WASHINGTON, DC – Today, U.S. Senator Rob Portman (R-OH), Ranking Member of the Senate Homeland Security and Governmental Affairs Committee, delivered opening remarks at a hearing to examine last year’s SolarWinds hack and subsequent breaches that compromised the information technology systems of critical federal agencies, private companies, and several state and local governments. The committee heard testimony this morning from federal cyber experts on why American cyber defenses were unprepared for the attack and what actions lawmakers can take to mitigate cybersecurity vulnerabilities and limit future cybersecurity breaches.
Portman noted that these attacks demonstrate the vulnerabilities of our cyber defenses and the need for bipartisan action in Congress to do more to equip the federal government to defend against and deter future cyberattacks. He highlighted the bipartisan report he issued in 2019 as then Chairman of the Permanent Subcommittee on Investigations warning of vulnerabilities at federal agencies to cyberattacks and his subsequent lack of surprise that three of the agencies highlighted in the report, including the Department of Homeland Security, were hacked in the SolarWinds attack.
A transcript of his opening statement can be found below and a video can be found here.
“Thank you, Chairman Peters. And I have appreciated our bipartisan work on these issues, even before you sat in the chair and I was Ranking Member. And we’ve got much more to do, clearly.
“We are here today to focus on this massive SolarWinds hack. The most massive hack, I believe, in the history of our country. We need to analyze its impact on the federal government and discuss what changes are necessary to prevent and mitigate attacks like this in the future.
“It has been three months since we learned of this attack and there is still a lot, frankly, that remains unknown. We’ll learn more today, I hope. But what we do know is really chilling. First, according to the FBI, the attackers were ‘likely Russian in origin.’ That’s a quote from them and our intelligence services as well. They were also smart and hard to detect, apparently. They were patient. They were careful about selecting their targets. They disguised their activity and used stealth techniques that evaded detection. And because of that, it took over a year to detect the attack—a lifetime to do damage for sophisticated adversaries like these.
“Second, we know that the attackers used a trusted software company, a supplier to attack the U.S. government. The attack compromised a security update or a ‘patch’ for the widely used SolarWinds Orion IT management software. So, it’s good cyber hygiene to have a security patch updated and it’s something that we preach that those practices ought to be followed. And yet, applying those updates and security patches is exactly how this hack occurred. Here, they used this security patch meant to better protect against hacks to launch the attack. The attacker capitalized on our assumption that these patches are safe to install. This should be a wake-up call for all of us who are concerned about our data being compromised.
“Third, we know that this attack was broad—the federal government, of course, was hit. We know that. But also the private sector. Within the federal government, this attack hit agencies that hold some of our most sensitive data and national security secrets. Based on public sources, this includes the State Department, the Department of Homeland Security, the National Institutes of Health, and the National Nuclear Security Administration, which is the agency charged with maintaining our nuclear stockpile. The SolarWinds attack also impacted the private sector, even cybersecurity firms like FireEye, the company that actually discovered the breach in its own systems. FireEye is one of the firms folks call when they discover a breach. So, here, the very people we call when we get hacked, got hacked itself.
“Fourth, we know that despite all the increased funding that has been appropriated for cybersecurity, some of the legislation that we’ve worked on here in this committee, the federal government never caught this attack.
“The fact that the federal government was hacked is not surprising to me. In June 2019, as Chair of the Permanent Subcommittee on Investigations, I released a report with Senator Carper detailing the extensive cybersecurity vulnerabilities of eight different federal agencies. Many of these vulnerabilities had remained unresolved for a decade. Over a year later, three of those agencies that we highlighted in our report were seriously compromised by the SolarWinds attack: DHS, State, and HHS. And those are just the three we know of as of today. So, unfortunately, this was not a big surprise to us.
“The SolarWinds attack was one of the most widespread and consequential cyberattacks to date. In response, we have to take a hard look at federal cybersecurity strategy. What are we doing wrong? Why are our defense capabilities not up to the task? This includes the failures of the federal government’s front-line defense program called EINSTEIN. EINSTEIN has cost approximately $6 billion and is supposed to detect and prevent cyber intrusions at federal agencies. Clearly, it was not effective in stopping the SolarWinds breach, or even recognizing that it occurred. EINSTEIN’s authorization expires at the end of next year, so it is a good time to consider its utility and how it can be improved.
“Any cybersecurity legislation we consider needs to address the broad set of risks facing our federal networks and needs to ensure there is proper expertise and accountability in the U.S. government. We’ll talk about that today and the legislation that was recently passed to establish more accountability within the Executive Office of the President. When these networks are breached, as in the case of SolarWinds, there also have to be consequences.
“I appreciate the witnesses being here today. I appreciate their service and I look forward to their testimony on these important questions and getting solid ideas as to how we can better defend our federal networks.”