operate through Microsoft Corporation 
and we operate through wholly owned subsidiaries. I am not 
aware of any other kind of structure.
    Mr. Gimenez. Because, I mean, I have been made aware that 
if you are doing business in China, they need to have 51 
percent ownership to do business in China. That doesn't apply 
to you?
    Mr. Smith. It certainly doesn't apply to Microsoft. I would 
want to go back. You know, it is a big company, and there are 
other companies we have acquired in recent years, and I would 
want to go back and look specifically at the ownership 
structure for each of those. We run through our own company.
    Ms. Norton. The gentleman----
    Mr. Gimenez. Thank you, Madam Chair. I know my time is up, 
and I yield my time.
    Ms. Norton. I thank the gentleman for his questions. Next 
would be Mr. Johnson of Georgia.
    Mr. Johnson. Thank you, Madam Chair.
    Ms. Norton. You may be muted, Mr. Johnson.
    [No response.]
    Ms. Norton. Mr. Johnson, can you hear me?
    [No response.]
    Ms. Norton. He may be having bandwidth problems. We may 
have to go on to another member while we wait for Mr. Johnson 
of Georgia, but just a moment, please, until I see who is next. 
Witnesses are in and out with votes, so it is difficult to know 
who is available. Just a moment, please.
    [Pause.]
    Ms. Norton. Let us take a five-minute recess to see if 
there are members available. I apologize to our witnesses, but 
with the rolling votes, we are having this difficulty seeing 
who is available, but we will be back in five minutes. Thank you.
    [Recess.]
    Ms. Norton. I believe Ms. Porter of California is 
available. Ms. Porter, you are recognized for five minutes.
    Ms. Porter. Thank you so much, Ms. Norton, but I don't see 
Mr. Smith in the hearing. Is he available?
    Ms. Norton. There he is.
    Ms. Porter. Thank you so much, Mr. Smith. I see you now. It 
seems like one of the takeaways from this hearing is that 
successful cyberattacks are really a matter of when, not if. 
When investigating a cyber breach, it is helpful for companies 
to have comprehensive logs to review so that they know who 
accessed what, what settings were changed, and so on. Is that 
right? Those logs can be helpful.
    Mr. Smith. Generally, logs can be helpful. That is correct.
    Ms. Porter. And it is the cloud companies like Microsoft 
who keep those logs. The attacker who first got into 
SolarWinds' network did so in September 2019. How long does 
Microsoft keep network logs for?
    Mr. Smith. Well, logs are kept in a variety of 
circumstances, and they are kept by all kinds of companies, and 
they are kept by IT administrators, so I cannot give you a 
specific----
    Ms. Porter. Mr. Smith, how long do you keep logs for at 
Microsoft?
    Mr. Smith. I don't know. I would have to go ask, you know, 
and it would depend on which service and the like.
    Ms. Porter. So, based on my information, what I understand 
is that the range is fairly short, something between seven days 
and 60 days, and it depends, as you just said yourself, on what 
services the client has purchased, they can purchase to keep 
the logs more as part of a package. Everyone on this panel has 
said that successful attacks are basically inevitable, but you 
didn't sell the DOD the logs that they would need to be able to 
fully assess the damage?
    Mr. Smith. Well, I think the premise of that question is a 
little bit off, to be honest. First of all, there was no 
indication, to my knowledge, that the DOD was attacked. Second, 
I don't know what the DOD has purchased, you know, from us. 
Third, I don't know how long the logs would go back, you know, 
for services that we do provide to the DOD.
    Ms. Porter. Mr. Smith, do you own a toaster?
    Mr. Smith. I sure do. I own one.
    Ms. Porter. When you use that toaster, do you expect it to 
catch fire?
    Mr. Smith. I sure as heck don't. No, I do not.
    Ms. Porter. So, imagine you were selling toasters, Mr. 
Smith, and you knew that toasters you were selling were going 
to explode 1 day. It was a matter of when, not if, but you sold 
those toasters anyway. What would happen to the company that 
you were running that sold those toasters?
    Mr. Smith. Well, look, we are not in the toaster business 
and we are not talking about toasters, but I would not want to 
work at a toaster company that had toasters that they knew were 
going to explode 1 day.
    Ms. Porter. Toaster companies are held--you are lawyers. 
You know the standard of strict liability. They are legally 
liable if they sell a product knowing that there is a 
likelihood that it will become defective or not work, if it 
doesn't have all the necessary safety features, for example. 
Why should Microsoft, or should Microsoft, let me ask you, be 
held to a similar liability standard, maybe not strict 
liability, but at least negligence, if you are selling server 
services and not selling sufficient logs as part of that in 
order to really do the work of stopping and identifying 
cyberbreaches?
