By Raphael Satter
WASHINGTON (Reuters) – Cybersecurity executives are due to face their second round of Congressional questions on Friday over their companies’ roles in the sprawling series of digital intrusions blamed on the Russian government.
Texas software company SolarWinds Corp’s Chief Executive Sudhakar Ramakrishna, Microsoft Corp President Brad Smith, and FireEye Inc Chief Executive Kevin Mandia were due to address a joint hearing of the House Committees on Oversight and Reform and Homeland Security.
Their appearance comes three days after the trio testified before U.S. senators over the massive breach, which has ensnared nine American government agencies and more than 100 other organizations. SolarWinds’ former chief executive – Kevin Thompson, who stepped down shortly before the breach was announced – was also due to testify.
Hackers allegedly working for Moscow surreptitiously subverted SolarWinds’ software to infiltrate their targets, spending months inside government networks before they were identified.
Other techniques – including some still unknown – are believed to have been used as well. Lawmakers and executive branch experts alike are puzzling out how far the hackers got and who might be to blame.
Some have alleged that lax security practices at SolarWinds led to the breach. Others have laid blame at Microsoft’s door, saying that a failure to fix known problems with its cloud software authentication infrastructure helped speed the hackers’ progress across networks. [L1N2KV071]
Speaking to senators on Tuesday, Microsoft’s Smith blamed poor configurations and other controls on the customer’s part, including cases “where the keys to the safe and the car were left out in the open.” [L1N2KT1QK]
CrowdStrike Holdings Inc Chief Executive George Kurtz – who addressed senators Tuesday but will not be returning Friday – said Microsoft’s “antiquated” architecture was partially responsible.
(Reporting by Raphael Satter; Editing by Stephen Coates)
