The Cybersecurity 202: A new government watchdog report highlights urgent federal cybersecurity risks

“It certainly would have led to an earlier discovery of the attack,” U.S. Comptroller General Eugene L. Dodaro told House Oversight and Reform Committee Chair Carolyn B. Maloney (D-N.Y.) when asked about the GAO findings.

“It’s hard to say … but we would have been better postured to detect the attack ourselves and to take quicker action,” he said, referring to the fact the campaign was uncovered by private cybersecurity firm FireEye months after Russian hackers accessed government systems.

The GAO report provides an early blueprint for how Congress and federal agencies can work to address the significant cybersecurity issues raised by the hack of SolarWinds software, which led to the compromise of at least nine federal agencies.

“[A]nother silent battle is being fought in our IT networks by cyber attackers intent on stealing our intellectual property and undermining our national security,” Maloney said during her opening statement. “The SolarWinds breach that came to light last December, as well as escalating and targeted cyberattacks that have drained millions of dollars from struggling hospitals, are just two examples of the threats we know about.”

Dodaro pointed to that fact that none of 23 agencies reviewed by the GAO had implemented best practices for identifying and mitigating risks associated with the government’s information and communications technology.

Those weaknesses were a “at the heart of the SolarWinds incident,” Dodaro noted. 

The report comes as Congress eyes potential legislation requiring all government contractors to report cybersecurity incidents. When asked by Maloney if he would support such legislation, Dodaro said it would be “helpful.”

The GAO report noted at least three agencies have failed to fully implement the Department of Homeland Security’s Continuous Diagnostics and Mitigation, a government-wide cybersecurity program that provides threat monitoring for civilian government networks. That includes the Federal Aviation Administration, which The Washington Post confirmed was a victim of the attack.

In addition to inadequacies detecting attacks, “a number of agencies have weaknesses in their incident response capabilities and therefore don’t move as quick as need be when there are intrusions in place,” Dodaro said at a news conference preceding the hearing.

“We need better tools to detect, but we need to respond faster, better as well.”

Leadership is as big of an issue as having the right tools.

The report points to a lack of cybersecurity leadership at the federal level, something the report says “regressed” under the Trump administration. When then-President Donald Trump cut the White House cybersecurity coordinator position, it was unclear who in the executive branch was responsible for enforcing the White House’s National Cyber Strategy and holding federal agency’s accountable, the report found. 

The position was brought back as part of the most recent defense spending bill but Biden has not yet named a nominee to the post.

At a Senate Homeland Security and Governmental Affairs Committee hearing on the report, ranking member Sen. Rob Portman (R-Ohio) agreed with the GAO’s assessment that a lack of a central U.S. cybersecurity coordinating authority is a problem.

“I happen to agree with you on that and I’m hopeful that we can have legislation to address it, particularly using the Department of Homeland Security more effectively to organize around [Cybersecurity and Infrastructure Security Agency],” Portman said.

The Ohio Republican said he looked forward to working with the Biden administration to ensure the cyber coordinator position is filled. 

Nick Marinos, director of GAO’s Information Technology and Cybersecurity team, told the Senate that GAO will introduce new recommendations next week specifically targeted at improving the Cybersecurity and Infrastructure Security Agency.

The GAO agency named cybersecurity as one of the report’s five areas where government’s response has worsened since 2018.

Of the 3,300 cybersecurity recommendations the GAO has made since 2010, 750 have yet to be fully implemented. Some of the recommendations have been on the list for over 20 years and cybersecurity has been on the high-risk list since 1997. 

“The federal government is still not operating, in my opinion, at a pace commensurate with the evolving serious threats that are presented in this area,” Dodaro said.

Christopher A. Wray underplayed the idea the FBI wants back doors into encrypted apps, saying it instead wants “legal access” to encrypted communications. At the same time, Wray noted that extremists are using encrypted apps to evade detection and warned “we will all rue the day” when law enforcement agencies are no longer able to access to digital evidence.

But critics say the FBI position doesn’t square with reality because such access would defeat the purpose of encryption. “The FBI’s demand for the power to spy on end-to-end communications undermines [end-to-end] encryption and makes everyone less safe,” Electronic Frontier Foundation Cybersecurity Director Eva Galperin tweeted. “I don’t care what you call it.”

They leased American servers to launch the attacks, Microsoft researchers said, which targeted researchers of infectious diseases, law firms, universities, defense contractors and nongovernmental organizations. 

Researchers at Volexity added the hackers, which Microsoft called Hafnium, were able to get inside email mailboxes without passwords or any special access. The company said “appropriate U.S. government agencies” were briefed on the hacks, which “were in no way connected” to the cyberattack on SolarWinds and other software. Microsoft released software updates that it said would protect against the “limited targeted attacks.” 

Researchers at FireEye also observed hackers using the vulnerabilities

“FireEye has observed these vulnerabilities being exploited in the wild and we are actively working with several impacted organizations,” Charles Carmakal, senior vice president and chief technology office FireEye Mandiant said in a statement. ”In addition to patching as soon as possible, we recommend organizations also review their systems for evidence of exploitation that may have occurred prior to the deployment of the patches.”

The Senate overwhelmingly confirmed Raimondo, the Democratic governor of Rhode Island, by a vote of 84 to 15, David J. Lynch reports. She is expected to be sworn in today.

Republicans slammed Raimondo when she declined to commit to keeping Chinese tech giant Huawei Technologies Co. on a key department blacklist that the Trump administration used to punish Chinese companies. Raimondo eventually said she sees “no reason” why Huawei and other Chinese companies shouldn’t remain on the restricted trade list. 

She inherits a Commerce Department that has been slow to regulate emerging technology exports, a provision of legislation that was passed in 2018. Cybersecurity will probably be top of mind at the department, which was breached by Russian government hackers in the cyberattack on SolarWinds and other software.

The Chinese hacking campaign raised alarm bells on Twitter. Volexity President Steven Adair:

NSA Cybersecurity Director Rob Joyce:

The amendment to Democrats sweeping voting legislation package will establish a senior cyber policy adviser on the staff of the Election Assistance Commission (EAC) and explicitly calls out cybersecurity as an ongoing EAC duty. The amendment, introduced by Rep. Jim Langevin (D-R.I.), also expands the EAC’s duties to include the “development, maintenance, and dissemination” of cybersecurity guidelines. 

• Craig Newmark Philanthropies, the organization founded by the Craigslist founder, has renewed funding for the second consecutive year to University of California at Berkeley’s Center for Long-Term Cybersecurity’s Citizen Clinic program.
• MITRE has launched the Ransomware Resource Center to help groups protect and respond to attacks on their networks for ransom.

• Former Cybersecurity and Infrastructure Security Agency director Chris Krebs speaks at an Atlantic Council event on 2020 election misinformation today at 3 p.m.
• The Atlantic Council hosts a cybersecurity event with industry leaders on Thursday at 1 p.m.
• House Armed Services Committee Chairman Adam Smith (D-Wash.) speaks at an event hosted by the Brookings Institution on Friday at 11 a.m.
• Duke University’s engineering school hosts a seminar on cybersecurity threats amid remote work on Friday at noon.
• U.S. Cyber Command executive director Dave Frederick speaks at an event hosted by the Intelligence and National Security Alliance on March 10 at 4:30 p.m.