    Mr. Smith. Well, let's separate two things. One, the 
specific, what logs are we providing, et cetera, that is a 
factual question that neither you nor I right now have the 
information about. I do take your broader question, and I think 
it is basically this: should companies be held to a duty of 
care? Should they be obliged to follow reasonable cybersecurity 
practices? Yes, we do, and I think it is important to recognize 
that every one of these hacks didn't take place in the cloud. 
They took place on premise, on the networks, in the server 
rooms of these customers. They were the ones that had the logs, 
not us, for those intrusions.
    Ms. Porter. OK. So, you would agree that we need a national 
breach law, some kind of standard that sets out what the 
standard of care is, and that if you don't follow the standard 
of care, you could be held liable.
    Mr. Smith. Well, I would separate that from what I actually 
think is the most important issue in this hearing, which is, 
for certain companies, first responders, critical 
infrastructure providers, to let the government know whenever 
there is an attack. This is more like letting 9-1-1 know that 
someone has broken into a house. It doesn't matter whether a 
duty of care was followed or not. There is a burglar in the 
house. We need to go, you know, send the police to get them 
out.
    Ms. Porter. So, but, Mr. Smith, reclaiming my time. If we 
want people to do that notification, to make that 9-1-1 call, 
do you support whistleblower protection for employees who make 
those disclosures?
    Mr. Smith. Look, I haven't thought about that. I would be 
happy to think about it. I don't think you need whistleblower 
protection. We just need to create a system that puts the 
obligation on the companies themselves that have this 
information, and I think if that obligation is in place, other 
companies will follow. Look, we at Microsoft have been 
reporting this kind of information sharing. We have been 
publishing blogs without any legal duty to do so.
    Ms. Norton. The gentlelady's time has expired. I believe 
she was able to speak again because somebody yielded her time 
to speak again. I want people to understand that. I call on Mr. 
Garbarino of New York. You have five minutes, Mr. Garbarino.
    Mr. Garbarino. Thank you very much, Madam Chairwoman. To 
the two witnesses from SolarWinds, the committee is concerned 
that many of the current governmental procurement certification 
regimes are only check-the-box exercises and don't actually buy 
down risk. Can you discuss the various certification regimes 
that SolarWinds products were required to meet in order to be 
put on the GSA scale and made available to government 
agencies? Either Mr. Thompson or Mr. Ramakrishna.
    Mr. Ramakrishna. Sorry. Go ahead----
    Mr. Thompson. No, go ahead, Sudhakar.
    Mr. Ramakrishna. Congressman, we comply to the standards 
that we have to comply to to ensure that the Federal Government 
can deploy our products. For instance, the FIPS certifications 
are required by the government and we comply to those. So, as 
it relates to Federal agencies, their compliance requirements, 
we have conformance working with our partners and directly with 
our customers themselves across the board. If you would like a 
full list of our compliance certificates, I am happy to furnish 
them to you as well.
    Mr. Garbarino. Well, what were you required to do? What was 
SolarWinds required to go through in order to be put on the 
list? What is GSA requiring? You know, is it enough? Should 
they require more before something can be made available to 
government agencies?
    Mr. Ramakrishna. To the best of my understanding, it is not 
so much a set of requirements that need to be added. Coming 
back to the issue at hand, I would doubt if more specification 
may have helped this particular case as much as an 
understanding of how these supply chain attacks are evolving, 
and for us as the private sector to take corrective steps and 
learnings from this experience and implement them and obviously 
pass that on from a software development and a secure 
development standpoint as well. To me, it does not appear to be 
a requirements thing at this point.
    Mr. Garbarino. OK. Mr. Thompson, anything additional?
    Mr. Thompson. The only thing I would add is that different 
areas of the Federal Government require different levels of 
certification, and in every area of the Federal Government 
where we were allowed to sell, we had the required 
certifications. Whether that was COE, whether that was APL, 
Common Criteria, we had the required certifications. But I 
would agree with Sudhakar. Some of those certifications, while 
they do have security testing requirements that our products 
went through, and I think that that helps to ensure the 
security of the products, I think as you think about this 
particular breach and what happened, I don't think those 
certification requirements are designed to capture something 
like this.
    Mr. Garbarino. OK. So, is it fair to say we should now 
update to try to address it so this doesn't happen again or so other 
things don't happen again?
    Mr. Thompson. Yes, I think that is a good question for CISA 
to ask them in terms of what could be done because I don't 
really have all the answers there. But I do think we have to 
think about together, private and public sector, how do we 
work together more closely to make sure products are secure. 
And a lot of the panelists have talked about how do we share 
information very, very quickly so we can address issues as they 
occur, because nation-states will come up with new vectors of 
attack. They will come up with a new one tomorrow, and they 
will come up with a new one the day after, and the only way to 
protect ourselves is to let everyone know what those vectors 
are so that we can respond to them.
