Skip to main content

tv   Software Executives Testify on Solar Winds Hack - Part 2  CSPAN  March 7, 2021 5:29am-6:14am EST

5:29 am
what we all recognize today are best practices. and ultimately an expansion of the work force in the cybersecurity field. so that we have more trained people who can support all of the organizations and customers across the country. ms. norton: the gentlewoman's time has expired. the witnesses have asked for a 10-minute recess. they're really entitled to that. this is a long hearing because there are two committees meeting and asking questions. but we don't want it to go on forever. so we'll take a 10-minute recess at this time. [captioning performed by the national captioning institute, which is responsible for its caption content and accuracy. visit] [captions copyright national cable satellite corp. 2021] ms. norton: we have a very large set of members because there are two committees. this is a joint hearing. that's why this is going on for so long. i want to call on the next
5:30 am
member on my list. it is mr. cline of georgia. you're recognized for five minutes. mr. cline: thank you, madam speaker. chairwoman norton. as a navy officer, navy combat veteran, i am quite aware that our military is tasked with protecting our nation and we take that very seriously and have been very successful in doing that for over a century. mr. clyde: but cyberattacks on our country are something that literally can go right through whatever military protections we have and can affect especially our civilian population in ways that can be devastating. for medium businesses, large
5:31 am
businesses, and even small businesses. so several of you have said that the u.s. government needs a national strategy to strengthen how we share threat intelligence between the government and the private sector. so would each of you give me an idea of how you would see this playing out? what role do you see cisa playing to help support this? especially when it concerns the private sector. i guess we can start with the c.e.o. of solarwinds. mr. ramakrishna: congressman collide, thank you again for -- clyde, thank you again for the question. in terms of cisa, there are a few things that we can focus on as part of a private sector entity. one is the clearinghouse of all
5:32 am
threat information that is given to it by the public sector. that's number one. the converse is from a private sector information gathering standpoint as well. once it has got a coordinated set of information, it can take the responsibility to disseminate it to all impacted and potentially impacted parties as well. that will ensure that we're all coordinated, that we are fast and and aisle in learning and -- agile in learn and responding. the other major area i would suggest is cisa can be a big influencer in establishing best practices and disseminating best practices across the entire value chain, not just in the threat aspect of it, but in the standardization of it such that as things become more standard and more of us in the private sector follow them, the potential for leakage across
5:33 am
private sector entities is significantly reduced and diminished. mr. clyde: thank you. i appreciate that. mr. thompson, any comments from you, sir? mr. thompson: the only thing i would add to is i believe cisa has an opportunity based on where it sits in the government to really coordinate resources from both a private and public sector. i think as private sector software companies, we'd be willing to dedicate some amount of resource to work with this in coming up with cybersecurity strategies for both the private and public sector but someone has to be the coordinator of that. i think cisa might be, if resourced appropriately, be in the right position to be able to do that. mr. clyde: thank you very much. mr. mandia? mr. mandia: not too much to add to that other than what i think about intel sharing. there's intel that goes to a singlele entity in the government. there's intel out that needs to be communicable to all the technology companies that
5:34 am
safeguard the nation. and then there's got to be a priorization that there's probably -- prioritization that there's probably different industry, health care, utilities, telecom, that rise above some of the others that you have to make sure abide by certain legislation standards or regulations. most of those are regulated industries. but that's how i think about it. intel in, then intel has to get out. then we get a nation that can go shields up a lot faster than it can today. mr. clyde: thank you. lastly, mr. smith. mr. smith: i think these have provided good perspectives. the one thing i would add is obviously this is a paradigm where cisa would be responsible for the assessment of threat data that is being reported domestically from companies inside the united states. at the same time you still have the n.s.a. which has this critical responsibility and role with respect to data that it is able to identify from outside the united states.
