Hearing on Hack Prompts Call for Review of Government’s Cloud Procurement


A key lawmaker highlighted a profit motive for “basic” cybersecurity as problematic following an exchange with Microsoft President Brad Smith.

As federal agencies and private-sector critical infrastructure entities struggle to assess the fallout from what researchers are calling a hack of historic scale, the ability to fully track the intruders' steps should come standard, not as a source of additional profit for government cloud vendors, Rep. Jim Langevin, D-R.I., said after a congressional hearing Friday.

“I firmly believe that cybersecurity should be baked into products and services, so it concerns me when I hear that companies could view security logging as a profit center. I understand that cybersecurity isn’t free, but basics like logging shouldn’t be an ‘upcharge,’” Langevin told Nextgov after the hearing. “I certainly hope the federal government will look to use its substantial bulk purchasing power to make sure we’re not getting a raw deal with respect to the cybersecurity of cloud services we procure.”

The joint hearing of the House Homeland Security and Oversight and Reform committees allowed lawmakers to question Microsoft President Brad Smith, FireEye CEO Kevin Mandia, SolarWinds CEO Sudhakar Ramakrishna and former SolarWinds CEO Kevin Thompson about the role of private technology in the ongoing hacking campaign that compromised at least nine federal agencies and 100 companies.

“We still don’t know if they’re still in the system!” Rep. Carolyn Maloney, D-N.Y., Chair of the Oversight and Reform Committee, said. “All of the companies here today are victims of this attack, and all provide products and services to the government. That puts the government at risk.” 

She said the private sector must be held accountable and that her committee plans to focus on improving federal procurement as well as examining agencies’ responsibilities and strategy under the Federal Information Security Modernization Act, or FISMA.

Rep. Bennie Thompson, D-Miss., Chairman of the Homeland Security Committee, also weighed in with concerns about government vendors putting profit before security. 

“It may be time to reassess the obligations of large, highly resourced companies with outsized footprints in our economy and our government, and evaluate whether more should be expected of them,” Thompson said. “We need to find ways to change behavior in the private sector—particularly those in the government supply chain—so executives value security as much as earnings statements and fast product roll outs.”

The statement had implications both for SolarWinds, the network management company that unwittingly distributed a trojanized update to about 30,000 of its customers and reportedly had lax cybersecurity practices, and for Microsoft.

Except at premium licensing tiers, Microsoft's cloud services offer limited logging. That limits an organization's ability to determine how the hackers moved across its environment after gaining initial access, and whether they might still be present, according to a Jan. 8 alert the Cybersecurity and Infrastructure Security Agency issued on detecting post-compromise threat activity in Microsoft cloud environments.

“Do you believe that security should be an add on, or upcharge, or baked into cloud accounts from the get go?” Langevin asked Microsoft’s Smith. “Is this a profit center for Microsoft, or are the services being provided at cost, that you're charging the customers?”

“Well, you know, we are a for profit company,” Smith replied, noting that except for the company’s philanthropic work, “Everything that we do is designed to generate a return.”

CISA is not alone: the National Institute of Standards and Technology has also detailed the challenges that cloud environments in general pose for forensic investigation. Smith said the only reason Microsoft was invited to the hearing is that, unlike its competitors, the company reported its breach to customers, including the government.

“Unlike AWS, unlike even I think Google, at Microsoft, we let you know as soon as we find out that someone has penetrated your network, and it doesn't matter whether it had anything to do with our service,” Smith told one lawmaker. 

“You have other companies, some of the largest companies in our industry that are well known to have been involved in this that still have not spoken publicly about what they know,” he told another lawmaker, referring to AWS. “There's no indication that they even informed customers, and I'm worried that to some degree, some other customers, or some other companies—some of our competitors even—just didn't look very hard.” 

AWS told CNN’s Brian Fung that the intruders did use its platform—along with others’—to conduct the hack, but that AWS is not a SolarWinds customer and that its systems were not affected. Microsoft has acknowledged that SolarWinds delivered malicious code—since removed—to its environment and that hackers gained access to its source code, which the company says is inconsequential because it embraces open source practices in its security approach. 

Rep. Katie Porter, D-Calif., told Smith Microsoft shouldn’t expect a “scout badge” for reporting its breach and pressed him on the logging issue. She asked whether Microsoft should be liable for selling its cloud services without all the available logging capabilities.

Smith said companies should be “obliged to follow reasonable cybersecurity practices,” but told the lawmaker that’s not “the most important issue for this hearing,” and shifted focus to a need for companies like his and cybersecurity firms like FireEye to immediately communicate threat information—ideally anonymized—when their customers are breached. 

The Microsoft executive also addressed questions Sen. Ron Wyden, D-Ore., previously raised about why the hackers were able to exploit a weakness involving its Active Directory Federation Services (AD FS), which cybersecurity researchers have warned about for years.

AD FS is a Microsoft product, but Microsoft is not uniquely exposed to the technique, known as a Golden Security Assertion Markup Language, or "Golden SAML," attack. SAML lets a user who has signed in with one identity provider move across various companies' platforms in a multi-cloud environment by presenting a signed token. The scheme can be abused if hackers first steal the keys or passwords of privileged administrators, which lets them forge those tokens themselves rather than obtaining them from the identity provider.

Smith told lawmakers the standard, which Microsoft's competitors also support, is outdated, and that the company encourages customers to keep the signing keys in its cloud for safekeeping rather than on their own premises.

“Microsoft, like everybody in this business, supports these industry wide standards. One of the standards in particular is 13 years old, it's called SAML,” he said. “It's been superseded in our view by something we've been encouraging customers and developers to move to since. But there was a vulnerability, so to speak, in SAML, that was exploited in a small percentage, and I think that's important to underscore as well— a small percentage—of the instances that we saw.”

During a hearing before the Senate Intelligence Committee Tuesday, Smith told Sen. Marco Rubio, R-Fla., that SAML was only relevant in about 15% of the cases they investigated.

Testimony CrowdStrike CEO George Kurtz provided during that hearing laid responsibility for addressing the Golden SAML weakness squarely with Microsoft.

“Unfortunately, based on flaws in the authentication architecture itself,” he said, hackers can “bypass multi-factor authentication entirely and, every bit as devastating as it sounds, have the ability to sign in as a compromised user no matter how many times that user resets their password. The only silver lining to the Golden Ticket/Golden SAML problem is that, should Microsoft address the authentication architecture limitations around Active Directory and Azure Active Directory, or shift to a different methodology entirely, a considerable threat vector would be completely eliminated from one of the world’s most widely used authentication platforms.”

The researcher who first outlined the Golden SAML attack said organizations should adopt an "assume breach" mentality and advocated close monitoring of the federation server (AD FS) that holds the token-signing key.
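The mechanism described above, and the MFA and password-reset point in Kurtz's testimony, can be seen in a small model. The following is an added example, not code from the article, Microsoft, CrowdStrike or the researcher it cites. It assumes hypothetical issuer and audience identifiers, and it stands in HMAC-SHA256 for the RSA signature of an AD FS token-signing certificate, because the Python standard library has no RSA; the property that matters, that anyone holding the signing key can mint tokens the relying party trusts, is the same. It also shows the detection the "assume breach" advice points at: cross-checking the assertion IDs the cloud side accepted against the IDs the identity provider actually logged as issued, which is exactly the check that needs both sides' logs.

```python
"""Toy model of Golden SAML: whoever holds the identity provider's token-signing
key can forge assertions the relying party accepts, without ever authenticating.
Added example; identifiers below are constructed for illustration."""
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone

IDP_ISSUER = "https://adfs.corp.example/adfs/services/trust"   # hypothetical
SP_AUDIENCE = "urn:example:cloud-tenant"                        # hypothetical
TOKEN_LIFETIME = timedelta(hours=1)


def new_signing_key() -> bytes:
    """Stand-in for the private key of the AD FS token-signing certificate.
    Real SAML assertions carry an RSA XML-DSig signature; HMAC-SHA256 is used
    here only because the standard library has no RSA (a simplification)."""
    return secrets.token_bytes(32)


def _canonical(claims: dict) -> bytes:
    # Deterministic serialization of the signed claims (real SAML uses XML C14N).
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def sign_assertion(claims: dict, signing_key: bytes) -> dict:
    sig = hmac.new(signing_key, _canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "signature": sig}


def make_claims(subject: str, now: datetime) -> dict:
    return {
        "id": "_" + secrets.token_hex(16),
        "issuer": IDP_ISSUER,
        "audience": SP_AUDIENCE,
        "subject": subject,
        "not_on_or_after": (now + TOKEN_LIFETIME).isoformat(),
    }


def idp_issue(subject, password_ok, mfa_ok, signing_key, issuance_log, now):
    """Legitimate path: the identity provider checks password and MFA, then
    records the ID of every assertion it issues (as the AD FS audit log does)."""
    if not (password_ok and mfa_ok):
        return None
    claims = make_claims(subject, now)
    issuance_log.append(claims["id"])
    return sign_assertion(claims, signing_key)


def forge_golden_saml(subject: str, stolen_key: bytes, now: datetime) -> dict:
    """Attacker path: no password, no MFA, no contact with the identity provider.
    Only the stolen signing key is used, so resetting the user's password has
    no effect; only replacing the signing key invalidates forged tokens."""
    return sign_assertion(make_claims(subject, now), stolen_key)


def sp_verify(assertion: dict, trusted_key: bytes, now: datetime) -> bool:
    """Relying-party check: signature under the trusted key, issuer, audience,
    expiry. Nothing here distinguishes a forged assertion from a real one."""
    claims = assertion["claims"]
    expected = hmac.new(trusted_key, _canonical(claims), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False
    if claims["issuer"] != IDP_ISSUER or claims["audience"] != SP_AUDIENCE:
        return False
    return now < datetime.fromisoformat(claims["not_on_or_after"])


def find_unissued(accepted_ids: list, issuance_log: list) -> list:
    """Detection: assertion IDs the cloud side accepted that the identity
    provider never logged as issued. Needs both the IdP audit log and the
    provider's sign-in log, which is why access to that logging matters."""
    issued = set(issuance_log)
    return [aid for aid in accepted_ids if aid not in issued]


def demo(now: datetime = datetime(2021, 1, 8, tzinfo=timezone.utc)) -> dict:
    key = new_signing_key()
    issuance_log = []
    good = idp_issue("alice@corp.example", True, True, key, issuance_log, now)
    # Attacker has exfiltrated the signing key from the federation server.
    forged = forge_golden_saml("admin@corp.example", key, now)
    accepted = [a["claims"]["id"] for a in (good, forged) if sp_verify(a, key, now)]
    rotated = new_signing_key()   # remediation: roll the token-signing certificate
    return {
        "legit_accepted": sp_verify(good, key, now),
        "forged_accepted": sp_verify(forged, key, now),
        "unissued_ids": find_unissued(accepted, issuance_log),
        "forged_after_rotation": sp_verify(forged, rotated, now),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the relying party accepting the forged assertion just as readily as the legitimate one, the cross-check flagging exactly one assertion ID with no issuance record, and the forged token failing only once the signing key has been rotated.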

Following initial reports of the widespread breaches, CrowdStrike, which is helping SolarWinds respond to its compromise, released a free tool and an accompanying blog post to help organizations identify and mitigate risks in Microsoft's Azure Active Directory. That, too, raised the issue of the cloud providers' logging and tracking services. In the blog post releasing the tool, CrowdStrike said it saw customers struggling to audit Azure Active Directory permissions because of a complex and time-consuming process in which "many of the steps required to investigate are not documented."

“It is our every hope and, I imagine, the hope of the entire cybersecurity community,” that Microsoft is able to address the flaws that will no doubt lead to more Golden SAML attacks, Kurtz said, “or that we can move to a more community-driven approach to authentication.”
