Portman Presses CISA Acting Director on Need for Single Point of Accountability for Federal Cybersecurity

WASHINGTON, DC – Today, U.S. Senator Rob Portman (R-OH), Ranking Member of the Senate Homeland Security and Governmental Affairs Committee, pressed Brandon Wales, Acting Director of the Department of Homeland Security’s Cybersecurity and Information Security Agency (CISA), on the need for a single point of accountability for federal cybersecurity. The hearing today followed up on last year’s SolarWinds hack and subsequent breaches that compromised the information technology systems of critical federal agencies, private companies, and several state and local governments. Portman highlighted the most recent Colonial Pipeline attack and noted these cyberattacks can have a real, demonstrable impact on the economy and national security. Portman pointed out that despite increased funding for cybersecurity and the bipartisan legislation the Homeland Security and Governmental Affairs Committee has worked on, none of the major cyberattacks on federal entities in the last six months were discovered by the federal government.

In addition, Portman urged Wales to provide Congress with prompt notification of these cyberattacks to inform legislation, ensure proper oversight, and help agencies mitigate these attacks. Portman highlighted a recent news report from the Associated Press detailing the scope of the SolarWinds attack at DHS—including information not yet provided to Congress. In response, Senator Portman and Gary Peters (D-MI) sent a letter to CISA requesting additional information and documents regarding the SolarWinds hack. Portman secured a commitment from Wales to provide the requested documents within two weeks.

Excerpts of Senator Portman’s questioning can be found below.

Portman: “Great, thank you Mr. Chairman. Yes, I must say I’m concerned that HHS didn’t report. I mean, under FISMA it’s pretty clear, when you look at the definition, that a report would have been required. Any incident likely to result in a demonstrable harm to the national security interest, foreign relations, or economy or a breach involving personal identifiable information. So, maybe we need to tighten up that FISMA requirement because the CISA requirement and the OMB requirement is far more specific and you know, I appreciate the fact that Commerce did report to Congress, thank you. And I’m concerned that HHS did not and Ms. Vogel, I understand that you all looked at what the impact was on HHS, but to me, this was definitely a major incident, and certainly it was in terms of the relationship between the different agencies, so I would agree with what the Chairman at least implied in his questioning which is, at least give us the opportunity to get notified of these so that we can do our proper oversight and be sure that we’re putting together legislation that makes sense to respond to these attacks.

“With regard to Colonial Pipeline, I know today’s focus is about federal cybersecurity attacks but this Colonial Pipeline one, as I said earlier, is probably the biggest attack ever on American infrastructure. Certainly the biggest one that we know of. Colonial supplies almost half of the oil to the East Coast. The systems remain offline today, as we talk. They have made some progress, I understand, opening up some lines, but not all the way up the East Coast. My hope is by the end of this week, that will be improved. But this is a stark example of how these cyberattacks can have real, demonstrable impacts on our economy and on our national security. Ask the people who are in East Coast states about what they’re paying for gasoline today at the pump and they will tell you it has an impact. There are a variety of tools and guidance to combat ransomware in CISA, Mr. Wales, but as we’ve seen here, we’re not effectively combating ransomware. Let me ask you a couple of questions. Did Colonial contact you?”

Homeland Security Cybersecurity and Information Security Agency Acting Director Brandon Wales: “They did not contact CISA directly.” 

Portman: “So they did not contact CISA. Did CISA contact Colonial?” 

Mr. Wales: “We were brought in by the FBI after they were notified about the incident.” 

Portman: “Okay. Would it have been helpful to you if Colonial had contacted you immediately to provide information so that you could have responded more effectively?” 

Mr. Wales: “So we received information fairly quickly in concert with the FBI. I think right now, we are waiting on additional technical information on exactly what happened at Colonial so that we can use that information to potentially protect other potential victims down the road.” 

Portman: “So you still don’t have the potential information that you need to be able to be responsive and to provide support to critical infrastructure. Is that what you’re saying?” 

Mr. Wales: “Yes, but that is not surprising given that they’ve only been working on the incident response since over the weekend and it’s fairly early. We have had a historically good relationship with both Colonial as well as the cybersecurity firms that are working on their behalf. We do expect information to come from that and when we have it, we will use it to help improve cybersecurity more broadly.” 

Portman: “If the FBI had not brought you in, would Colonial, do you think, have contacted you to ask for your assistance?” 

Mr. Wales: “No.” 

Portman: “Do you think that’s a problem?” 

Mr. Wales: “I think there is benefit when CISA is brought in quickly because the information that we glean, we work to share it in a broader fashion to protect other critical infrastructure.” 

Portman: “Right, I think that’s the point, is that one, you could have helped Colonial, but two, you know, having that technical information allows you to help other critical infrastructure. You know, if there’s ransomware focused on Colonial, there’s likely to be ransomware focused on other critical infrastructure as well. Isn’t that true?” 