5:35 am
and then for the government as a whole, you need to have both of these sources to get the full picture of the threats to the country. mr. clyde: ok. thank you very much. we had quite a serious ransomware attack in my district to a private company that basically shut them down for five weeks and cost them almost $10 million. so this is very, very important what we're doing here. thank you, madam chairwoman much i yield back. ms. norton: i thank the gentleman for his questions. and his time has expired. i call on ms. tlaib of michigan now. ms. tlaib, you are recognized for five minutes. ms. tlaib: thank you so much, chairwoman. mr. thompson, you served as solarwinds for 14 years, including 10 as a c.e.o. so i just want to make sure it's fair to say you know this company better than anyone. it's been read into the report, i think bloomberg news said two
5:36 am
former employees viewed your company's security lapses as so significant they said, quote, they viewed a major breach as inevitable. so one of those employees said that he warned the company in 2017 of security risks but found the company's executives were, and i quote, unwilling to make the corrections. mr. thompson, i'm sure you were expecting -- expecting this question. but did you all take immediate action and when these concerns were raised? mr. thompson: i believe we've taken the security of our customers, of our company, of our product seriously my entire tenure. at solarwinds. i believe we've invested at the appropriate level. over the last four years, we're spending at a level meaningfully higher than the industry average. ms. tlaib: when did you start investing in security? mr. thompson: we've been investing in security since we got here. but obviously that security investment has grown as the company has grown. if you look back at 2016, in 2016 we really looked at the
5:37 am
business, we looked at where it was, and we invested at a higher level. we brought in a c.t.o. has w.h.o. has been a c.i.o. for many years. we brought in a very experienced c.i.o., we then added a v.p. of security. ms. tlaib: this all happened in 2016? mr. thompson: in 2016 and 2017. ms. tlaib: so, mr. thompson, is it true and this is something when the committee told me i was in disbelief. if all that was going on, then why in 2019 it was said that you could easily access your server by simply using the password solarwinds123? mr. thompson: that related to a mistake that an intern made and they is right laid -- violated our password policies and they posted that password on an internal -- on their own private account. as soon as it was identified and brought to the attention of my security team, they took that down. ms. tlaib: it just doesn't -- you know, invoke a lot of confidence in many of us when we
5:38 am
hear an intern could have done that. again, it was access to -- that was used, that same password was used to access your server. is it true that solarwinds did not create a role of a vice president of security until 2017? mr. thompson: we had a -- we did not have a vice president of security but as i said, we had a very sophisticated c.i.o. and a t.t.o. who had been a c.i.o. at a very large fortune 500 company. and we had a security team. and we had a security process. we just didn't have a v.p. of security prior to that day. ms. tlaib: with all those people, two years later, 2019, i don't know if they were in place, you know, how fast did you fix the issue with solarwinds123 password to access your server? mr. thompson: as soon as it was identified to us, it was fixed. ms. tlaib: days, weeks, months? mr. thompson: faster than days. once we found out about it. ms. tlaib: it also has been reported that back in october, another security company, pala alto networks, -- paolo alto
5:39 am
networks, brought something up. what steps did you take to ensure this issue was investigated? mr. thompson: i'll pass that to -- because i've not been the c.e.o. since december 1, 2020. there's been a lot of investigation work since then. i'll let the doctor respond to that. mr. ramakrishna: thank you. ms. tlaib: i'd love to hear what y'all are doing about these concerns. mr. ramakrishna: we just heard about it from palo alto as a possible victim of the malware that was delivered as part of the orion code and related issues. it wasn't about the security hygiene or security posture of solarwinds itself. in fact, we are a customer of palo alto's and we have 24 pairs of palo alto infrastructure
5:40 am
protecting us, not just from a firewall standpoint, but also doing some threat hunting within our environments today. ms. tlaib: i appreciate all of that. i just want my colleagues to understand, it's not only that we need to find out what they were able to access, but the fact that solarwinds did have a weak security culture that ran right up against this attack. we need to acknowledge that because i understand that there was just a recent post about different security positions you may have posted recently. so i just really want to make sure that my colleagues, that we're all doing our due diligence in regards to some of these companies that we contract out to, to protect the privacy and protect our country from these kinds of hacks. with that, i yield. thank you so much. ms. norton: the gentlewoman's time has expired. i thank her for yielding. mr. fallon of texas is next. mr. fallon, are you there?
