Microsoft President Brad Smith: SolarWinds Attack Violated ‘Norms And Rules’ Of Government Activities

In keynote remarks at CES 2021, Smith slammed the Russia-linked breach as an ‘indiscriminate global assault on the tech supply chain’ and called on world governments to be held ‘to a higher standard.’

Microsoft President Brad Smith called on governments to be held “to a higher standard” in the wake of the widespread cyberattack stemming from the breach of SolarWinds Orion, which federal officials have attributed to Russian intelligence efforts.

“Governments have spied on each other for centuries. It would be naive to think or even ask them to stop,” Smith said in a pre-recorded keynote address at the digital CES 2021 conference Wednesday. “But we’ve long lived in a world where there were norms and rules that created expectations about what was appropriate and what was not. And what happened with SolarWinds was not.”

[Related: Hackers Compromise Mimecast Certificate For Microsoft Authentication]

Sponsored post

Redmond, Wash.-based Microsoft is among the companies that have been ensnared in the colossal U.S. government attack that leveraged the SolarWinds Orion network monitoring platform.

An estimated 18,000 organizations installed malicious SolarWinds Orion code into their network, and the hacking campaign has involved U.S. agencies including the Departments of Defense, Commerce, State, Energy and Homeland Security.

Microsoft disclosed Dec. 31 that an account compromised by the hackers had been used to view source code in a number of source code repositories, but none of the code itself was altered. Meanwhile, CrowdStrike has disclosed that the hackers had attempted to breach the company through a Microsoft reseller’s Azure account but were ultimately unsuccessful.

The SolarWinds hacking campaign is believed to have been carried out by the Russian foreign intelligence service, or APT29.

Smith said the attacks raise questions about what sort of “rules of the road” are “going to guide us all as a planet” going forward.

With SolarWinds, “this wasn’t a case of one nation simply trying to spy on or hack its way into a computer network of another. It was a mass indiscriminate global assault on the technology supply chain that all of us are responsible for protecting,” Smith said in his remarks at CES 2021.

“It represented a vector of attack that first distributed roughly 18,000 packages of malware on organizational networks, literally around the world,” he said. “It is a danger that the world cannot afford.”

Ultimately, Smith said, “we need to come together as an industry and we need to use our collective voice to say to every government around the world that this kind of supply chain disruption is not something that any government or any company should be allowed to pursue.”

Hackers first accessed SolarWinds in September 2019 and went out of their way to avoid being detected by the company’s software development and build teams, the new CEO of SolarWinds, Sudhakar Ramakrishna, said this week.

The attack “appears to be one of the most complex and sophisticated cyberattacks in history,” Ramakrishna wrote in a blog post Monday. “We recognize the software development and build process used by SolarWinds is common throughout the software industry, so we believe that sharing this information openly will help the industry guard against similar attacks in the future.”

While the tech industry will need to work with both government and non-governmental agencies to address critical cybersecurity issues such as this, “I think it starts with us,” Smith said in his keynote at CES.

“Because if we don’t use our voice to call on the governments of the world to hold to a higher standard, then I ask you this—who will?” Smith said. “So I hope we’ll come out of this CES and move forward with this as one of our clarion calls for the future.”

Hackers invested a lot of effort to ensure their code was properly inserted and remained undetected, prioritizing operational security to avoid revealing their presence to SolarWinds developers, CrowdStrike wrote in a blog post Monday. SolarWinds is working with CrowdStrike, KPMG, its legal counsel DLA Piper and other industry experts to perform a root cause analysis of the attack, according to Ramakrishna.

Data sharing and collaboration will be critical as the tech industry and government seeks to prevent future cyber attacks of this magnitude, Smith said.

“The last month has shown us how we’re all going to need to work together in new ways--how we’re all going to need to change in some ways to protect the cybersecurity of the planet,” Smith said. “Because when you look at the issues around SolarWinds and its malware, and how things spread, it’s a powerful reminder that threat intelligence data about cyber attacks really exists in so many silos today … It is so clear that the only way to protect the future is to understand the threats of the present. And that requires that we share data in new ways.”