WASHINGTON, DC - Today, U.S. Senator Rob Portman (R-OH), Ranking Member of the Senate Homeland Security and Governmental Affairs Committee, pressed Biden administration cybersecurity officials on the need for accountability for cybersecurity in the federal government to ensure a more effective national defense against cyberattacks, especially in the wake of the most recent ManageEngine cyberattack and increased cyberattacks against the private sector and federal agencies.
In response to Portman’s questions, Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency at the U.S. Department of Homeland Security, explained the danger posed by the ongoing ManageEngine cyberattack. The CISA alert noted it “poses a serious risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and other entities that use the software.” Director Easterly disclosed that CISA worked with the U.S. Coast Guard on the ManageEngine vulnerability at the Port of Houston, which they believe was the work of a nation-state actor.
Senator Portman also discussed his upcoming bipartisan legislation to ensure proper reporting requirements in the event of cyber and ransomware attacks so that the appropriate federal agencies and Congress are aware, activated, and have the information to help mitigate the effects.
Portman: “Thank you Madam Chair. I want to start if I could, by asking unanimous consent to put something in the record that has to do with reporting. This is some of the feedback that we have received from industry and government with regard to our cyber notification legislation. I think the bill is better for this input, and I think it would be appropriate to have these letters included in the hearing record. All three relate to the legislation. One is from 18 trade associations, one is from the financial sector, one is from the communications sector, and the fourth is from the oil and gas sector expressing their concerns in that case about lack of consultation with the pipeline industry before issuing security directives. I would ask unanimous consent that these be placed in the record.”
Acting Chairwoman Maggie Hassan (D-NH): “Without objection.”
Portman: “Thank you, Madam Chair. Let me start with something urgent. I’m really eager to get to the accountability issue because, as you know, I think that’s critical for us to be able to organize ourselves properly going forward. But unfortunately, we live in a state of constant attacks, and we just had another one. There’s a joint publication by CISA, the FBI, and the Coast Guard last week that indicates an advanced persistent threat, meaning right now, timely, a threat targeting a software program used to authenticate users when they log onto their computers. And according to this publication, it’s widely used by several critical infrastructure sectors, and hackers have covered their tracks much like what we saw with SolarWinds. So again, I’d hope we could talk about the important, not just the urgent, but the urgent is upon us again. I would ask you, Ms. Easterly, can you briefly explain what this is and why it matters?”
Ms. Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency at U.S. Department of Homeland Security: “Thanks very much for asking that question, Ranking Member Portman, because it does speak to, I think, a really good news story and the collaboration and how we use data to help protect other sectors of critical infrastructure. So you’re referring to something called ManageEngine ADSelfService Plus, which is this password management and single sign-on capability. We worked with the U.S. Coast Guard on a vulnerability at the Port of Houston and found out about this. We work with our FBI partners and our Coast Guard partners to better understand that vulnerability and then to be able to get that information out to see whether, in fact, we saw the same vulnerability across the federal cyber ecosystem and in our critical infrastructure partners. This was actually one of the early successes for JCDC, because we were able to share that information across our JCDC partners to see if they could find additional victims to notify. To this point in time, we see that the campaign thus far is limited, but we’re continuing to work through it, and I’m happy to keep you apprised.”
Portman: “Well, I appreciate that. I guess I’m glad to hear that, that you feel like in this case, we have a handle on it. I did speak to one of your prominent JCDC members yesterday, and I support what you’re doing there, including bringing the private sector expertise in. And I think it’s critically important. The alert indicates that this advanced, persistent threat and these actors have been exploiting vulnerabilities, but also covering their tracks. What does that mean? Does that mean if it’s a nation-state actor, as an example, we’re not going to be able to determine who it is?”