5:41 am
mr. fallon: yes, ma'am. can you hear me? ms. norton: i can hear you. you can proceed. mr. fallon: thank you very much. i want to thank the witnesses for bearing with us in a joint committee. i know it's been a long day thus far. you know what alarmed me when i was reading through sourcing material was the fact that, it really got my attention, the fact that the homeland security's own email had been compromised. mr. madia, thank you for your service to our country. what would have happened and how much more damage could or would have been done if your company hadn't discovered this breach in december of 2020? mr. mandia: you know, i think over time people would have come across enough smoke to find the fire. so it would have been discovered in time and people would have connected the dots. we happened to be a forensic firm and special ops met special ops. we responded appropriately with the right skill sets, found the implant. in regards to what could have happened, the attacker had unfettered access to over 17,000
5:42 am
different organizations and nobody saw it. so this attacker stayed laser focused on stealing specific information, they showed arguably constraint and they didn't do anything destructive. but in reality, sir, it would have been easier for this attacker to destroy data than do the operations that they did. so i think there is a range of options from the threat actor and they behaved in a manner to steal emails and documents that they were targeted and collecting. mr. fallon: to follow up on that. if they chose to start destroying data, would that have in and of it self raised red flags and would they have discovered then? mr. mandia: there's a line of, you're going to start noticing if machines get shut down, or if data starts getting deleted. it's something, my observation on the rules of the playground and cyber, may be we don't have written rules that everybody follows all the time and maybe it's hard to get people to agree
5:43 am
to what's fair game for espionage, but here's one thing i do know. i don't think any modern nation wants to see modern nations -- nation's a-teams break in and delete data, put industrial control system malware if place and doing certain things i still haven't seen done by those threat acts that are are representing a foreign intelligence service. so there's still another couple of levels of escalation that have not -- at least i haven't witnessed yet in cyberspace. mr. fallon: thank you. mr. thompson in retrospect, was this breach in your opinion preventable? and if so, what should solarwinds have done differently? mr. thompson: i'll let the doctor answer some of that. i've been gone since december 31. but this attack was designed to be very difficult to find. they were incredibly patient. they moved very slowly. and the software was of tremendous complexity and so it was designed in a way that made it very difficult for anyone to
5:44 am
detect, whether it was us or whether it was fireeye or microsoft, which is why it took as long as it did. i'll let saad add what we've learned since -- saad -- sud -- sudhakar add what we've learned since december. mr. ramakrishna: noosh to mr. thompson's comments, the way we've looked at it, given the novelty of the supply chain attack, and as i've described it, the attacker hiding in plain sight, the fundamental things that we are looking at is what do we learn from this, how do we protect supply chains of companies like solar winds and our industry tiers going forward? that led us to build an initiative that secured by design internally, which provides specific guidelines and execution tactics of how to protect internal environments, how to make -- build systems a lot more robust, including access to the build systems, and then how to evolve software in the life cycle to be much more
5:45 am
secure where you're not testing security after something is cliffer delivered, but designed as you build it. i believe that is the responsibility of the industry to take more ownership of and share that, not just amongst us, but also with our environment colleagues who also build software. mr. fallon: thank you. one quick last question for mr. mandia. we say that -- quality expert teams think this is a nation-state sponsored attack. i guess with the complexity of it. why are we so sure it was a nation state-sponsored attack and not just a group of highly talented and nefarious cybercriminals? -- cybery criminals? mr. mandia: i started responding to breaches in the united states air force by 1995. back then most of the breaches we responded to were not attractive nuisances.
5:46 am
i'll give you -- i've got about seven reasons why i believe it's a foreign intelligence service. i'll give you two. fireeye was attacked by over 20 different i.p. addresses and we were a victim of the attack after we did a solarwinds up where date -- update. thesome -- systems used to attack us were used in zero other breaches. that is very uncommon. what normally happens, if i'm a threat actor and doing ransomware, i have the same infrastructure for every attack i do. we went to our partners, microsoft, our partners in the intel community, none of the systems were used to attack anybody but fireeye. i have six other technical reasons, happy to take them offline with you. i have virtually no doubt 10 minutes into the first briefing i got on our incident, this was a foreign intelligence service and i had a good idea which one. mr. fallon: thank you very much. thank you, madam chair. i yield back. ms. norton: yes. the gentleman's time has expired. mr. correa of california.
5:47 am
mr. correa of california, are you -- mr. correa: can you hear me ok? ms. norton: i can hear you you know now, sir. mr. correa: thank you, ma'am. i want to thank all our chairs and ranking members for this most important hearing. i wanted to ask questions about -- of all of our guests. mr. ramakrishna, mr. smith, mr. mandia. the question is as follows. is this a political diplomatic issue or is this a technical issue? and i ask this question because mr. smith, during your presentation, you said that we needed to strengthen international law and the consequences for a violation of international law. yet i recently read a report that talked about the chinese intelligence, that they had stolen our espionage code and essentially customized it and were using it against us. so, are those folks overseas, are they better than we are now?
