As federal agencies and private-sector critical infrastructure entities struggle to assess the fallout from what researchers are calling a hack of historic scale, the ability to fully track the intruders’ steps should come standard, not as a source of additional profit for government cloud vendors, Rep. Jim Langevin, D-R.I., said after a Congressional hearing Friday.
“I firmly believe that cybersecurity should be baked into products and services, so it concerns me when I hear that companies could view security logging as a profit center. I understand that cybersecurity isn’t free, but basics like logging shouldn’t be an ‘upcharge,’” Langevin told Nextgov after the hearing. “I certainly hope the federal government will look to use its substantial bulk purchasing power to make sure we’re not getting a raw deal with respect to the cybersecurity of cloud services we procure.”
The joint hearing of the House Homeland Security and Oversight and Reform committees allowed lawmakers to question Microsoft President Brad Smith, FireEye CEO Kevin Mandia, SolarWinds CEO Sudhakar Ramakrishna and former SolarWinds CEO Kevin Thompson about the role of private technology in the ongoing hacking campaign that compromised at least nine federal agencies and 100 companies.
“We still don’t know if they’re still in the system!” Rep. Carolyn Maloney, D-N.Y., Chair of the Oversight and Reform Committee, said. “All of the companies here today are victims of this attack, and all provide products and services to the government. That puts the government at risk.”
She said the private sector must be held accountable and that her committee plans to focus on improving federal procurement as well as examining agencies’ responsibilities and strategy under the Federal Information Security Modernization Act, or FISMA.
Rep. Bennie Thompson, D-Miss., Chairman of the Homeland Security Committee, also weighed in with concerns about government vendors putting profit before security.
“It may be time to reassess the obligations of large, highly resourced companies with outsized footprints in our economy and our government, and evaluate whether more should be expected of them,” Thompson said. “We need to find ways to change behavior in the private sector—particularly those in the government supply chain—so executives value security as much as earnings statements and fast product roll outs.”
The statement had implications for both SolarWinds—the network management company that unwittingly distributed a trojanized update to about 30,000 of its customers and reportedly had lax cybersecurity practices—as well as Microsoft.
Except at premium levels, Microsoft’s Azure cloud service offers limited logging capabilities. This can affect organizations’ ability to determine how the hackers moved across their networks after gaining initial access, and whether they might still be present, according to a Jan. 8 alert the Cybersecurity and Infrastructure Security Agency issued on detecting post-compromise threat activity in Microsoft’s cloud environments.
“Do you believe that security should be an add on, or upcharge, or baked into cloud accounts from the get go?” Langevin asked Microsoft’s Smith. “Is this a profit center for Microsoft, or are the services being provided at cost, that you’re charging the customers?”
“Well, you know, we are a for profit company,” Smith replied, noting that except for the company’s philanthropic work, “Everything that we do is designed to generate a return.”
In addition to CISA, the National Institute of Standards and Technology has detailed the challenge cloud environments, in general, create for conducting forensics. Smith said the only reason Microsoft was invited to the hearing is because, unlike its competitors, the company reported its breach to customers, including the government.
“Unlike AWS, unlike even I think Google, at Microsoft, we let you know as soon as we find out that someone has penetrated your network, and it doesn’t matter whether it had anything to do with our service,” Smith told one lawmaker.
“You have other companies, some of the largest companies in our industry that are well known to have been involved in this that still have not spoken publicly about what they know,” he told another lawmaker, referring to AWS. “There’s no indication that they even informed customers, and I’m worried that to some degree, some other customers, or some other companies—some of our competitors even—just didn’t look very hard.”
AWS told CNN’s Brian Fung that the intruders did use its platform—along with others’—to conduct the hack, but that AWS is not a SolarWinds customer and that its systems were not affected. Microsoft has acknowledged that SolarWinds delivered malicious code—since removed—to its environment and that hackers gained access to its source code, which the company says is inconsequential because it embraces open source practices in its security approach.
Rep. Katie Porter, D-Calif., told Smith Microsoft shouldn’t expect a “scout badge” for reporting its breach and pressed him on the logging issue. She asked whether Microsoft should be liable for selling its cloud services without all the available logging capabilities.
Smith said companies should be “obliged to follow reasonable cybersecurity practices,” but told the lawmaker that’s not “the most important issue for this hearing,” and shifted focus to a need for companies like his and cybersecurity firms like FireEye to immediately communicate threat information—ideally anonymized—when their customers are breached.
The Microsoft executive also addressed questions Sen. Ron Wyden, D-Ore., previously raised about why the hackers were able to exploit a weakness in its Active Directory Federation Services, which cybersecurity researchers have warned about for years.
Although the service was developed by Microsoft, the company is not uniquely vulnerable to a successful Golden Security Assertion Markup Language, or “Golden SAML,” attack, as it’s called. The service allows users to move across various companies’ platforms in multi-cloud environments by presenting a signed token. It can be abused if hackers are first able to steal the keys or passwords of privileged administrators and use them to forge those tokens.
Smith told lawmakers the standard, which is also used by Microsoft’s counterparts, is outdated and that the company encourages its customers to store their token-signing keys in the cloud for safekeeping, instead of on their premises.
“Microsoft, like everybody in this business, supports these industry wide standards. One of the standards in particular is 13 years old, it’s called SAML,” he said. “It’s been superseded in our view by something we’ve been encouraging customers and developers to move to since. But there was a vulnerability, so to speak, in SAML, that was exploited in a small percentage, and I think that’s important to underscore as well— a small percentage—of the instances that we saw.”
During a hearing before the Senate Intelligence Committee Tuesday, Smith told Sen. Marco Rubio, R-Fla., that SAML was only relevant in about 15% of the cases they investigated.
Testimony CrowdStrike CEO George Kurtz provided during that hearing laid responsibility for addressing the Golden SAML weakness squarely with Microsoft.
“Unfortunately, based on flaws in the authentication architecture itself,” he said, hackers can “bypass multi-factor authentication entirely and, every bit as devastating as it sounds, have the ability to sign in as a compromised user no matter how many times that user resets their password. The only silver lining to the Golden Ticket/Golden SAML problem is that, should Microsoft address the authentication architecture limitations around Active Directory and Azure Active Directory, or shift to a different methodology entirely, a considerable threat vector would be completely eliminated from one of the world’s most widely used authentication platforms.”
The researcher who first outlined the Golden SAML attack said organizations should adopt an “assume breach” mentality and advocated close monitoring of Active Directory Services.
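As an added illustration (not from the article or from any of the companies named in it), the following Python sketch shows the kind of monitoring the researcher's advice points at: reconciling SAML-based cloud sign-ins against the identity provider's own token-issuance records, and flagging any assertion that has no matching issuance event or an abnormally long lifetime, both of which a forged token can exhibit. The log records, field names and thresholds are constructed for this example and do not reproduce real AD FS or Azure AD log formats.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Each entry stands for an
# identity-provider event recording that AD FS actually signed a token.
IDP_TOKEN_ISSUED = [
    {"time": "2021-01-08T10:00:05", "user": "alice@example.com"},
    {"time": "2021-01-08T10:30:00", "user": "bob@example.com"},
]

# Constructed cloud sign-in records where the service provider accepted a
# SAML assertion; the timestamps are taken from the assertion itself.
CLOUD_SIGNINS = [
    {"time": "2021-01-08T10:00:09", "user": "alice@example.com",
     "assertion_issued": "2021-01-08T10:00:05",
     "not_on_or_after": "2021-01-08T11:00:05"},
    # No IdP issuance event exists for this one, and it is valid for 24 hours.
    {"time": "2021-01-08T11:15:42", "user": "admin@example.com",
     "assertion_issued": "2021-01-08T11:15:40",
     "not_on_or_after": "2021-01-09T11:15:40"},
    {"time": "2021-01-08T10:30:03", "user": "bob@example.com",
     "assertion_issued": "2021-01-08T10:30:00",
     "not_on_or_after": "2021-01-08T11:30:00"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def has_idp_issuance(signin, idp_events, window=timedelta(minutes=2)):
    """True if the IdP logged a token for this user close to the assertion's issue time."""
    issued = _ts(signin["assertion_issued"])
    return any(
        e["user"].lower() == signin["user"].lower()
        and abs(_ts(e["time"]) - issued) <= window
        for e in idp_events
    )


def review_signins(idp_events, sp_signins, max_lifetime=timedelta(hours=1)):
    """Return (user, reasons) for sign-ins whose assertions look unbacked or abnormal."""
    findings = []
    for s in sp_signins:
        reasons = []
        if not has_idp_issuance(s, idp_events):
            reasons.append("no matching IdP issuance event")
        lifetime = _ts(s["not_on_or_after"]) - _ts(s["assertion_issued"])
        if lifetime > max_lifetime:
            reasons.append(f"assertion lifetime {lifetime} exceeds policy")
        if reasons:
            findings.append((s["user"], reasons))
    return findings
```

In practice the issuance side comes from the federation server's audit log and the acceptance side from the cloud tenant's sign-in log, which is exactly why the article's point about logging coverage matters for this check.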
Following initial reports of the widespread breaches, CrowdStrike, which is helping SolarWinds respond to its compromise, released a free tool and blog post to assist organizations with identifying and mitigating risks in Microsoft’s Azure Active Directory. This also raised the issue of the cloud providers’ logging and tracking services. In the blog post releasing the tool, CrowdStrike said it saw customers struggling to audit Azure Active Directory permissions due to a complex and time-consuming process where “many of the steps required to investigate are not documented.”
“It is our every hope and, I imagine, the hope of the entire cybersecurity community,” that Microsoft is able to address the flaws that will no doubt lead to more Golden SAML attacks, Kurtz said, “or that we can move to a more community-driven approach to authentication.”