SolarWinds CEO: This could have happened to anyone

In what will be the first of several public appearances this week, Sudhakar Ramakrishna says his company will be transparent about the supply chain attack it suffered as a way to help other companies prepare for the next attack.

SolarWinds Headquarters entrance By Travel_with_me shutterstock ID: 1875241378
 

In the first of several public appearances this week, the chief executive officer of SolarWinds is publicly discussing the breach of his company's software two months after reports surfaced that multiple government agencies may have been breached through a backdoor vulnerability. His message to others: This could have happened to anyone.

"Because of the narrow window in which the malware was injected into the code, the ability for our build systems to identify that did not exist. That is one of the key areas of focus that we are working towards," said Sudhakar Ramakrishna, SolarWinds' CEO, during a virtual event Feb. 22 hosted by the Center for Strategic and International Studies. "This problem exists in every company, so what happened to us can happen to any software developer in the world," he continued.

Ramakrishna was publicly announced as the next chief of SolarWinds in December just days before the cybersecurity firm FireEye notified the company that the Orion IT management software had been compromised. Since then, private and governmental investigators have found the hacking campaign used additional methods to breach nine federal agencies and approximately 100 private companies.

The group of federal agencies responding to the breach have said the hackers are "likely Russian in origin," but neither the government nor FireEye, which is credited with discovering the intrusion, have formally attributed the attack yet.

Ramakrishna said today he feels SolarWinds has an "obligation" to discuss the attack publicly because "this is not a one company issue." He said in the immediate weeks following the hack's discovery in early December, he was not considered a SolarWinds employee yet, meaning the only information he received was from press reports and outsider speculation.

It was not until closer to starting his new job on Jan. 4 that he started receiving information directly from investigators.

SolarWinds in an initial filing with the Security and Exchange Commission stated it believed around 18,000 customers may have been compromised by the breach in Orion, an IT management software. Ramakrishna today said the company believes the number of customers whose systems were damaged by the malware is much smaller.

He said that the estimate -- 18,000 -- came from the number of customers who downloaded the patch infected with malware, an update that was not automatically pushed to users. Further, not all customers that downloaded the patch immediately installed it. If a customer did download and install the patch, the software would have to be configured in such a way to provide SolarWinds Orion with access to the internet before it could contact an adversarial server and cause damage. He added that Orion is able to operate on a server without internet access.

Ramakrishna said he believes Orion was targeted because it traditionally holds high-level administrative privileges in the systems it operates within. Understanding how Orion can continue to operate with lower privilege levels is one remediation the company is currently considering.

Asked about what changes he would want to see made by Congress, Ramakrishna hit on two common issues raised by cybersecurity experts: the federal government should have a single point of contact for organizations victimized by hackers to report attacks.

The second is to create policies that reduce liability concerns for private organizations that disclose their compromises to the government.

Ramakrishna, Kevin Thompson, SolarWinds' former CEO, and executives for FireEye and Microsoft are all scheduled to testify to House and Senate lawmakers this week.