The hearing: The Tuesday afternoon hearing — the first public congressional inquiry into the SolarWinds breach — will focus on the role that private companies have played in discovering, analyzing and sharing information about the breaches, as well as in fixing any underlying issues in their own products.
The list: On Monday, Google offered up a list to lawmakers of more than a dozen questions that one Senate aide said were aimed at scrutinizing the security of Microsoft products, such as Windows 10, Azure and Office 365. The aide spoke on the condition of anonymity in order to discuss the matter freely.
It’s unclear if every lawmaker on the 16-member panel received the list of queries from Google.
The aide said some, but not all, of the questions are intended for Smith, who will appear before the committee Tuesday afternoon alongside executives from SolarWinds and the cybersecurity firms FireEye and CrowdStrike. The latter two companies have been at the forefront of uncovering the breadth and scope of the likely Russian espionage operation that officials believe specifically targeted nine federal agencies and roughly 100 companies.
A second Senate aide who also spoke on the condition of anonymity described Google’s questions as “bad” and that committee members had been told to be wary of them.
Neither Google nor Microsoft responded to requests for comment.
Figuring out Microsoft’s role: In a Dec. 14 Securities and Exchange Commission filing, SolarWinds appeared to claim that the hackers first accessed its systems through flaws in Microsoft’s Office 365 service. Microsoft vehemently denied that. In the same FAQ, Microsoft denied a Dec. 17 Reuters report that the hackers breached its network and used its products “to further the attacks on others.”
But Microsoft has admitted that the hackers accessed some of its products’ source code and reviewed code related to the products that they later exploited to preserve their access to breached networks.