WASHINGTON — Microsoft called it "an attack that is remarkable for its scope, sophistication and impact."
At least six U.S. government departments, including energy, commerce, treasury, and state, were hacked in the sweeping Russian cyberattack discovered in December.
Malicious code was snuck into updates to a popular software product called Orion, made by the company SolarWinds, which provides network monitoring and other technical services to organizations around the world, including most Fortune 500 companies and government agencies in North America, Europe, Asia, and the Middle East.
"For almost a year, Russian actors burrowed into networks, hiding their tracks and patiently stealing data," said Rep. Bennie Thompson (D-Mississippi), Chairman of the House Homeland Security Committee. "The task before us is, to zero in on how can we mature our defenses to match the capabilities of our adversaries."
During a House Homeland Security Committee hearing this week, Rep. Elaine Luria (D-Virginia, 2nd District) discussed two recent Hampton Roads cyber breaches.
In November 2020, malware infected the Hampton Roads Sanitation District's business systems and led to delays in billing.
There was also a ransomware attack on Virginia Wesleyan University in 2019.
Former Trump Administration Director of Cybersecurity Chris Krebs discussed whether there are sufficient resources to counter all the threats.
He said government can't do it alone, and private industry must do its part.
"Are we going to stop every attack?," Krebs asked, answering, "No, but we can take care of the most common risks and make the bad guys work harder and limit their success."
Krebs continued, “As long as the tools are available, vulnerabilities exist, money and secrets are to be had, and the lack of meaningful consequences persist, there will be malicious cyber actors.”
Krebs said it won't end anytime soon, with attacks from China, Russia, Iran, and North Korea likely to continue “until the leadership has decided that it cannot tolerate further behavior.”
Krebs said his agency had a $2.2 billion budget, but only $1.2 billion of that was directed specifically at cybersecurity programs.