As information trickles out about which federal agencies have been compromised by a sophisticated hacking operation, lawmakers have begun seeking an extensive accounting of what damage has been done.
A bipartisan group of senators is calling on the heads of the FBI and Cybersecurity and Infrastructure Security Agency to brief them on the "size, scope, and details" of how a hacking campaign breached multiple agencies via software widely used throughout the federal government.
The letter is one in a series of calls to action lawmakers made this week as new details emerge about how hackers managed to breach networks at the Departments of Commerce, Treasury and Homeland Security, as well as the National Security Agency and parts of the Pentagon, through a vulnerability in the IT management software suite SolarWinds.
The Dec. 15 letter is signed by Sens. Jerry Moran (R-Kan.), John Thune (R-S.D.), Roger Wicker (R-Miss.), Jeanne Shaheen (D-N.H.), Richard Blumenthal (D-Conn.) and Maria Cantwell (D-Wash.).
Asked about how quickly the lawmakers expect a response, a committee aide told FCW they expect to receive new information on a rolling basis. However, federal law requires agencies to provide a detailed report to Congress of any incident within 30 days, they added.
The senators are seeking an extensive account of what FBI Director Christopher Wray and CISA's acting chief Brandon Wales know about the incident so far, including a list of every agency that uses SolarWinds' Orion, the software suite that was compromised, as well as any agency that has reported specific breaches.
They are also asking for the "categories and quantities of data" that may have become susceptible, a description of how the FBI and CISA are responding to the incident and what help SolarWinds has provided to the government.
"Has the investigation of the impacted federal agencies identified any failures in implementation of the Federal Information Security Modernization Act or other relevant federal information security statutes?" the letter states.
The senators also want to know whether or not the government's investigative efforts will include outreach to the private sector.
Sens. Sherrod Brown (D-Ohio) and Ron Wyden (D-Ore.) yesterday also sent a similar letter to Treasury Secretary Steven Mnuchin seeking information about the extent to which the hack has affected his agency and what is being done to respond.
The letter also suggests the lawmakers will lobby for financial sanctions against whatever country or group the attack is formally attributed to.
"Once the U.S. government formally attributes the attack to specific actors, will the Treasury Department initiate a process to consider using the full panoply of economic, financial, cyber, and other sanctions tools Congress has provided to the Treasury Department, or other counter-measures, to respond appropriately?" the letter said.
Both letters acknowledge media reports suggesting a Russian intelligence service was behind the attacks, but the affected agencies, SolarWinds and FireEye, a cybersecurity firm also investigating the hack, have not yet named a specific group or nation.
Rep. Ted Lieu (D-Calif.) said he is crafting a bill to mandate that vendors working with the federal government maintain a vulnerability disclosure policy.
"Additionally, I believe Congress should create a Select Committee on Cybersecurity. Presently, no single committee deals with cybersecurity, and we need to treat this issue like the ongoing threat it is," he said. "Having a Committee dedicated exclusively to cybersecurity would allow Members to drill down and bring a variety of perspectives to bear."