5:48 am
are russia, china and others better than we are in this cyber battlefield? and if they are, how do we stop them? my question is, is this an international law consequences issue, or is this a technical issue? to all our guests, please. mr. smith: i'm happy to field that first. i think you framed the question well. is it a diplomatic issue or is it a technical issue? yes. that's the way of saying it's both. we need to deal with it on both levels. i don't believe for a moment that we live in a world where our adversaries are more capable than our own government. but we do love -- live in a world where there's an asymmetry. it's easier to play offense than it is to play defense. when you play offense, you can scan the horizon and look for the weakest point and then that is where you direct your energy. and when you're on the defensive, that means you need to scan and secure the entire horizon. so on the technical side, that
5:49 am
means that there's this enormously important work to strengthen all of our cyber defenses. and it equally makes it a critical diplomatic and international legal issue because it simply must be the case that there are certain acts that are put off limits and for which there are international and diplomatic consequences. and this kind of indiscriminate and disproportionate attack on the software supply chain is and should be one of them. mr. correa: mr. ramakrishna and mr. mandia, go ahead. mr. ramakrishna: i agree with my colleague, brad smith, that it is a technology as well as a political diplomatic issue. especially as it relates to the private sector, we have to learn and anticipate issues like this and collaborate together on coming up with best practices, similar to the ones that we are trying to do and new things that
5:50 am
our colleagues at microsoft and fireeye are doing. additionally, i think internally within the united states, we need to look at our disclosure rules and as we have all been saying, encourage more of us to come forward and disclose without fear of being punished either in the public or legally. so that is as it relates to us in the u.s. and then diplomatically setting some ground rules, holding people accountable and driving consequences is, i would say, the help that we can get from the government. last but not least, the point i have highlighted a couple of times today with regards to the need for speed and agility in terms of information sharing and information dissemination might require some help from lawmakers such as yourself. mr. correa: thank you. mr. mandia?
5:51 am
mr. mandia: yeah, i think everything both the witnesses have said is exactly right. it's a diplomatic issue, it's a technical issue. what i've learned over 20 years-plus in responding to security breaches, sir, is that all the threats we respond to literally mimic real world geopolitical conditions and really economic alliances as well. so when you look at what the threat is to the united states and cyber, north korea, iran, china cyberespionage, it's russia and then it's folks who are safe harbors for ransomware. so it's going to take diplomacy, it's going to take technology. it will be both. mr. correa: my last seconds i have, mr. smith, you talked about a community college being enough to get cyber education. do you have a list of community colleges that offer that education now? mr. smith: i will see what we have. mr. correa: do you know of any? are you showing us how far we have to go? mr. smith:, no actually the
5:52 am
community colleges of the country have created the kinds of courses that we need. they have become a much more common part of the curriculum. we have a robust cybersecurity profession in the united states, we just need to make it larger. i think we can harness what exists and expand the capacity and basically make it financially easier for people to go get these courses and education. ms. norton: the gentleman's time has expired. i thank the gentleman for his questions. the gentleman from florida. mr. gimenez of florida. are you there?
5:53 am
you're recognized for five minutes. i can't hear you. we'll go to the next person. mr. donalds of florida.
5:54 am
mr. donalds, are you there? let us then go to ms. porter of -- of where? mr. portman: i'm from california, ma'am -- ms. porter: i'm from california, ma'am. thank you so much. mr. ramakrishna, we're here today to talk about a major security breach. why are security breaches a problem? very briefly, just in a few words. what are we worried about? mr. ramakrishna: they could impact people and companies with breach of sensitive information and data. and they could -- ms. porter: wonderful. mr. ramakrishna, do you want to
5:55 am
please provide your home address for the committee today? and the american public? mr. ramakrishna: i'm happy to provide it, representative. i would like to take off the record and provide it online. ms. porter: so you don't want to share it with the whole world, like with russia? mr. ramakrishna: yes. ms. porter: so, you would agree that the information that got hacked is national security information, that it's damaging to national security implications, it could literally put lives at risk? you don't want to even give out your address, much less personal security information. what kind of legal liability is solarwinds taking for this hack? mr. ramakrishna: we have our standard understand user licensing agreement that we signed -- end user licensing agreement that we signed with every one of our customers, including our federal customers.
5:56 am
and we're bound by those. ms. porter: so your customers can sue you? there's a law that makes you legally liable for this data breach? mr. ramakrishna: i do not have the details of it, congresswoman. i'm happy to find out those specifics from our team and furnish them to you. ms. porter: mr. ramakrishna, does this look familiar to you? mr. ramakrishna: yes. ms. porter: solarwinds123. is it true that some servers at your company were secure with this cracker jack password, solarwinds123? mr. ramakrishna: congresswoman, i believe that was a password that an intern used on one of his servers back in 2017. which was reported to our security team and it was immediately removed. and that particular -- ms. porter: reclaiming my time.
