Senate Homeland Security Committee hearing on SolarWinds and federal cybersecurity is starting now: hsgac.senate.gov/hearings/preve…
In opening statement, ranking member Rob Portman questions why HHS didn't declare its SolarWinds breach to be a "major incident" per FISMA. He also questions why HSGAC learned from news reports that SolarWinds had hit DHS/CISA, including DHS secretary and incident responders.
In opening statement, Acting CISA Director Brandon Wales says one of CISA's top priorities this year is creating joint cyber planning office (authorized in NDAA) to strengthen public-private collaboration, which he says was key to successful SolarWinds/Exchange responses.
Wales: “As the pace and scale of cyber threats that we face expands, so must our response toolkit.”
He said a proposed Cyber Response and Recovery Fund would "ensure CISA has sufficient resources and capacity to respond rapidly to catastrophic cyber incidents.”
He said a proposed Cyber Response and Recovery Fund would "ensure CISA has sufficient resources and capacity to respond rapidly to catastrophic cyber incidents.”
Peters asks Wales to elaborate on how a CRRF would help CISA.
Wales says it would help ensure that CISA has enough incident responders (for example, by paying contractors); can deploy additional sensors and technology; and can reimburse other federal agencies for their help.
Wales says it would help ensure that CISA has enough incident responders (for example, by paying contractors); can deploy additional sensors and technology; and can reimburse other federal agencies for their help.
HHS CISO Janet Vogel on why dept didn't initially declare SW a major incident:
“We felt that we had not lost any data, we had...firewalled everything appropriately...there wouldn't be follow-up activity. ... We determined right away we did not believe this was a major incident."
“We felt that we had not lost any data, we had...firewalled everything appropriately...there wouldn't be follow-up activity. ... We determined right away we did not believe this was a major incident."
Commerce CISO Ryan Higgins, asked why DOC only sent a vague initial notification to Congress about SolarWinds, says the department didn’t know right away what systems were affected and what stakeholders were impacted. It wanted to gather more information first.
Portman: Did Colonial contact CISA after being hacked?
Wales: “They did not contact us. … We were brought in by the FBI after they were notified about the incident.”
Wales: “They did not contact us. … We were brought in by the FBI after they were notified about the incident.”
Portman: Would it have been helpful if Colonial had contacted you immediately and shared information?
Wales: “We received information fairly quickly, in concert with the FBI. ... We are waiting for additional technical information on exactly what happened at Colonial..."
Wales: “We received information fairly quickly, in concert with the FBI. ... We are waiting for additional technical information on exactly what happened at Colonial..."
Portman: So you still don’t have the technical data that you need?
Wales: “Yes, but that is not surprising...they've only been working on the incident response since over the weekend...We do expect information to come from that."
Wales: “Yes, but that is not surprising...they've only been working on the incident response since over the weekend...We do expect information to come from that."
Portman: If the FBI hadn’t brought you in, do you think Colonial would have contacted you?
Wales: No.
Wales: No.
Johnson: Are you looking to see if SolarWinds and the Colonial Pipeline hack are connected?
Wales: We're evaluating all intelligence, including what the hackers were able to access through SolarWinds. But FBI has attributed Colonial to a criminal group.
Wales: We're evaluating all intelligence, including what the hackers were able to access through SolarWinds. But FBI has attributed Colonial to a criminal group.
Johnson: Have we looked at the cybersecurity risks of switching to green infrastructure? “A move toward green energy is potentially, probably making us even more vulnerable.”
Wales carefully dodges the question.
Wales carefully dodges the question.
Rosen: Would it help if the government embedded cybersecurity advisers in HHS’ regional offices to help small and rural healthcare providers?
HHS CISO Janet Vogel: “We are looking at how to reinforce the capabilities that we have in our regional offices.”
HHS CISO Janet Vogel: “We are looking at how to reinforce the capabilities that we have in our regional offices.”
Portman: Is it true that SolarWinds compromised CISA incident responders and the secretary of homeland security?
Wales: Can’t say in an open forum. But can say that SW didn’t compromise operational networks, where we manage EINSTEIN, collect+analyze incident response data, etc.
Wales: Can’t say in an open forum. But can say that SW didn’t compromise operational networks, where we manage EINSTEIN, collect+analyze incident response data, etc.
Josh Hawley: Do you agree with suggestion that Pulse Secure attack was partly about economic espionage?
BW: “Not aware of any specific economic thefts from that operation, but...we are still trying to understand the full scope of what happened during the Pulse Secure campaign."
BW: “Not aware of any specific economic thefts from that operation, but...we are still trying to understand the full scope of what happened during the Pulse Secure campaign."
Peters: Do you have the insight that you need into every agency’s risk posture?
Wales: No.
Peters: What do you need?
Wales: We’re starting to make certain “critical improvements” using the American Rescue Plan Act money.
Wales: No.
Peters: What do you need?
Wales: We’re starting to make certain “critical improvements” using the American Rescue Plan Act money.
Peters, closing the hearing, says he wants to amend FISMA "so there is no ambiguity, so there's no confusion, on when and if an agency needs to declare a major incident and notify Congress about those events."
Follows criticism that HHS didn't do this with SolarWinds.
Follows criticism that HHS didn't do this with SolarWinds.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
