Agencies are still unraveling the full extent of a massive cybersecurity breach that has affected wide swaths of government and industry.
But two of the leading voices on cybersecurity issues in Congress have called the discovery of the breach, made possible through malware embedded in SolarWinds network management software, a warning shot to agencies of how vulnerable they are to cyber intrusions.
Amid bipartisan calls to double down on cybersecurity within government, the leadership of the Cyberspace Solarium Commission said Thursday that the SolarWinds breach has further raised the stakes for the National Defense Authorization Act that President Donald Trump has threatened to veto.
Congress included a third of the Solarium’s final recommendations in the 2021 NDAA, chief among them provisions that would elevate and empower the Cybersecurity and Infrastructure Security Agency and put a Senate-confirmed national cyber director position back in the White House.
Sen. Angus King (I-Maine) said the breach makes a clear case for the work of the Cyberspace Solarium Commission and the cyber provisions that made it into the annual defense policy bill passed by the House and Senate.
“This is the most important bill on cyber ever passed by Congress, and that’s why I’m really hoping that the president will either sign the bill or let it become law without a signature, because there is so much critically important material in the bill,” King said during an annual summit hosted by Defense One.
White House Press Secretary Kayleigh McEnany said Tuesday that Trump still does plan to veto the NDAA. The president has threatened to hold up what’s considered must-pass legislation unless it would repeal a section of the Communications Decency Act that protects social media from being held liable for content posted on their platforms. He’s also taken issue with an amendment that would remove Confederate names from military bases.
“He wants to make every effort to protect our military men and women, and we’ll prioritize military funding in the big omnibus bill,” McEnany said.
Rep. Mike Gallagher (R-Wis.) stopped short of saying the NDAA’s recommendations would have prevented the SolarWinds breach, but said the provisions would have at least given CISA the tools necessary to fight back against the “hack of the decade.”
“You just need someone who’s capable of looking across the interagency and coordinate with the private sector, to start to detect patterns. And I hate to say it, but I just don’t think the CIOs at all these different agencies are capable of doing that right now,” Gallagher said.
One section of the NDAA would give CISA the authority to conduct “threat hunting” on federal networks. Another would allow the agency to issue administrative subpoenas to Internet Service Providers when the agency detects critical infrastructure security vulnerabilities.
“All this administrative subpoena, which sounds sort of scary, is that CISA can go to the ISP and say, ‘We’ve seen this threat. Who’s your customer, so we can warn them,’” King said.
The cybersecurity firm FireEye first sounded the alarm about this breach to government and industry, but CISA has led the federal response in significant ways, issuing an emergency directive late Sunday ordering agencies to remove the compromised network management software.
CISA also released an alert Thursday describing evidence of “additional access vectors, other than the SolarWinds Orion platform” that it was still investigating.
Gallagher said the NDAA would ultimately put CISA on a path of gaining equal footing with the National Security Administration.
“We know that federal government jobs can never compete with the private sector on salary, but we can compete on mission. The reason the NSA is able to recruit the best and brightest is it’s a cool mission. There are things you can do there you can’t do anywhere else. And we want the same to be said of CISA,” Gallagher said.
The defense bill would also reestablish a national cyber director who would report directly to the president. Former National Security Adviser John Bolton eliminated the position during his tenure, but King said this job would cut across siloed departments in ways agency chief information officers might not be able to pull off on their own.
“My concern is, you’re the CIO in the EPA, and you detect a problem. That same problem may be unfolding at Commerce or at the Treasury, we’ve got to have a better way to integrate this data and share information,” King said.