Director Easterly: “Well, as you know, Ranking Member Portman, attribution can always be complicated in terms of being able to dispositively say who that threat actor is. Certainly, the most sophisticated threat actors go to great lengths, as we saw with SolarWinds, to be able to cover their tracks and obfuscate their presence so that they can live for long times in networks and be able to extract data. But we are working very closely with our interagency partners and the intelligence community to better understand this threat actor so that we can ensure that we are not only able to protect systems, but ultimately to be able to hold these actors accountable.”
Portman: “In terms of this one, can you tell us who you think it is?”
Director Easterly: “At this point in time I would have to get back with my colleagues, but I do think it is a nation-state actor, sir.”
Director Easterly: “Yes, sir.”
Portman: “Okay, well, we look forward to hearing more as you have it, perhaps even in a classified setting, to understand what we can do to be able to respond, as you say, to be able to push back against these nation-state actors who continue to probe and to commit these crimes against our public and private sector entities, in this case, critical infrastructure.
“Okay. Accountability. I’m going to show a chart here that it is a chart that tries to explain what the roles are. And maybe it’s just me, but it seems like there’s a lot of overlapping responsibility, including, by the way, among the three of you. And the question is, who’s in charge, who’s accountable? But we talked about this latest hack, and you mentioned that you’re involved as the CISA lead, which is good. But also you indicated that there are other entities involved. And the question is, you know who’s in charge and who will take accountability as things happen. So this chart has, with regard to the strategic side, a National Cyber Director, who’s here with us today. It has a Deputy National Security Advisor, who’s been with us here before. She is not with us today, but she has a role that she has indicated is, in some ways, quite similar to your role. Then we have OMB, of course, the federal CIO and the federal CISO role. And then the CISA Director and the FBI Assistant Director for Cyber are more on the operational side. And then the strategic side, of course, every agency head has to be involved and should be and then, of course, the agency CIOs and the CISOs in the agencies. And that goes to our FISMA issue we talked about earlier. So I guess what I would start with you, Mr. Inglis, and again, I’m glad you’re where you are. I wish you had more staff to be able to do your job, which is another topic we’ll discuss. Under your authorizing statute, you are the Principal Advisor to the President on Cybersecurity and Cybersecurity Strategy. Is that correct?”
Mr. Chris Inglis, National Cyber Director in the Executive Office of the President: “That’s correct, sir.”
Portman: “And does that mean that you are the single point of accountability for federal cybersecurity within the executive branch?”
Director Inglis: “I think I am the single point of accountability for federal cybersecurity on owned or leased estates to include the federal government and the critical infrastructure. When we determine that we need to use instruments of power outside of owned or leased estates, the military, diplomacy, financial instruments of power, the National Security Council is the natural place to essentially coordinate those instruments of power, and therefore they would interact to determine what that strategy should be to do the rest of what’s required. But for purposes of preparation, synthesis of the big picture, defense of owned and leased estates, performance assessment, I am the accountable person.”
Portman: “So, are you accountable, as an example, if the Department of Homeland Security does not have proper cyber hygiene in place? Probably not a good example because they were one of the few agencies that we found of the eight that was doing some of the right things. But let’s say the Department of Health and Human Services or the Department of Energy. Are you the one responsible?”
Director Inglis: “Yes, sir. I am ultimately the accountable person. Now, my job is to ensure that that accountability has been allocated properly to agency and department heads, to CISA for being the operational entity coordinating the defense, to OMB for issuing the right directives. As the coach, as we’ve used that term before, I need to ensure those roles are properly assigned, properly executed, and ultimately to do performance assessments to ensure that we’re meeting the need.”
Portman: “And let me ask you this, this organizational chart, again, where we’ve talked about in the past the overlap, and you just talked about the National Security Council overlap with what you’re doing. Do you think the federal government’s organizational structure is effective right now? And do you think that the lines of responsibility are clear?”
