Senators Push for Changes in Wake of SolarWinds Attack

Intelligence Hearing Focuses on Need for Federal Breach Notification Law, Fixing 'Blind Spots'
The SolarWinds supply chain attack that led to follow-on attacks on nine government agencies and 100 companies points to the need for a federal law requiring prompt breach notification, several senators said at a Wednesday hearing.
At the hearing, members of the Senate Select Committee on Intelligence heard from the leaders of the FBI, the CIA, the National Security Agency and the Office of the Director of National Intelligence about what these agencies are doing to address the fallout from the SolarWinds attack.
The hearing was scheduled to discuss the "Annual Threat Assessment of the U.S. Intelligence Community" report published by ODNI this week, which covers a range of cybersecurity and other threats. It was the first time in two years that Congress has held a public hearing about the annual intelligence assessment report (see: Intelligence Report: 4 Nations Pose Serious Cyberthreat to US).
Rethinking Notification Laws
Sen. Mark Warner, D-Va., the chairman of the intelligence committee, noted in his opening remarks that more needs to be done to ensure that companies promptly report data breaches. He noted that the security firm FireEye detected and reported the SolarWinds attack in December.
"In order to deter these intrusions, we will need to accurately attribute them and hold our adversaries accountable," Warner said. "The SolarWinds hack offered a stark reminder that there is no [federal] requirement to report breaches of critical infrastructure. If FireEye had not come forward, we might still be in the dark today. We may also want to develop new international norms where certain types of attacks are prohibited, just as the use of chemical or bioweapons is banned."
Yet another proposed federal breach notification law is expected to be introduced in Congress in the coming weeks. Many previous such proposals have failed to advance, but states have their own breach reporting requirements (see: House SolarWinds Hearing Focuses on Updating Cyber Laws).
In addition to Congress, the Biden administration is preparing a series of executive orders that will seek to address some of the security shortcomings found after the SolarWinds attack. These actions will likely include a combination of sanctions targeting the suspected Russian-linked group responsible for the attack as well as new rules and guidelines for companies and government agencies designed to raise security standards (see: White House Preparing 'Executive Action' After SolarWinds Attack).
On Thursday, the White House is expected to announce the sanctions portion of that response. These measures are likely to include financial sanctions targeting Russia as well as the expulsion of some diplomats from the U.S., according to The New York Times.
FBI Director Christopher Wray testified that in the wake of the SolarWinds attack, the bureau and other federal agencies are working to improve communication with companies that control the vast majority of the U.S. IT infrastructure. These companies need to be encouraged to come forward and share security incident details, he added.
"If one company reaches out promptly after they've been compromised, it means that all the rest of the companies that are likely to be the next ones [attacked] might be able to get in front of [the threat]," Wray said.
Although the FBI can use subpoenas and other powers to investigate breaches, "ultimately … to protect against these problems, we really have to solve this with public-private partnerships," Wray said.
Addressing 'Blind Spots'
Wray and Gen. Paul Nakasone, the head of the U.S. Cyber Command and the NSA, were asked by senators about addressing the issue of "blind spots" where attackers might hide their activities from law enforcement and intelligence agencies.
The issue of blind spots first surfaced during a previous hearing about SolarWinds, when some lawmakers asked if the Russian-linked hacking group that targeted the company may have used Amazon Web Services infrastructure within the U.S. to hide its campaign and disguise network traffic (see: Senate SolarWinds Hearing: 4 Key Issues Raised).
Nakasone said that while the NSA can't investigate cyber intrusions within the U.S., his agency shares intelligence with the FBI for follow-up. But he stressed that it's important for companies to share breach information with the government.
"We need to be able to understand that whenever adversaries are coming into the United States and using our infrastructure, whether it's servers or cloud providers, that there is [information sharing] on that," Nakasone said. It's important to understand what data may have been lost or compromised and "to ensure that the public and the private industry have the most resilience possible," he said.
Avril Haines, the director of national intelligence, noted that her office is continuing to work to balance the need to collect foreign and domestic intelligence with the need to protect Americans' privacy and civil liberties.
"We also want to be able to provide the analysis that gives the full picture," Haines said.
At the hearing, senators also asked about cyber challenges that are stemming from Russia and China as both countries increase their technical capabilities.
Sen. Dianne Feinstein, D-Calif., asked about attacks that may target critical infrastructure, including China's ability to use cyber tools to disrupt natural gas pipelines and Russia's ability to interfere with the U.S. electrical grid (see: Senators Raise Concerns About Energy Dept. Cybersecurity).
Nakasone answered that both Russia and China have improved their cyber capabilities over the last two years and that the NSA and other agencies are looking to counter those capabilities.
"I would also tell you we are also working very holistically across our government to improve two things - our ability to have resilience in that infrastructure and our ability to respond," Nakasone said. "And we have made progress there. But … the scope, scale and sophistication of our adversaries today should make us take notice."