    Mr. Garbarino. I appreciate that. Thank you. Mr. Smith, a 
question for you. Can you help the committee understand 
Microsoft's statement: ``We found no evidence of access to 
production services or customer data. The investigation also 
found no indications that our systems at Microsoft were used to 
attack others.'' What exactly are you saying here? Can you help 
us understand what did and didn't happen in your view? In your 
testimony on Tuesday, you mentioned that some Office 365 
accounts were compromised through simple password guesses and 
sprays. How were the other accounts compromised?
    Mr. Smith. Sure. Well, what that statement says is three 
things. It says that our build systems were secure and they 
were not penetrated in any way, that we had no customer data 
that was touched in any way, and that we found no evidence that 
any of our services or products were used as a vector of attack 
to launch an attack against anyone else. What we did find in 
certain instances was once this intruder was inside a network 
of, say, a customer, you know, say a Federal agency, one of the 
things it was able to do was get access to an account that had 
what we call elevated privileges, like an IT administrator. It 
was able to find the password or get the key to get into that 
account. When it was in that account, they found that that 
individual had access, say, to the Office 365 email of a 
portion or all of several customers. And so once they were 
there, then they went into the Office 365 cloud service and 
that is when we identified their presence.
    Ms. Norton. The gentleman----
    Mr. Garbarino. Thank you very much. I yield back.
    Ms. Norton. The gentleman's time has expired. I thank him 
for his questions. I recognize Mr. Johnson of Georgia.
    Mr. Johnson. Thank you. Can you hear me now, Madam Chair?
    Ms. Norton. I can, and you are recognized for five minutes.
    Mr. Johnson. Thank you. Technology advancements have 
created a world that looks unrecognizable compared to our lives 
just 30 short years ago, but Americans have grown accustomed to 
these changes. They have adapted. The average person not only 
may not understand the nuts and bolts of technology, but they 
do understand the risk of not being careful with it. Many of us 
use two-point authentication for our email, a third of 
Americans change their passwords annually, and we all know 
better than to make our passwords ``JohnSmith123.'' Companies 
that work with millions of individuals' personally identifiable 
information should be held to a high standard that at least 
reflects what ordinary people employ in their day-to-day 
affairs using technology.
    The SolarWinds preparedness and response to this hack were, 
at best, incredibly negligent and, at worst, criminal. And 
unfortunately we have seen a lot of data breaches that have 
dealt with the lack of protection for sensitive data. 
Hospitals, governments, county and local governments have been 
held hostage, hospitals, even government agencies. I believe 
eight or nine government agencies using SolarWinds software 
were able to be hacked into. Mr. Mandia, why was the SolarWinds 
breach so dangerous to our national security?
    Mr. Mandia. Well, that is a great question. First, I would 
like to comment that even if you are compliant, and almost 
every one of the 1,000 victims we respond to every year are, I 
am not convinced compliance in any standard regulation or 
legislation is going to stop a Russian foreign intelligence 
service from successfully breaching an organization, which is 
what happened here. The reason that the breach that we are 
describing was so entrenched is the fact that it was 
surreptitious and clandestine for nine months, and the threat 
actor behind it looks to be a foreign intelligence service. 
That is why. I don't think it impacts the general consumer that 
goes home every day. They are not thinking about this, but the 
government agencies that were impacted and the companies 
impacted are thinking about it. So, I think----
    Mr. Johnson. Well, what can our enemies who hacked into our 
national data base, what can they do with the information that 
they obtained, or what is possible that they could do with that 
information?
    Mr. Mandia. That is going to be one of the most complex 
questions to answer in this, sir, is that emails and documents 
were taken, and, quite frankly, the people targeted, all that 
information that was taken, I believe the threat actor is still 
learning how they can use that information. It is going to 
emerge over years, and it is going to take months and months 
for organizations to get their arms around all the possible 
uses of the stolen documents. You know, this breach, to me, 
from what I can observe, and I was a first-hand victim of it, 
wasn't about stealing the information of consumers' PII. This 
is about stealing documents that were relevant to the 
collection requirements of another nation.
    Mr. Johnson. Well, it is national security secrets that can 
affect the lives and indeed the freedom of Americans and the 
safety of Americans, the physical well-being of Americans. 
Isn't that correct?
    Mr. Mandia. What can happen from this breach is yet to be 
told. Each victim had a different----
    Mr. Johnson. A lot of damage to our national security could 
have been done and probably was done as a result of this 
breach. What standard should we build for our most precious 
infrastructure, like our voting systems, our hospitals, our 
electricity grids, our government secrets? What kind of 
national standards should there be in place to protect those 
secrets and guard against successful attacks like this one that 
are bound to occur in the future?
    Mr. Mandia. That is the question for me. You know, when you 
think about modern cyberdefense, first and foremost, every 
airplane has a data flight recorder. Overall, if you capture 
everything all the time, which is very hard to do, mind you, 
with encryption and other things, but it is always good to have 
something there that recorded everything in case something gets 
missed. Modern cyberdefense is going to take learning systems--
AI--and it is going to take machine learning, and it is going 
to take expertise on the frontlines constantly being automated 
by systems. We are going through that transformation, sir, now 
in the industry. The bottom line is we can't have stagnant 
defense. We have to have defense that evolves at computer 
speed, not the signatures of yesterday, but the AI of tomorrow.
