WASHINGTON ― In the wake of a sweeping hack that may have revealed government and corporate secrets to Moscow, the U.S. must strengthen its cyber defenses and prepare a “robust menu” of responses to attacks, Microsoft Corp. President Brad Smith said Tuesday.
The breach, which hijacked widely used software from Texas-based SolarWinds Inc., has exposed the profound vulnerability of civilian government networks and the limitations of efforts to detect threats.
The U.S. must draw a lesson about danger cyberattacks pose to American civilians from the recent severe weather power grid collapse in Texas and a hacker’s botched attempt to poison the water supply of a small Florida city, Smith told the Senate Armed Services Committee.
“Think about the danger to American civilians if there is a disruption of the water supply, and then think about a future where a nation need not send missiles or planes but can simply send code to do its fighting for it,” Smith said.
“We need to strengthen the nation’s digital infrastructure and digital defenses, and that touches every part of the public sector, and every part of the private sector as well.”
Beyond modernizing dated information technology infrastructure, Smith suggested Congress address gaps in intelligence sharing between private companies and the government, and in the government’s intelligence gathering. For example, the National Security Agency’s authority allows it only to look outside U.S. borders, when it appears the SolarWinds hack used data centers of private firms inside the country.
The government, Smith said, should default to “a culture of a need to share,” though with privacy controls and divisions between the public and private sectors, using AI-assisted data aggregation.
The comments came as panel lawmakers on both sides of the aisle voiced worries about Russian hacking and that the Pentagon isn’t investing correctly to codevelop advanced capabilities to counter Chinese dominance in the tech sphere.
Experts testifying before the panel sounded the alarm that the U.S. could fall behind in semiconductors, artificial intelligence, quantum computing, biotechnology, hypersonic weapons and 5G networking. However, the SolarWinds hack surfaced repeatedly.
President Joe Biden plans to release an executive order soon that will include about eight measures intended to address security gaps exposed by the hack. The administration has also proposed expanding by 30 percent the budget of the U.S. Cybersecurity and Infrastructure Agency, now under intense scrutiny because of the SolarWinds breach.
Biden, making his first major international speech Friday to the Munich Security Conference, said that dealing with “Russian recklessness and hacking into computer networks in the United States and across Europe and the world has become critical to protecting our collective security.”
At Tuesday’s hearing, Sen. Richard Blumenthal, D-Conn., said the SolarWinds hack signaled a need to strengthen supply chain defenses and that Russia needed to “pay a price” for the hack.
“There has been no proportionate response, no response whatsoever that I’ve seen to the SolarWinds attack, and I think that making our adversaries, Russia in particular, pay a price for this attack is absolutely necessary, and that is one of the ways to establish some rules of the road,” Blumenthal said.
Smith agreed that the Biden administration, working with allies, should hold offenders accountable.
“Then there needs to be ... a range of responses for different circumstances, but it needs to be a robust menu, and we’re going to need an executive branch that has the confidence and the support of the American public to carry them out.”
Joe Gould is senior Pentagon reporter for Defense News, covering the intersection of national security policy, politics and the defense industry.