Mr. Wales: “That is true.” 

Portman: “Well we appreciate your testimony today about the need for more funding, more preparedness funding, for CISA funding, the need to transfer some of our systems and the cost of that, but it seems to me that we also need to worry about these attacks. Whether they’re direct cyberattacks on the federal government, whether they are attacks on the private sector, or whether they are ransomware attacks being communicated to CISA and that, you know, you’ve got the expertise. We’ve passed a lot of funding already and a lot of bipartisan legislation to help you all have the tools that you need. Seems to me that we’ve got to make sure that communication flow is happening. 

“By the way, just a general question and I look forward to a second round where we can get into more of this but, my sense is that we have a number of vulnerabilities at the federal level. One is the systems themselves, in other words, the software, particularly in some of the hardware, is not updated. Is that accurate?” 

Mr. Wales: “There are legacy systems in the federal government that require modernization, absolutely.” 

Portman: “And is that where you would focus most of the funding immediately? What would be your top target? Because also, we have a lot of discussion in this committee about personnel and ensuring we have the best and the brightest with the federal government to be able to protect our personal information and national security. We also know that there is concern about practices. In other words, even with the best personnel and the best infrastructure – software, hardware – if you aren’t following the right practices, the so-called cyber hygiene, to be able to protect your systems, to be able to provide the appropriate encryption and so on, that it’s difficult to defend against these attacks. How would you prioritize those? Where would you prioritize the funding?” 

Mr. Wales: “Yeah, I don’t think you can prioritize among those three. Those are areas that, as you’re deploying new technology, those all need to advance in parallel. You need to ensure that as you put in place new systems, you’ve got the people who are actually capable of utilizing them to improve your security. We need to have people who have the ability to configure them in the right way. We see this a lot, particularly with the move to the cloud, in particular at the state and local level, they’ll deploy on the cloud but they’ll misconfigure their cloud environment and make it open and accessible to potential malicious actors. So we want to ensure that your technology, your people and your processes are being modernized together, because if any one of those lags behind, you’re going to introduce weaknesses into your overall information security program.” 

Portman: “That’s the idea in having CISA have more responsibility and more funding and the expertise and so we need to continue to work on that but again, we’ve done a lot to provide the tools and now the question is how do you bring those three elements and others together? And we’ve got to do it yesterday because these attacks continue.” 

Mr. Wales: “But sir, I would also add that it’s not just CISA, because ultimately the agencies are the ones that are deploying technology on their environment to support the operational needs of their mission. And as they do so, they need to do it with security in mind, they need to build that kind of security and resilience in. They need to build in those kind of zero-trust principles to ensure that their systems are protected, and they need to ensure that they have the right people and processes in place. We can assist them and provide best practices, in some cases we provide technology, but overall managing that information security program at an agency is essential. And I think that’s why we need to ensure that the CISOs, like those joining me today, are kind of empowered and resourced to be able to support the needs and the security of their agency.” 

Portman: “Empowered, and resourced, and held accountable for what happens at those agencies, including the reporting that we talked about earlier, correct?” 

Mr. Wales: “Yes.” 

Portman: “Thank you, Mr. Chairman.” 


Portman: “My first question has to do with a letter that Chairman Peters and I sent to CISA back on April 5th, Mr. Wales I know that you are aware of this letter, and we asked that by April 20th, we would have a response. It’s important that we have the best information possible to be able to deal with two things. One is the reauthorization of some of your programs that is occurring next year. We want to be smart about this and be sure that, as we are reauthorizing things like the EINSTEIN Program, that it’s done properly. But second, we are also working on legislation, as I said earlier, to ensure that we can respond to immediate threats and strengthen your abilities, frankly. We’re concerned that we haven’t had a response yet except for a few documents, all of which had previously been provided, I’m told, to this committee and to the Congress. Will you commit to providing a complete response to the letter this morning?” 

Mr. Wales: “Yes, we will respond. I know that we are in active discussions with your staff and that actually a briefing has been set for next week with the Department who obviously has responsibility for DHS systems including some that support CISA. And CISA will provide to the committee next week that get into some more of the details of some of the questions that were asked as part of the letter. But we are actively working this to be sure that we provide as complete a response as possible.” 

Portman: “Can you give us a timeframe?” 

Mr. Wales: “I cannot sitting here right now but we are working with your staff to provide as much detail as possible as quickly as possible.” 

Portman: “Well let’s suggest a timeframe here this morning that’s appropriate. Two weeks?” 

Mr. Wales: “We will work in two weeks to provide as much information as we can. And again, my one concern is CISA does not have all of the information, particularly where questions related to the broader problem.” 

Portman: “Yeah if there’s something that we’ve asked that’s inappropriate, let us know. But my sense is that what we’ve asked is relevant and appropriate to your reauthorization and frankly, coming up with legislation is more helpful to responding to some of the attacks we’ve talked about today.” 