    Mr. Johnson. Thank you. I yield back.
    Ms. Norton. The gentleman's time has expired. I thank him 
for his questions. Mrs. Cammack of Florida.
    Mrs. Cammack. Thank you so much, Madam Chair. Good 
afternoon. Thank you to our witnesses for hanging in there. I 
know it has been a lengthy day, but I do appreciate your candid 
comments and your patience as we work through this. Just a few 
weeks ago, the Homeland Security hearing that we had, we looked 
at cybersecurity threats facing our Nation today and how we 
must improve our resilience in this area. The SolarWinds attack 
was one of the issues discussed in that hearing, so I am very 
glad that you are all with us here today to discuss this again.
    As you all know, cybersecurity is only growing in 
importance for our national security as more of our everyday 
lives move into a cyber world, such as committee hearings. 
Normal operations for areas ranging from critical 
infrastructure to consumer products are all moving to 
cyberspace, especially in the wake of the COVID-19 pandemic. 
This shift simultaneously exposes all of these operations to 
greater cybersecurity threats. So, I want to focus now on the 
relationship between the Federal Government and the private 
sector with regards to cybersecurity. In this area, 
cybersecurity is a unique landscape for private/public 
partnerships in information sharing and collaboration, which 
depends on mutual coordination. All levels of government and 
the private sector are targets now for our adversaries, non-
state actors, and several of you have touched on the need for a 
national strategy to share intelligence between government and 
U.S. businesses.
    So, I want to open this up to the panel. You all have 
touched on the importance of intelligence sharing between the 
public and private sector moving forward and the barriers in 
this area. So, in short, how can we make this information 
sharing easier for businesses, but also for government? What 
concrete steps can we take as legislators to facilitate this 
process? And I will start with Mr. Brad Smith with Microsoft.
    Mr. Smith. No, it is a really important question, and I 
think, to some degree, it starts with identifying who needs to 
report, what they need to report, to whom they need to report 
it, and how. I do think one thing that is worth touching upon 
that we really haven't perhaps talked about at this hearing is 
the critical need to enable people who have this information to 
report it easily and in a streamlined manner, because we are 
acting as the first responders. And, in a sense, when an 
incident is unfolding, you know, we are fighting a fire, and 
you don't want to take people away from the fire so they are 
filling out a lot of forms and doing things that are going to 
detract from their ability to respond. So, I would hope that 
one design principle that would be built into this would be the 
need to do it simply, efficiently, and in a manner that is 
sensitive to the work that is needed while an incident is 
unfolding.
    Mrs. Cammack. Excellent. Thank you, Mr. Smith. And as you 
know, government is not known for their efficiency or their 
ability for data bases across agencies to talk to one another, 
so I appreciate your comments and actually would love to 
follow up with you at a later time, but I am short on time. So, 
Kevin, can you elaborate on that a bit?
    Mr. Mandia. Yes, I think Mr. Smith got it right. I would 
add to it the confidentiality of it. If it is not confidential 
threat intelligence sharing, people are going to be worried 
about the liabilities to it, period. And, by the way, whether 
you did everything right on security or everything wrong, 
everybody's security program, to some extent, is a Maginot 
Line, period. And what we have learned with this one is hacking 
the supply chain was the blitzkrieg around the Maginot Line in 
the United States, so we will widen the line. We will broaden 
it. We will create our learning systems. Tech is getting better 
every single day. But whether somebody deserves to be 
compromised or not, however people interpret that, it takes 
time to figure out what you lost, so that confidentiality of 
the threat intelligence data sharing is critical.
    Mrs. Cammack. Excellent. Thank you. I have got about a 
minute remaining, so really quickly, and again, I will open 
this up to the panel. What specific supply chain 
vulnerabilities should be addressed to limit exposure to these 
threats that we are seeing in cyberspace? Total free-for-all. 
Go for it.
    Mr. Ramakrishna. I would be happy to start on this one 
because we are in a unique position to apply our learnings to 
the broader industry here. And we have defined some very 
specific things that need to be done in the context of secure 
software development as it relates to the supply chain issues 
that we discussed in this hearing, and we plan to publish those 
as well. It is not one specific thing that may impact the 
supply chain, and we need to look at it holistically across the 
build environments, and also stress test our methodologies to 
date of delivering integrity in software and improve those. I 
am happy to share the details of those. We have published 
those, but we will share more details with you offline.
    Mrs. Cammack. I appreciate that. Thank you so much. And I 
know I am out of time, so with that, I yield back. Thank you.
    Ms. Norton. I thank the gentlelady for her questions. Ms. 
Barragan of California.