Director Inglis: “I think it is reasonably effective. Can we make it better? We can. And we will. The three of us at this table talk on a daily basis about how to actually ensure that these roles complement one another. I would observe that the chart, you’ve been generous. The chart does not show sector risk management agencies. That’s a further complication of what they do on the edge of the enterprise that they represent. All of those strengths represent diversity which properly applied can be a huge strength for us. It is perhaps then less complicated than the U.S. Department of Defense or an American football team, which, if it has the right strategy, it has the right roles, if the life forces that course across it create coherence, unity, purpose, unity of effort, it can, in fact, be quite useful. That’s our job is to make sure that the video actually makes sense, even if the static picture does not.”
Portman: “Well, you make the football analogy. There you have a coach who is ultimately responsible. You have a quarterback responsible for the offense. And the question is, how do you have that with this more diffuse structure? Is there any thought of issuing an executive order or some other rulemaking to more clearly delineate what the lines of responsibility are?”
Director Inglis: “There is, sir. I think that’s essential. We’re actually taking our time, not because we’re complacent in any way, shape or form, but taking our time to actually let experience - a modest amount of experience - drive our efforts to then clarify in writing what we believe is the right and proper way to describe that chart in action. I think you would have hopefully seen over the last three or four months, there were several times when we reported informally to this committee, not on a major incident, but an incident we thought was reflective of the work that we do together, where we surged to the point of need to assist an agency that was encountering some difficulty. We checked the rest of the enterprise, the federal enterprise, in that case, to ensure that that had not been something experienced by others. We visited with the investment strategy, using OMB resources to ensure that we were making the proper investments to get ahead of this and reworked that accordingly and then ensured that ultimately those best practices became something that everyone could benefit from. That’s complicated, that’s hard to do. But it is the necessary work of the leadership that you’ve charged to undertake coherence in that diagram you have behind you.”
Portman: “Well, let’s go to one of those points that you just made, which is the cybersecurity budget for the agencies. Mr. DeRusha is here with us on the panel, and you’re here in the panel, yet both of you have that responsibility. As I understand it, you have responsibility over the agency cybersecurity budgets and what they ought to be. Is that true, Mr. DeRusha?”
Mr. Christopher DeRusha, Federal Chief Information Security Officer for the Office of Management and Budget: “Well, sir, OMB does absolutely.”
Portman: “So, say it again.”
Mr. DeRusha: “I’m sorry, sir. Yes, OMB has a responsibility, it is a shared responsibility between the management side, but largely the budget side, the resource management officers.”
Portman: “Okay. I don’t want to put Mr. Inglis on the spot here, but would you agree with that, Mr. Inglis? That you don’t have responsibility for cybersecurity budgets?”
Director Inglis: “I don’t have unique and solitary authority over that. I agree.”
Portman: “Not unique and solitary. But Mr. DeRusha just said that it’s OMB who has unique and solitary over that responsibility. And my understanding is that you believe you have responsibility for it, too.”
Director Inglis: “No, sir, I don’t. By statute, I have the responsibility to report on performance. I don’t have the authority to direct dollars. I don’t have the authority to move dollars, but I think I have a useful and necessary function to report on performance. I think by example, what we’ve done has actually joined those two responsibilities in a way that’s coherent: take the Technology Modernization Fund in hand, as earlier described by Mr. DeRusha. There’s a billion dollars allocated by Congress for that purpose. There’s $2.3 billion in applications. OMB, using its authority, has described what the requirements are that would allow them to judge the merits of any particular application. They’ve empaneled a board. I have looked at those requirements, so I have judged that the panel is an appropriate panel to adjudicate this, and I look at each of the applications and each of the awards to ensure that they’re consistent with our overall cyber strategy. I, therefore, am in a place where I am performing my responsibility to ensure performance at the same time, allowing OMB to perform their statutory responsibility to be accountable for the budget. Those two nicely, but in a complicated way, intersect at this thing we call cyber. I think that’s by statute where we are, we could possibly clarify that to a greater degree in the FISMA Modernization and other bills. But the things that I think that we’re enjoying at the moment, we can achieve coherence with the roles as they are defined.”