Mr. Wales: “My only concern is that I can’t agree on behalf of the entire Department, because the DHS CIO is ultimately the one responsible for DHS systems.” 

Portman: “Let’s set a milestone in two weeks that we’ll have substantially all the answers, at least those that you have the ability to answer. Because I think the sooner the better since we’re moving ahead with legislation, even during this month before the next Congressional recess. Second is, we talked a lot about funding today and the American Rescue Plan, as you know, provided $650 million to CISA for various ways to help modernize cyber systems. You mentioned hardening the cloud earlier. Can you in one minute, just tell us, or less, precisely how you expect to use that $650 million?” 

Mr. Wales: “Sure, so four primary lines of effort. First is beginning to expand our cyber defensive teams so that we can spend more time doing persistent hunt activity inside of federal agencies. Second, is the deployment of new technologies and sensors inside of networks, and point detection and response tools that will give us better visibility for agencies and better visibility for CISA into what’s happening on those networks. Three, the deployment of pilot-secure, threat-hardened cloud environment for business systems to allow us to test the most effective ways to secure and defend those and then promulgate a reference architecture across the dot gov.” 

Portman: “That would be focused primarily in the private sector and their ability to use a hardened cloud?” 

Mr. Wales: “Well it’s primarily focused on testing a private cloud for the federal government civilian agencies that more federal agencies can then use. Right now I would say there is, I’d say, a variety of different kind of cloud security environments that federal agencies have adopted and we want more consistency.” 

Portman: “Okay, more secure than others. But it wouldn’t respond to the Colonial type challenge?” 

Mr. Wales: “No.” 

Portman: “What’s the fourth one?” 

Mr. Wales: “The fourth one is additional funding to help accelerate the move towards more defensible and secure architectures. It’s helping agencies move towards zero-trust-based approaches for their securities and help build more defensible and secure network configurations and architecture.”

Portman: “Okay, well I appreciate that. This was part of the COVID-19 package, American Rescue Package. I’m glad the money is being used, and used productively. I can’t see how it has any connection to COVID-19, by the way, which was unfortunately true with much of that legislation, but the money has been appropriated, we need the help right now, and we will be eager to see, you know, how this money is being spent. We will be overseeing it and my sense is that what you’re doing is going to be helpful to the broader mission of CISA that we’re trying to work on through legislation. Final question has to do with what just happened with regard to SolarWinds. There has been a news report that has not been confirmed nor denied by the Department of Homeland Security that the SolarWinds attack not only attacked agencies, as you know – had a major detrimental impact on nine different federal agencies at least – but specifically it was an attack on DHS. And that two areas, according to this report were subject to this massive attack. One is DHS’s Foreign Threat Hunting Teams were actually breached. And second is that the Secretary of DHS’s email account was actually breached. Can you confirm that that’s true?”

Mr. Wales: “Sir, in an open hearing what I can say is a small number of accounts at the department and at CISA were compromised during this incident.” 

Portman: “Are the Foreign Threat Hunting Teams part of CISA?” 

Mr. Wales: “We have threat hunting teams. Again, I’m not sure about the use of the term ‘foreign’ there but we do have threat hunting teams, those are the teams that provide incident response and hunt support to our federal agency partners. But I will just make one small comment and that is the compromise at DHS only affected our business email networks. It did not affect our operational networks where most of our cyber security work is done. Things that manage our EINSTEIN System, the system that our incident response teams use as part of when they go on-site and support other agencies. So this would mean the compromises were limited to business email and not to our operational work.” 

Portman: “Can you confirm that the secretary’s email account was breached?” 

Mr. Wales: “I’m going to defer that question to the Department’s CIO who was responsible for it.” 

Portman: “As you know, former Secretary Wolf confirmed publicly that his email account was breached. He said so on April 20, 2021. I’d also like to put the AP story into the record. I’d like to ask unanimous consent, Mr. Chairman, to do so. It indicated that the former secretary and that DHS was compromised by this attack. We need to know the information and if it’s classified, we understand. We’ve had a classified briefing, by the way, since you and I last talked at a public hearing where we had the opportunity to receive that information and we did not. So, we need to know what’s going on to be able to legislate properly and provide the proper oversight.

“I want to end by thanking you for your testimony today. For your ongoing communication with me and my staff and Senator Peters and his staff. And for your professionalism. It’s an impossible task right now. The enemy is moving very quickly, both foreign state actors and cyber criminals, and we have to move even more quickly. We have to stay ahead of them. And whether it’s personnel — and dragging our feet on having the right cyber workforce is a major frustration for me and the federal government, we talked about the 2014 legislation that’s still not properly enacted – or whether it’s in regard to keeping our systems up to speed and particularly what’s going on in the cloud. We have to stay ahead of them and so I hope you will remain committed to this task and provide the leadership to be able to respond to this very difficult challenge.”