    Ms. Barragan. Thank you, Madam Chairwoman, for holding this 
very important hearing. Mr. Smith, Microsoft has stated that it 
has spent over $1 billion in security investments annually, but 
you recently also stated in an interview with the New York 
Times that you first learned of the attack when you were 
contacted by FireEye. How did Microsoft miss this attack, and 
how can customers like the U.S. Government trust Microsoft to 
uncover future vulnerabilities when Microsoft missed the worst 
intrusion of U.S. Government agencies, as quoted by Reuters?
    Mr. Smith. Well, I think to put it in its simplest terms, 
all 60 of the Microsoft customers who were attacked had their 
networks penetrated on premise, meaning in their server room in 
their building. It was not in our cloud services. It is like, 
you know, if someone broke into your house, but not my house, I 
would not know until you told me, or, in this case, what they 
did was they went into your house, they found the keys, the 
passwords, so that they could go into the service in the cloud. 
Once they got that, once they stole your keys, once they 
entered our cloud service, we saw them, and then we called you, 
and we said, ``Did you know that they are in your house? Did 
you know that they have stolen your keys? Did you know that 
they have now entered the service that we can see, and did you 
know that, unlike AWS, unlike even, I think, Google, at 
Microsoft we let you know as soon as we find out that someone 
has penetrated your network?'' And it doesn't matter whether it 
had anything to do with our service.
    Ms. Barragan. Well then, Mr. Smith, if it had nothing to do 
with Microsoft, what did the billion dollars that you spent go 
to?
    Mr. Smith. Oh, it goes to better technology to protect the 
Microsoft products that you use. It goes to the Microsoft 
Threat Intelligence Center so that we can find these kinds of 
services. It goes to the Microsoft Detection and Response Team. 
It goes to the Microsoft Digital Crimes Unit. It goes to all 
the work that we do to protect the cybersecurity of our 
customers, of this country, and of the other countries that we 
support. And believe me, the billion dollars a year, that is 
just scratching the surface. We spend more than that every 
year.
    Ms. Barragan. Thank you, Mr. Smith. You know, I represent 
the Port of Los Angeles, and cybersecurity is very important, 
and one disturbing fact from this breach is that Microsoft and 
FireEye products and services exist in most organizations. This 
breach and security could happen to the many thousands of other 
entities that utilize the software. Mr. Smith, you are now 
saying, ``It wasn't us, it was somebody else,'' and so it kind 
of begs the question, you know, what have Microsoft and FireEye 
done to ensure that source codes are not compromised?
    Mr. Smith. Well, we do work every day to protect every 
aspect of cybersecurity. The first thing I would say is, 
fundamentally, cybersecurity today does not turn on the secrecy 
of source code. Most source code is published. It is in open-
source form, and even when a company like ours uses source code 
that isn't published publicly, we make it widely available, so 
there are a wide variety of other practices that are critical 
for cybersecurity. And I think the message for the Port of Los 
Angeles----
    Ms. Barragan. OK. Mr. Smith, I don't want to interrupt you. 
I do want to give a chance for Mr. Mandia to chime in here. Has 
FireEye done anything to ensure that the source codes are 
not compromised? Given Mr. Smith's answer, I don't think I got 
one to the source code question. Do you have anything to add on 
this?
    Mr. Mandia. Yes, in our intrusion, the primary focus from 
this attacker was all about the documents and the 
communications of folks that did work for the U.S. Government, 
and our red team tools, which do proactive security 
assessments. We, like many companies, do everything we can to 
safeguard all our information, not just our source code, but 
our email and everything else.
    And I would like to remind folks that this was a foreign 
intelligence service that hacked into 17,000 different 
organizations. I would ask the Members of Congress to think, is 
it reasonable for our companies to defend themselves from a 
foreign intelligence service, is that the bar that we want to 
set for this Nation's private sector?
    Ms. Barragan. Well, thank you. It is important that we find 
out what happened, and where the issue is, and what we can do 
because, as Congress, we need to ensure that we are finding out 
that information to say, hey, something needs to be fixed, 
something needs to be done better. Sure, we are going to have 
those outside threats, but we also need to look to see where it 
went wrong. And I appreciate the discussion today and look 
forward to working with everybody to make sure we are able to 
secure, you know, the software and our agency data. With that, 
Madam Chairwoman, I yield back.
    Ms. Norton. The gentlelady's time has expired. Ms. Pfluger 
of Texas. I recognize Ms. Pfluger of Texas for five minutes.
    Mr. Pfluger. Thank you, Madam Chairwoman. Thanks for the----
    Ms. Norton. I am sorry. Mr. Pfluger.
