WASHINGTON, DC – Today, U.S. Senator Rob Portman (R-OH), Ranking Member of the Senate Homeland Security and Governmental Affairs Committee, delivered opening remarks at a second hearing to examine last year’s SolarWinds hack and subsequent breaches that compromised the information technology systems of critical federal agencies, private companies, and several state and local governments. The committee heard testimony from federal chief information security officers on what resources and reforms are needed to help mitigate cybersecurity vulnerabilities and prevent foreign adversaries, such as the Chinese and Russian governments, from breaching federal systems.
Portman noted that in the last six months, hackers executed four known major cyber campaigns against U.S. government agencies and private companies: SolarWinds, Microsoft Exchange, Pulse Secure, and most recently, Colonial Pipeline. The SolarWinds and Pulse Secure VPN attacks targeted federal agencies, yet it was private sector companies that discovered these intrusions. Portman pointed out that despite all the increased funding appropriated for cybersecurity and the bipartisan legislation the Homeland Security and Governmental Affairs Committee has worked on, not one of these federal intrusions was discovered by the federal government. He also highlighted the bipartisan report he issued in 2019 as then Chairman of the Permanent Subcommittee on Investigations, which warned of cybersecurity vulnerabilities at federal agencies, and said he was not surprised that three of the agencies highlighted in that report, including the Department of Homeland Security, were hacked in the SolarWinds attack.
A transcript of his opening statement can be found below and a video can be found here.
“Thank you, Chairman Peters. I’ve appreciated our bipartisan work over the years together on improving federal cybersecurity and I look forward to continuing the partnership. You just mentioned some of the efforts that are underway. As many of you know, we are in the process of writing legislation right now to address some of these issues that we’ll talk about today. Today is an opportunity to really focus deeply on some of these attacks that have happened over the last several months. We already had one hearing on the SolarWinds hack. And today we want to continue that oversight with some witnesses from the agencies to talk about how we can learn from these incidents to improve our cyber defenses in the future. I look forward to hearing the perspective of these agency officials on the ground as they try to fend off these cyberattacks.
“In the last six months, hackers have executed four major cyber campaigns against U.S. government agencies and private companies. Those are four that we know of, and I say that because many of these attacks occurred months ago and we only learned of them more recently. SolarWinds is one, Microsoft Exchange, Pulse Secure, and most recently of course, the Colonial Pipeline. The SolarWinds and Pulse Secure VPN attacks targeted federal agencies, and yet it was private sector companies that discovered them. That should be concerning to all of us. Despite all the increased funding appropriated for cybersecurity and the bipartisan legislation we’ve worked on here in this committee, not one of these federal intrusions was discovered by the federal government. Cyberattacks are going to continue to be a threat and the federal government needs to be able to identify those threats and defend against them.
“We continue to learn about these attacks. Here are some of the details that we already know. First, after our last hearing, the U.S. government officially attributed the SolarWinds hack to Russia’s foreign intelligence service, or the SVR. So we’ve learned that since our last hearing. SVR was very patient and selected its targets carefully and compromised a trusted link in the software supply chain. It disguised its activity and used stealth techniques that evaded detection. Because of that, it took more than a year to detect the attack — a lifetime to be able to do damage for sophisticated adversaries like these.
“Second, we know the SolarWinds and Microsoft Exchange attacks were broad. Within the federal government, the SolarWinds attack hit agencies holding some of our most sensitive data and national security secrets — including the agencies before us today. I look forward to the testimony of our witnesses about the impacts of recent attacks on their agencies. The SolarWinds and Microsoft Exchange attacks also impacted the private sector, even cybersecurity firms meant to protect our systems. For example, FireEye, the company that discovered the SolarWinds hack, was breached itself. FireEye is one of the firms folks call on when they discover a breach. So, here, the very people we call on when we get hacked, got hacked themselves. We are still in the very early stages of learning about the Pulse Secure attack, but recent reports indicate at least five federal agencies were compromised in that attack. So we’re learning as we go and it’s concerning.
“Third, the fact that the federal government was hacked is not surprising to us. In June 2019, we issued a report from the Permanent Subcommittee on Investigations – I was Chair of that Committee at the time, Senator Carper was the ranking Democrat – and that report details the extensive cybersecurity vulnerabilities of eight specific federal agencies. Many of those vulnerabilities had remained unresolved for a decade. More than a year later, three of those eight agencies were seriously compromised by the SolarWinds attack: DHS, State, and HHS. State is not here, but HHS is here and we look forward to a dialogue about why HHS did not declare a major incident under the Federal Information Security Modernization Act, or FISMA. We talked earlier about FISMA and the need to reform it but under current FISMA, it seems to me that should have been declared a major incident. I am concerned that members of DHS’s cybersecurity team who hunt threats from foreign countries and the former DHS secretary were compromised in the SolarWinds attack and that we learned from this not from DHS, not from CISA, but from news reports. Mr. Wales, I look forward to a discussion of how CISA specifically, which is a part of DHS, was impacted. And again, we’ll refer later in the questions to those specific news reports that I’m talking about.
“Finally, it’s clear that cyberattacks are going to keep coming. Last week, cyber criminals attacked Colonial Pipeline, the company responsible for providing about 45 percent, almost half, of the East Coast’s fuel. This is potentially the most substantial and damaging attack on U.S. critical infrastructure ever. It shows that cyberattacks can have tangible, real-world consequences. Although our witnesses today are here to discuss the federal cybersecurity side, I think it is important that we hear from CISA about what we know so far about this attack on the Colonial Pipeline and what we should be doing to deter, detect, and respond to attacks like this in the future.
“These four recent attacks have demonstrated not only the weakness of our defenses, but also the persistence and sophistication of our adversaries. In response, we have to take a hard look at our federal cybersecurity strategy, capabilities, and leadership and discuss what changes are necessary to prevent and mitigate attacks like this in the future.
“At our last hearing, I asked our witnesses who is ultimately accountable, who is responsible, for federal cybersecurity. The witnesses were not able to give a clear answer, which is troubling. Under current law, each agency is ultimately responsible for securing its own networks, which is why we have asked the agency Chief Information Security Officers, or CISOs, to give their perspective today. But, CISA must also have visibility across federal civilian agencies to be able to do what Congress created it to do: secure the networks of the federal government.
“Congress also created the position of the National Cyber Director in the White House to coordinate implementation of national cyber policy and strategy, as recommended by the Solarium Commission. The Biden administration has now nominated Chris Inglis and I understand his paperwork is being finalized. It appears that the Deputy National Security Advisor for Cyber and Emerging Technology, Anne Neuberger, has also taken a leading role in handling cyberattacks based on briefings we’ve received.
“I believe that a single point of accountability is necessary. I think that single point of accountability for federal cyberattacks, overseeing all of this — the individual agency efforts and CISA’s work to support them — is crucial to ensure we have proper responsibility and accountability. I appreciate the witnesses being here today again, Mr. Chairman, and I look forward to your testimony on these important issues.”