Among those who testified at the hearing was Sudhakar Ramakrishna, the new chief executive of SolarWinds, who took over weeks after the breach was discovered and has since been peeling back the layers of the intrusion. He told the Senate committee that the code had been eradicated from the company’s products. But that is little use to the government agencies and companies that were already breached, because once the hackers are inside their targeted computer networks, they are free to roam.
Mr. Ramakrishna also said that SolarWinds was still unclear on how the Russian hackers got into the software it was developing, embedding themselves there as early as fall 2019. When asked about the possibility that software tools made by JetBrains, which speeds the development and testing of code, was the pathway, Mr. Ramakrishna said there was still no evidence. The New York Times reported in January that JetBrains was under investigation, but the company’s senior executives, some of whom are Russian, said there was no evidence.
Mr. Smith, who has called for a “digital Geneva convention” that would begin to create norms barring some kinds of attacks, estimated that “at least a thousand very skilled, capable engineers” were involved in the hacking.
“This was an act of recklessness, in my opinion,” he said, because it infected thousands of systems that the Russians had no interest in to give them access to only a few. “It was done in a very indiscriminate way.”
Mr. Warner, Senator Marco Rubio of Florida, the ranking Republican on the committee, and others noted repeatedly that Amazon — which runs the C.I.A.’s network cloud services and is seeking other major federal contracts — was the only company that refused to send a senior executive to explain its role in the hacking. Amazon has said nothing publicly about what it knew about the command-and-control operation run from its servers in the United States.
That is a crucial issue, because the hackers appeared to understand that American intelligence agencies are prohibited from examining network activity in the United States. So by initiating the attack within American borders, they were taking advantage of domestic privacy protections to avoid being detected.
Several senators said they were concerned that such a technique, once known, would be widely used by others. “The bottom-line question is how did we miss this, and what are we still missing?” Mr. Rubio said.