    Mr. Pfluger. That is OK. I don't take offense to that right 
at this second. Thank you very much. You know, thank you all 
for a good discussion on this. As a military officer for two 
decades, you know, protecting every single piece of your 
architecture obviously is very, very difficult. I do want to 
talk a little bit, however, about our national strategy, and 
specifically I want to take it back to my own home district 
where we have a Cyber Center of Excellence that is in 
development at one of the universities, Angelo State 
University, led by a former general officer in the Air Force, 
Ronnie Hawkins, who is doing amazing things in a Hispanic-
serving institution, minority-serving institution in a very 
rural part of our country. So, I would like you from the 
corporate side to comment on what role education plays in our 
national strategy to make sure that we have the right people 
that are learning the skills that they need to learn to enter 
the work force and be a part of cybersecurity. So, we will just 
go down the line and start with Mr. Smith.
    Mr. Smith. Well, I would say two things. First, I think the 
kind of initiative that you have recently pursued at Angelo 
State points the way for the role that a number of colleges and 
universities and community colleges can play, you know. So, 
what you have been doing there around the cybersecurity 
intelligence program, I think it can be built and expanded and 
help us get the cybersecurity work force the Nation needs. The 
other thing I would point to is this extraordinary resource 
that we have as a Nation in terms of veterans coming out of the 
military every year. You know, every year there are about 
200,000 people who leave the military. They enter the private 
work force.
    One of the things that we have done at Microsoft is create, 
in partnership with the Department of Defense, what we call the 
Microsoft Software and Systems Academy. And so it has already 
worked with more than 2,000 individuals leaving the military. 
We have worked with partners across the industry. We provide 
education in the last couple of months, say, of somebody's tour 
of duty, and it guarantees an individual a job interview, a job 
interview with one of 600 partners that we have brought 
together. So, that is another way, I think, to add to the 
cybersecurity work force of the country.
    Mr. Pfluger. Thank you very much. Mr. Ramakrishna, do you 
have any thoughts on whether or not you believe that our 
college graduates, are we resource limited right now on the 
number of graduates who have the requisite skills?
    Mr. Ramakrishna. Congressman Pfluger, first of all, I hope 
everyone in your family and your community is safe given the 
events in Texas. Related to your question, I would say that 
looking at only college grads in this context is restrictive. I 
was mentioning earlier that the internet has to be made more 
available to every child, every person that is interested in 
learning and accessing, especially focused on inner-city kids 
and socioeconomically backward populations, because there is a 
lot of talent in those circles that need to be unleashed and 
exposed to these types of topics so that we can have a more 
aware and a more diverse work force and a set of people that 
can be brought into society at a higher level from a capability 
and contribution perspective. I think that is our contribution 
or our responsibility as private sectors as well.
    One specific thing that I would like to offer up there is 
that as the government facilitates those, as part of the 
private sector, we could have a buddy system that we could 
provide to some of those young children to give them better 
exposure to these technologies and techniques, get them into 
internships and potentially into employment as well, and not 
hold the degree requirements on them because not everybody may 
be able to, or be able to afford, to go to colleges.
    Mr. Pfluger. Thank you very much. I appreciate that, and I 
also want to make sure that we acknowledge the fact that access 
to internet in the form of rural broadband is extremely 
important in communities like mine that may not have that 
ability. Very quickly, 30 seconds, Mr. Thompson, your thoughts 
on this issue?
    Mr. Thompson. One of the challenges that we have had in the 
past, we have tried to work with colleges and universities on 
different programs to provide skill sets that we are in 
shortage of in the technology field in the United States. I 
think one of the challenges we had is just the speed at which 
colleges and universities can move. Getting them to add a new 
program because of the bureaucracy they have to go through is 
quite a lengthy process. So, I think if we can find a way to 
accelerate that and let them develop a cybersecurity training 
program or a data intelligence program, we need to do that 
quickly to be able to get more sophisticated workers in the 
work force to help solve these problems.
    Mr. Pfluger. Thank you very much, and with that, I yield 
back. Thank you.
    Ms. Norton. The gentleman's time has expired. I thank him 
for his questions. Next would be Ms. Bush of Missouri.
    Ms. Bush. Thank you, Chairs Maloney and Thompson, for 
convening this hearing, and I want to start off. So, the number 
of SolarWinds customers who were potentially affected in this 
attack, it is extremely concerning. At least 18,000 customers 
downloaded this malicious update to the SolarWinds product that 
infiltrated their devices. One concern coming out of the 
SolarWinds hack is that the attackers could use the foothold 
that they gained inside these companies and these agencies to 
then access other companies and, in turn, people. As we have 
been discussing, the risk is not theoretical. Mr. Mandia, as I 
understand it, FireEye first disclosed the breach. Chairman 
Thompson and others have mentioned that cyberbreach 
notification legislation is urgently needed, and we see that, 
but I want to be sure I understand. Were you required by law to 
do so, to disclose?
    Mr. Mandia. Right now, ma'am, most of the disclosure laws 
protect the personal identifiable information of American 
citizens, which is not something that we lost. So by law, we 
weren't, but I just want folks to know that literally within 
the first 36 to 48 hours, we were telling our government 
customers we have got a challenge here. We call it Ring Zero. 
