The Democratic and Republican leadership of a Senate homeland security committee are asking key federal cyber security officials about the extent of compromises to federal networks arising from recently disclosed cyber hacks committed through commercial software products as well as about existing federal cyber security capabilities, roles and responsibilities, and strategy.
The requests by Sens. Gary Peters (D-Mich.) and Rob Portman (R-Ohio) follow a hearing the leaders of the Homeland Security and Governmental Affairs Committee held in March to examine the government's role in public and private sector cyber breaches perpetrated through commercial network management software supplied SolarWinds Inc. [SWI] and email server software supplied by Microsoft [MSFT]. During the hearing, both senators said the federal government needs clear lines of authority and accountability for detecting compromises of federal networks.
They also highlighted the fact that private sector entities first discovered the breaches, which included both private and public sector networks.
"Time and again this committee has discussed the challenges of defending against sophisticated, well-resourced, and patient cyber adversaries," Peters, the chairman of the committee, and Portman, the ranking member, wrote this week in letters this week. "Nevertheless, the fact remains that despite significant investments in cyber defenses, the federal government did not initially detect this cyberattack."
The April 5 letters were to Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security, and Christopher DeRusha, federal chief information security officer at the White House Office of Management and Budget.
In their letter to Wales, the senators want "unredacted documents" that show what federal information systems were compromised by both cyber hacks and the names of senior officials whose accounts were hacked. They also want to know what is the current DHS cyber security strategy and "intrusion assessment plan," and what the current and planned capabilities are for the department's EINSTEIN perimeter intrusion detection and prevention system, as well as the current and planned capabilities of the Continuous Diagnostics and Mitigation (CDM) program that provides visibility into, and detection and mitigation tools for, federal civilian agency networks.
In the case of the SolarWinds hack, attackers were able to breach networks using the company's software by inserting malware into software patches and updates, which bypass perimeter defenses such as EINSTEIN.
Wales at the hearing in March said that the CDM tools will be an area of increased investment for the federal government following the recent breaches.
In the letter to DeRusha, Peters and Portman asked about the current federal cyber security strategy and plans to update it, "A list of the roles and responsibilities for federal cybersecurity including an assessment of how these defined roles prevent duplicative efforts and facilitated the federal government's response to the SolarWinds attack," and data on the cyber security posture of federal agencies.
As in the letter to Wales, the senators also want DeRusha to provide them with documents on the specific federal networks that were compromised in both attacks and the names of senior officials whose accounts and systems were breached or targeted.
The senators want the requested information by April 20.