5:57 am
i've got a stronger password than solarwinds123 to stop my kids from watching too much youtube on their ipads. you and your company were supposed to be preventing the russians from reading defense department emails. do you agree that companies like yours should be held liable when they don't follow best practices? yes or no? mr. ramakrishna: congresswoman -- ms. porter: should there be a national breach law? mr. ramakrishna: we believe, we take our security, as well as the secure security of our customers, very, very -- ms. porter: i'm sure you take everything seriously. you seem like a very serious person. but i'm asking you, should there be a breach law? let's move on. mr. smith, should there be a law requiring companies to notify first of all law enforcement, notify first of all law enforcement when they've had a cyberscurte breach? yes or no? mr. smith: yes, i believe there should be a law that applies to some and then we should decide who they notify. i'm not sure it should be law enforcement. it could be an organization like
5:58 am
cisa. ms. porter: excellent. mr. smith, thank you for that. earlier this week you told the senate intelligence committee that it took courage for fireeye and solarwinds to reveal this hack to authorities. what did you mean by that? mr. smith: what i mean is you have three companies here today, because we have chosen to share information. at microsoft we have published 32 blogs about what we observed and have seen. if i take my colleagues at google and amazon and put them together, they have published one blog. they didn't get an invitation here as a result. ms. porter: so i appreciate that. but you're not really saying we should give you some kind of scout badge for telling the federal government that the russians are waist deep in your source code. mr. smith:, no i did not ask for any kind of badge. ms. porter: good. i'm not going to give you one. mr. smith: i didn't think you would. ms. porter: do you -- do engineers or people at microsoft who come forward and reveal these kinds of breaches, do they
5:59 am
have protections? can they do so without fear mr. smith: within our company, it is their job to bring this information. >> should it be true in every company? mr. smith: i think it should be true that every company. i think that you need whistleblower protection, more important than that, we need to make it a mission for people to do their job so that companies can solve them. >> thank you very much, my time is expired. >> i think the gentlewoman for questions. i recognize mr. meyer. >> thank you braking member into our witnesses here today. i just want to echo gratitude
6:00 am
for stepping forward. i am not sure it is within our congressional robert to upper merit badges but i just want to thank you. on february 17, deputy national security adviser emerging technology announced hackers had launched attacks from inside the united states using our own infrastructure. this is a question for the panel. can you explain the unique challenges presented when we are having to mitigate the efforts of a foreign actor or one that is using our own internal systems? >> i will offer a couple of thoughts. we are taking turns. we have a well ability as a government, as it country through the national security agency to look at what is going on beyond our borders. the question is how do we take
6:01 am
stock of what is going on inside the united states, especially when a foreign government can basically use a credit card and false id to get access to a server in the u.s. data center. it is not an easy problem to solve. i think we all would recognize we do not want to live in a country where there is extraordinary domestic surveillance, so we have to ask ourselves how do we collect the information when there are these kinds of threats? we should call on the loyalty of companies in the country to step forward voluntarily and share information, but clearly that is not sufficient, it is not doing the job, so i think we should put in place a legal obligation that applies to companies in the critical infrastructure business, people that are first responders. we are at a microsoft, we are a first responder. we would recognize it is reasonable for this kind of law
6:02 am
to apply to us. that creates the date at goes to the government. there needs to be careful thought to how it is used, with whom it is shared, when it is shared back with others in the private sector. >> thank you. i would hope that sense of shared collective self interest not necessarily from a patriotic impulse but at least an awareness and understanding that when we are dealing with cybersecurity the contagion component of it is essential. while we are obviously referring to this as the solar wind hack and i note many of this have referred to it and looking to change it, that shift of not wanting -- the shift of the name, the tainting of the reputation goes towards those who are willing to acknowledge what has occurred and are willing to share it rather than not, and i guess on that point,
6:03 am
if you could put it simply. why did you come forward to testify today? mr. ramakrishna: congressman, we believe it is our obligation to learn from incidences such as this and be an active participant in the recovery and remediation. as we heard earlier today we need to bounce forward from this, not bounce back only. so we have taken our learning very seriously and have created an initiative within our company that we are sharing very publicly, so i consider it my obligation to be very active in the bouncing ford aspect of this -- forward aspect of this. >> thank you, one more specific question. i think it was determined by analyst that 30% of the victims had no direct connection to solar winds but were still