Who do you go to first when you know there is something? As I 
was first briefed on the intrusion into FireEye, I recognized I 
doubt we were the first pick. And, in fact, the number in my 
head was we are probably the 40th organization compromised by 
this group, so who else is at risk. We did go to the intel 
communities. We did go to the DOD. We did go to CISA. Long 
before we went public with public disclosure, we were working 
with the U.S. Government.
    Ms. Bush. So, do you think that you should be required by 
law to do so?
    Mr. Mandia. I think if you are a first responder, like we 
are, to intrusions, because we recognized right away, you know, 
we are set up for this sort of thing, and it happened to us. 
You know, I took the oath to defend the Constitution of the United 
States, you know, I think 30 years ago. It just hits you. I 
didn't even want the government to communicate with me at that 
point. I didn't know the scope and scale of this. But I think 
for first responders, absolutely getting the threat 
intelligence, because at the time we were telling people about 
it, ma'am, we really didn't know what had happened other than 
something had happened. But that was enough that we had to tell 
the government entities that we work with.
    Ms. Bush. So, the answer is no basically. So, would you 
say----
    Mr. Mandia. Yes, we didn't have a legal disclosure to, but 
we felt an obligation to.
    Ms. Bush. OK. So now, would you say anything has changed 
since the hack that would make us trust private companies like 
SolarWinds more now?
    Mr. Mandia. Well, I think when you see a breach like this, 
you don't want the attacker to win twice once they broke in. 
Well, actually, it would be three times. They broke into 
SolarWinds. They had what looks to be a very successful deep 
blast zone type of cyberespionage campaign, and then they 
harmed American companies both in shareholder lawsuits, 
liabilities, and investigations. It is like a trifecta for the 
adversary against us.
    Ms. Bush. Yes.
    Mr. Mandia. So, we got to think of a way where we play team 
ball as a Nation where we all come together. And I do believe 
the fastest thing we can do, we have been talking about a lot 
today, ma'am, get the threat intelligence into an agency in the 
government, and then from there it gets pushed out to the 
security community so we can go shields-up a lot faster. Best 
we can do, ma'am, is maybe somebody is a victim, but we are all 
as secure as the very last victim in cybercrime.
    Ms. Bush. Thank you. Given that this hack has been traced 
back from many months, it may be possible that other companies 
knew about this and didn't tell anyone because they didn't have 
to. So, Mr. Smith, are you aware of any other companies that 
may have known about this breach and did not report it?
    Mr. Smith. We notified 60 Microsoft customers, and we have 
said that 50 percent of those, so call it 30, are 
communications and technology firms. And we provided that 
information first to them, so we told them, and we have shared 
that information to the government. But most of those companies 
have not disclosed publicly that they were attacked in this 
way. And, in fact, you have other companies, some of the 
largest companies in our industry, that are well known to have 
been involved in this that still have not spoken publicly about 
what they know. There is no indication that they even informed 
customers, and I am worried that, to some degree, some other 
customers or some other companies, some of our competitors even 
just didn't look very hard. If you don't look, you won't find, 
and you will go to bed every night being blissfully ignorant 
thinking you don't have a problem when, in fact, you do.
    Ms. Bush. Thank you, and I yield back.
    Ms. Norton. The gentlewoman's time has expired. I am 
passing it over now to Ms. Porter to continue to chair the 
committee.
    Ms. Porter. Thank you, Ms. Norton. I am going to hand it 
back to you. I believe we have no more members to recognize. 
Does anyone else wish to be recognized?
    Ms. Norton. Well, we have been here for a long time, and 
unless someone speaks up with this double hearing, of this 
hearing involving two committees, I am about to sign off and 
thank our witnesses for testifying. I find members who had to 
come back and forth, but it looks like we have reached the 
limit of members who wish to testify. I want to thank the 
witnesses again, and at this point----
    Ms. Porter. Ms. Norton?
    Ms. Norton. Yes? Yes, indeed, Ms. Porter.
    Ms. Porter. I see that my colleague, Mr. Torres, has 
joined.
    Ms. Norton. Ms. Porter, will you take over the hearing from 
here?
    Ms. Porter. Yes, ma'am.
    Ms. Norton. All right.
    Ms. Porter. [Presiding.] Mr. Torres, the gentleman from New 
York, is now recognized.
    Mr. Torres. Thank you, Madam Chair. I have a question for 
the new CEO of SolarWinds. Has your company conducted a post-
mortem of what went wrong, the mistakes that your company might 
have made, and the lessons learned from those mistakes?
    Mr. Ramakrishna. Congressman, thank you for the questions. 
As I came into the company, given my cybersecurity experience 
from previous companies and having had to deal with cyber 
incidents in the past, I had to first look at our cyber hygiene 
and cybersecurity posture as well as our cybersecurity 
investments. As Mr. Thompson highlighted previously, this did 
not appear to be or does not appear to be an investment issue. 
