When federal agencies suffer a major cyberattack, they’re required by law to notify Congress immediately and provide details including any data breaches.
But agencies aren’t always complying with the law as intended, top lawmakers on the Senate Homeland Security and Governmental Affairs Committee said at a hearing Tuesday.
Committee Chairman Sen. Gary Peters, D-Mich., and ranking member Sen. Rob Portman, R-Ohio, said they were considering amending parts of the Federal Information Security Modernization Act, a 2014 law, to address gaps in information sharing and notification.
The committee’s hearing was focused on the SolarWinds attack by Russian intelligence services, which has exposed at least nine government agencies and 100 U.S. private companies.
Government officials and cybersecurity researchers have said that Russian hackers gained access to the software updating process of the network monitoring software made by SolarWinds and used that to inject malware into the company’s clients. The attack was discovered in early December after security researcher FireEye noticed and alerted government agencies to it, even though the breach likely began in July 2020.
In the aftermath of the attack, some agencies notified Congress that “something happened” on their networks, without providing any details, Peters said.
The omission of details in such notifications, as required by law, “frankly prevents Congress from conducting effective oversight,” Peters said. “While agencies may be meeting the letter of the law, they’re not meeting the intent of the law.”
Ryan Higgins, the chief information security officer at the Department of Commerce, told lawmakers that the agency considered the nature of the compromise and the “stakeholders and customers impacted” and decided that it was a “major cybersecurity incident.”
The department then notified the Office of Management and Budget, the Cybersecurity and Infrastructure Security Agency, and Congress, as required by law, Higgins said.
In contrast to the Commerce Department, the Department of Health and Human Services did an initial assessment of the attack on its systems and “felt that we had not lost any data … and we had also firewalled everything appropriately and that there wouldn’t be follow-up activity,” said Janet Vogel, the department’s chief information security officer.
The department confirmed with the OMB and CISA that “we would not declare a major incident at that time,” Vogel said. The agency would have done so if CISA had shared information it had about the SolarWinds attack and how it was affecting other agencies, she said.
But Portman said HHS’s decision not to declare the attack a major incident was concerning.
“To me this was definitely a major incident,” regardless of whether CISA provided the department with additional information, he said.
Peters and Portman in late April introduced a bipartisan bill to create a $20 million cyber response fund over seven years. The fund, to be managed by the Department of Homeland Security, would be used to help government agencies and private companies recover from major cyberattacks.
The bill would allow DHS to assess whether a cyberattack qualifies as a major incident and allow CISA to provide direct assistance to affected entities.
At Tuesday’s hearing, CISA’s acting director, Brandon Wales, said the bill and the national fund to respond to cyberattacks “is an absolutely instrumental advancement in the country’s ability to respond” to major attacks.
Wales said the fund would allow CISA to build cyber defense teams by hiring specialists on contract to assist victims of cyberattacks, to deploy sensors and technologies on site where an attack has occurred to better monitor follow-on activity, and to reimburse other federal agencies, including the Defense Department’s U.S. Cyber Command, that are sometimes asked to help, rather than paying for that help out of CISA’s current budget.