6:04 am
targets of the broader campaign. can you share what methods you -- this understanding and why they were not targeted in a separate effort, using the solar winds access? mr. ramakrishna: that is not a study we conducted, so i do not have the numbers, but as i engage with national defenders across the world -- we have spoken to the uk's security center, and they said they are actively investigating other supply chain attacks within the u.k. and other cases. a few days ago a french company noticed a supply chain attack as well. multiple investments are being used. earlier, i described the
6:05 am
intruders as behaving like transform a tories. they are changing their personalities and personas constantly. that is the reason i'm advising us to share information as quickly as possible so that we can flaunt these attacks. >> thank you, my time is expired. >> mr. mendez of california. >> thank you, i hope everyone can hear me now. i have a couple of questions. you talk about the supply chain. when you are developing software, is it a bunch of people in a room developing the software, or do you subnet out to other parts of your supply
6:06 am
chain, many of which can be offshore. mr. ramakrishna: in this particular context, these are employees of ours. like many american companies, we have a global workforce and employees all over the world to contribute to our software, which essentially is part of our supply chain. rep. gimenez: where is this embedded. mr. ramakrishna: it was on a platform which we call the orion platform, a product of ours. rep. gimenez: i understand that. you said this software is developed from all around the world. where was this malware embedded? mr. ramakrishna: it is difficult for me to pinpoint a location.
6:07 am
this particular software is built in a combination of our centers, including in the u.s. and non-us locations. rep. gimenez: somebody got access to your software development platform? mr. ramakrishna: basically somebody got access to one of our servers and he had piece of malware on it that was observing where products were being built, and as products were being built , they were able to replace that and keep it in the building process. rep. gimenez: did you run the software through security checks before you introduced it into the general public? mr. ramakrishna: there are security factors we had been adopting that were part of our standard software processes. since we have learned what else we can do, that is the
6:08 am
initiative i was describing earlier. rep. gimenez: mr. smith said earlier everybody should adhere to best practices. are you saying those federal agencies that were affected did not adhere to best practices? mr. ramakrishna: -- mr. smith: i do not want to speak to any specific federal agency. we saw typically a failure in one area or another to add to best practices. we sought for example passwords were not kept in a secure location. we saw there was not a practice called least privilege access where you try to give an individual access on only a limited part of the network. we saw instances where there might not have been the use of multifactor authentication. we definitely sought lapses which could have prevented the
6:09 am
impact among certain customers. rep. gimenez: thank you, i appreciate that. to be fair to say china, russia, north korea, iran are the major players in this cyber warfare we are engaged in? mr. smith: at microsoft we provided security defense report . all except one patient state actor was from those four countries. rep. gimenez: from this four countries? how would you engage our cyber defensive capabilities and cyber warfare? mr. smith: i am definitely not the expert on that. rep. gimenez: microsoft, are you in china, are you in russia? mr. smith: we have personnel in both countries.
6:10 am
yes. rep. gimenez: are there -- mr. smith: we certainly work with joint ventures, but we operate through microsoft corporation and through wholly-owned subsidiaries. i am not aware of any other kind of structure. rep. gimenez: i have been made aware if you were doing business in china they need to have 50% ownership to do business in china. does that apply to you? mr. smith: it does not apply to microsoft. there are companies we have acquired in recent years and i would want to go back and look specifically at the ownership structure for each of those. we run through our own company. i know mike -- rep. gimenez: i know my time is up and i yield my time. ms. norton: thank the gentleman for his questions. next would be mr. johnson from georgia. rep. johnson: thank you madam
6:11 am
chair. ms. norton: you may be muted mr. johnson. mr. johnson, can you hear me? you may be having bed with problems. -- bandwidth problems. who is next? we may have to go on to another member while we wait for mr. johnson of georgia, but just a moment these. i will see who is next.
6:12 am
witnesses are in and out with boats, so it is difficult to know who is available. take a moment, please. [indiscernible]
6:13 am
let us take a five-minute recess to see if other members are available. i apologize to our witnesses. with these rolling votes we are having this difficulties seeing who is available, but we will be back in five minutes. thank you. >> i do not seep mr. smith in the hearing. it feels like one of the takeaways from this hearing is that successful cyber attacks are really a matter of when, not if. when investigating this type of breach companies have conference of logs to review so they know who accessed what, what settings were change, and so on. is that right? mr. smith: generally, logs can be helpful, correct. rep.


info Stream Only

Uploaded by TV Archive on