We spent enough on cybersecurity, in fact, more than the 
average company----
    Mr. Torres. Just in the interest of time constraints, so 
you have done a post-mortem, but in your judgments, do you 
believe your company made mistakes? Yes or no.
    Mr. Ramakrishna. I think there are opportunities to 
improve, Congressman.
    Mr. Torres. It is a straightforward question. I am a 
straightforward person. It is a straightforward question. Did 
you make mistakes? Yes or no. You can say no, but----
    Mr. Ramakrishna. We all make mistakes and----
    Mr. Torres. OK. You made mistakes. Tell me, what mistakes 
did you make?
    Mr. Ramakrishna. As I look at what we have done in the 
past, and I am looking at it from the standpoint of where we go 
from here. I haven't looked at specifically----
    Mr. Torres. We have to learn from past mistakes in order to 
know how to move forward so----
    Mr. Ramakrishna. Yes.
    Mr. Torres. We want concrete examples. Is it true that 
SolarWinds had no chief information security officer in the 
lead-up to the SolarWinds breach?
    Mr. Ramakrishna. So, the way we have organized ourselves is 
that instead of calling the person a chief information security 
officer, we call him a VP of security for a very specific 
reason. Instead of looking at only infrastructure security, 
that person is also responsible for looking at product 
security. That way we are able to get the best of both worlds 
and help us all build products as well as take care of our 
infrastructure. So, it is a----
    Mr. Torres. So, I just want to be clear, you had a VP for 
security in the lead-up to the SolarWinds breach?
    Mr. Ramakrishna. Absolutely, and we have had it since 2017.
    Mr. Torres. You know, so here is the concern I have. The 
cybersecurity failure of SolarWinds led to a supply chain 
breach that compromised nine Federal agencies. It is arguably 
the greatest cybersecurity failure in the history of the United 
States, and your company is at the heart of it. Given the 
seismic nature of that cybersecurity failure, can your company 
be trusted to ever do business with the Federal Government?
    Mr. Ramakrishna. Congressman, we take the security and 
protection of our customers very, very seriously. This 
particular issue was much more than just SolarWinds. It was a 
very sophisticated nation-state attack, as we have been 
discussing here. It has got very little relevance to a security 
hygiene of a particular company or the security investments of 
a particular company. It was a coordinated, patient, persistent 
attack that neither one company, no matter how large it is or how 
many resources it is deploying, or one Federal Government 
agency is able to coordinate it, which is the subject of 
today's hearing that we came here to apply our learnings and 
contribute our learning.
    Mr. Torres. I am going to move on. So, I have a question 
for FireEye. FireEye managed to do something that the entire 
cybersecurity apparatus of the Federal Government failed to do. 
You detected SolarWinds. So, my question for the CEO of 
FireEye, what does the Federal Government need to do to be more 
effective at detecting breaches like SolarWinds?
    Mr. Mandia. Well, I think, first, it is team ball. You 
know, we had talked about the area of responsibility for some 
of the best capabilities we have, like the NSA's, outside of 
the Nation. All the fingerprints of this attack actually were 
inside the Nation. So, you have to expect that the government 
is going to detect some things, the private sector is going to 
detect some things, hence, all the dialog, sir, to bring it to 
one entity that has got purview into both sides of the fence.
    I think the government was catching a whiff of it. They 
were seeing streams of smoke because when I started talking to 
government agencies, no one was surprised. They were starting 
to go, oh, I get it. We were all piecing together the same 
crime scene, but we all had different pieces of evidence. It 
took us finding the SolarWinds implant and Microsoft's help 
from the top down, cloud down, looking to start scoping this 
thing.
    Mr. Torres. I just want to squeeze this in because we have 
the EINSTEIN system, which operates on a data base of known 
cyber threats, right?
    Mr. Mandia. Yes, right.
    Mr. Torres. Do you have technology that is effective at 
detecting anomalous threats that could benefit the Federal 
Government----
    Mr. Mandia. We do, and there is a lot of other technologies 
that do as well, but the problem was, you have to have a little 
bit more visibility than that. So, there were blips on the 
radar, sir, but nobody could tell what they meant without more 
context. The implant, when we found that, that was kind of the 
homerun for context and everybody went ``aha.'' That was the 
eureka moment.
    Mr. Torres. Thank you. Thank you, Madam Chair.
    Ms. Porter. Thank you, sir. With that, I want to thank our 
panelists for their remarks, and I want to commend my 
colleagues for participating in this important hearing.
    With that, without objection, all members will have five 
legislative days within which to submit additional written 
questions for the witnesses to the chair, which will be 
forwarded to the witnesses for their response. I ask our 
witnesses to please respond as promptly as you are able.
    Ms. Porter. This hearing is adjourned.
    [Whereupon, at 2:01 p.m., the committee was adjourned.]