Leaders from Microsoft, FireEye and SolarWinds answered questions on the Hill last month. Noticeably absent from the hearing was a representative from Amazon Web Services.
AWS said because it wasn't a SolarWinds customer, the company was not impacted by the Orion compromise. However, during the hearing Senator Richard Burr, R-NC, said AWS likely hosted most of the adversary's secondary command and control nodes during the hack; the White House previously disclosed the attack took place on U.S. soil.
The absence of one of the information technology industry's biggest players stands in contrast to other companies involved in SolarWinds response.
AWS' top cloud rival, Microsoft, has been under pressure as it was one of the victims of the hack. However, President Brad Smith called for cyberattack disclosure regulation to enforce information sharing between companies and the federal government — a relationship the sectors struggle to cultivate and sustain.
Because the private sector owns the majority of the attack surface, brand-name IT and security companies have the ability, and a degree of responsibility, to contribute their expertise to the national narrative.
"I was concerned that [Amazon wasn't] there because they're an important player. The cloud may well be an important solution as part of the technical problem," said Senator Angus King, I-ME, during a press briefing on Wednesday. "We need them at the table, and I was disappointed. I know that they had a statement, but I didn't find it entirely persuasive."
The cloud has also contributed to a sense of "security amnesia," said Peter Tran, CISO and head of cybersecurity/DevSecOps solutions at InferSight and former Naval Criminal Investigative Service special agent. "Security vendors knew how to deal with the old environments and had a higher degree of visibility to openly share and collaborate with government."
The security community had to navigate a "maze of barbed wire-like" IT efforts while modernizing and migrating to the cloud. They also had to overhaul decades-old on-premise security strategies, according to Tran. Sharing security responsibilities with cloud and managed service providers made security a "bolt-on afterthought."
It's only now industry is beginning to adapt to a modern infrastructure and the resilience it provides.
Industry input
The White House is emphasizing supply chain and software security in at least two executive orders, one still in development. The directives are an effort to generate transparency, especially when the federal government's reliance on private industry was made obvious when the SolarWinds hack began to unfold in December.
The Cyberspace Solarium Commission (CSC) and the Cybersecurity & Infrastructure Security Agency (CISA) are proponents of enabling a cross-sector partnership. The organizations say reliable participation is the cornerstone of information sharing.
"The private sector should be, in military terms, the 'main body' to which all forces and defense units are assigned to protect," said Mike Wilkes, CISO at SecurityScorecard. "The government itself must come to understand that the government is not the main body."
CISA has garnered private industry support, but many in the community are waiting for President Joe Biden's nomination for the national cyber director, a Senate-confirmed position. The position will serve as a liaison between federal agencies and private industry. The longer it takes to fill the role will add to the investigation time and delay future defense policies, said King. "It may be that we're losing valuable time."
The national cyber director, established in the National Defense Authorization Act (NDAA) and recommended by the CSC, is a new but strategic position. Though Deputy National Security Advisor Anne Neuberger was tapped for leadership in the SolarWinds response, "her position could disappear tomorrow," said King, just as President Donald Trump eliminated the national cyber coordinator position, held by Rob Joyce, in 2018.
In cybersecurity, there's no real wait time that comes without a price. It's the reason major companies take rapid ownership.
"Being transparent and sharing that information earned FireEye a great deal of respect in my eyes. The power and value of the exfiltrated red team tools was diminished significantly when FireEye published the details of the breach," said Wilkes. In the immediate aftermath of FireEye's breach, the company published the found indicators of compromise and CVEs for other companies to use.
Microsoft took the same rapid response for Exchange vulnerabilities. The company published remeditations designed for security organizations lacking a robust, dedicated security team. "Taking on that burden and lowering the total cost to the infosec ecosystem is a great way to conserve limited resources," and hasten protection efforts, said Wilkes.
But when a company like AWS does not come to the table, it could indirectly send a message of indifference to other companies. AWS did not immediately respond to requests for comment.
"I do feel big tech, as a whole, does have a responsibility for 'reasonable due care' to the public and private sector consumers of their products and services," said Tran. The information security community has an unspoken higher standard in regards to defense "beyond the corporate walls whether informally sharing threat intelligence, technical collaboration or more formal public and private sector joint task force efforts."
The SolarWinds and Microsoft Exchange hacks illuminated a dilemma for the tech industry: determining "whether or not big tech is truly too big to fail," said Tran.
Every major IT and security company undergoes a degree of introspection following major incidents, but it's coupled with hesitation. "They may not like what they see," he said.