Portman: “Okay, well, I’m over time already and I apologize to my colleagues. Let me just read the statute for what you’re supposed to be doing, reviewing the annual budget proposal for relevant federal agencies and departments and advising the heads of such department agencies whether such proposals are consistent with the National Cyber Policy and Strategy. Sounds like you’re involved in the budgets, but we look forward to further conversation in the second round. Thank you, sir.”
Portman: “Thank you. And again, thanks for the opportunity today to dig into some of these issues, including a good dialogue you just had with Senator Scott. There’s so much that needs to be done to tighten up our defenses and respond more effectively. But one is this reporting requirements legislation we talked about earlier, and we would like to get legislation passed that is bipartisan that you all can work with. And the bottom line is, it would require entities to report to you, Ms. Easterly, in a more expedited fashion. And in some cases, just clarifying that that’s a responsibility because it’s not, as we saw with Colonial Pipeline when they got the FBI and didn’t contact you, based on our hearing testimony. So for you to be able to properly disseminate that information that you get to the right agencies and therefore to have the right analysis, I suppose you need to do that. What do you need? In other words, if we have a reporting requirement, what do you need to make it effective so that CISA can take that information and get it out immediately to the right actors?”
Director Easterly: “Thanks for the question, Senator. Well, that’s what we do every day. We receive a variety of reports across the federal civilian executive branch. We receive a variety of reports at the state and local level, and then, of course, critical infrastructure. And we analyze those reports to ensure that if there is information that needs to be shared with other entities to help us raise the cybersecurity baseline of the cyber ecosystem, that we are doing that. That really is what I describe as our superpower is to share that information and the authorities that we were given by the Congress to do that, I think, are exactly what we need. If this legislation goes into place, and I’m a huge supporter of it, and I think, as I said earlier, we need to craft it in such a way that it enables enforcement, it is timely, but we’re going to need to put in place process to be able to handle this information at even greater scale and make sure that we can share it as agilely as possible. I think that the JCDC that we’re standing up will help enable that, because again, that gives a construct to share many to many. Uniquely, it is the only federal cyber entity in statute that brings together NSA, FBI, CISA, Cybercom, DOD, ODNI with the private sector so that we can share that many to many. That’s the dots visibility issue that we’re trying to solve, Ranking Member Portman, and I’m optimistic that we’ll be able to leverage any new legislation to share that information as agilely as possible.”
Portman: “Well, I appreciate that my colleagues want to ask some additional questions. I want to make sure they get the chance to. We’ll have more follow-up on this as we move the legislation through the process. But we want your input. We want to make sure that this works right and doesn’t unduly burden those who get hacked at a time when they have to be able to respond. So that’s why there’s a time period here to give them time where they’re not filling out paperwork, but they’re, in fact, addressing the attack. So there’s a balance here. We understand that. But ultimately, we want to have a reporting requirement, and we want to make sure that you have the resources to be able to properly take that information and get it out to the right federal agencies and others as quickly as possible.”
Director Easterly: “Can I respond to that?”
Director Easterly: “I totally agree with you. I mean, we went through this in the private sector at Morgan Stanley. What we don’t want is to have CISA overburdened with erroneous reporting, and we don’t want to burden a company under duress when they’re trying to actually manage a live incident. And that’s why I think the rulemaking process, that will be consultative with industry, will really be important to getting this right. We don’t want to be flooded with reports saying we detected something. We’re not sure whether there’s actual impact or not. I think we need to make sure that there’s determined impact, and then we can get that information, and we can do something with it that will help ensure the cybersecurity baseline is raised. But erroneous noise is not what we need. We need signal.”
Portman: “Yeah, I couldn’t agree more. You noted that at the outset, we introduced into the record letters we received from the private sector, and I think you’ll see in some of that information, the input that you’re talking about, and it’s a balance, and we’ll try to achieve that balance, but also provide some discretion so that we get it right. And we look forward to working with you. Thank you, Mr. Chairman.”