The Cybersecurity 202: Senate panel delves into SolarWinds hack

Three witnesses — the acting director of the Department of Homeland Security’s Cybersecurity and Information Security Agency (CISA); the acting assistant director of the FBI’s Cyber Division’ and the chief information security officer from the Office of Management and Budget, will field questions from the panel. 

Those questions are likely to focus on specific changes the government is implementing to better guarantee the security of contractors, as well as the progress of internal audits in cases where agencies were compromised; and which entities are responsible for coordinating a government-wide response.

The Biden administration has promised a more aggressive stance against foreign hackers, especially those backed by Russian government entities. Last month, the administration signaled it was planning to sanction Moscow for the SolarWinds hack, alongside the poisoning of Russian opposition leader Alexei Navalny, which the United States has also blamed on the Kremlin. While the administration has announced sanctions against Russia for Navalny’s poisoning, sanctions for the SolarWinds attack have yet to materialize.

Since the revelation of the SolarWinds hack late last year, tech giant Microsoft has admitted that its email systems — which are also used by U.S. government agencies — were subject to their own hacking, likely by China. The disclosure of that hack has raised new questions about how the Biden administration will implement a policy of cyber deterrence against a range of adversaries and threats — many of them state-sponsored — with varying motivations.

For example, earlier this week, two of the agencies whose representatives will face senators on Thursday released a declassified report showing while Russia and Iran were among the countries trying to influence the outcome of the 2020 election, China was not. 

The report — which determined that Vladimir Putin directed the Kremlin to carry out influence operations against President Biden and Democrats during the 2020 election — also repudiated many of the conspiracy theories former president Donald Trump espoused during and after the campaign, including that voting machines or vote tallies were manipulated.

While the nature of threats to elections are different than those posed to government systems, they are no less potentially devastating. 

Hacks to Office of Personnel Management databases publicized in 2015 ended up compromising the personal information of over 22 million people, including the friends and family of government employees and contractors. But other recent attacks, directed against supply chains and critical infrastructure, have raised fears about a hack that could cripple public services or render whole areas susceptible to physically devastating system failures.

Last year, the National Defense Authorization Act created the position of a national cyber director to coordinate resources and information across the government, to better standardize the country’s cyber defenses and ensure best practices are used to protect soft targets, as well as state secrets.

Biden has yet to name a person to fill this role. He has appointed Anne Neuberger, the deputy national security adviser for cyber technology, to lead the federal government’s SolarWinds response.

Private companies were invited to the Monday meeting for the first time, White House press secretary Jen Psaki said in a statement. The meeting came as organizations continue to triage and update their systems in the wake of the far-reaching attack, which Microsoft announced earlier this month. Psaki noted that Microsoft released a tool to mitigate the hack after a White House request for the company to develop a “simple solution” for small businesses.

According to cybersecurity firm BitSight, more than 3,400 U.S.-headquartered organizations — including more than 200 government organizations, mostly at the local level — were running the vulnerable software or could be accessed by hackers as of Tuesday.

The Ulysses Group said in a document that it can access real-time locations for 15 billion vehicles located worldwide, Motherboard’s Joseph Cox reports. The company, which said it hasn’t sold the tool to the U.S. government, said in the document that the technology would “dramatically enhance military intelligence and operational capabilities” if used.

“Far too little is known about how private information is being bought and sold,” Keith Chu, a spokesman for Sen. Ron Wyden (D-Ore.), said in a statement. “Sen. Wyden is conducting an ongoing investigation into the sale of personal data, particularly via data brokers, to put some sunlight on this shady industry.”

Phishing and related attacks had the most victims — more than 240,000 — than any other type of Internet crime, and the number of phishing victims more than doubled since 2019, the FBI’s Internet Crime Complaint Center said in a report. People over 60 years old were the most targeted age group of online crime last year, with more than 105,000 victims facing a total loss of more than $966 million. 

The report also highlighted lucrative hacks of business emails, which resulted in losses of more than $1.8 billion. And losses reported as a result of hacks for ransom more than tripled, according to the report, despite a nearly 21 percent increase in the number of victims who made reports about the hacks.

Venn Strategies has registered to lobby for cyber risk management company Axio effective March 1. Venn Strategies Senior Vice President Ben Steinberg, a former official in the Energy Department’s cybersecurity office, is among the registered lobbyists, who plan to advocate on cyber hygiene and risk management policies and standards for critical infrastructure. 

• Acting FCC Chairwoman Jessica Rosenworcel and Rep. Doris Matsui (D-Calif.) speak at a 5G event hosted by the Center for Strategic and International Studies today at 10 a.m.
• Cybersecurity and Infrastructure Security Agency acting director Brandon Wales; Christopher DeRusha, the federal chief information security officer; and Tonya Ugortez, an FBI deputy assistant director for cybersecurity, testify at a Senate hearing on the cyberattack on SolarWinds and other software today at 10:15 a.m.
• Mark Weatherford, the National Cybersecurity Center’s chief strategy officer, and former U.S. Air Force official Riley Repko discuss cybersecurity priorities and goals at the Information Systems Security Association’s Mid-Atlantic Quarterly Summit today at 6 p.m. 
• The House Energy and Commerce Committee holds a hearing on infrastructure legislation on March 22 at 11 a.m.

DomainTools senior security researcher Joe Slowik’s chart of the groups exploiting vulnerabilities in Microsoft Exchange software drew praise on Twitter. Derek Johnson, a senior reporter at SC Media:

Alex Stamos, who is director of the Stanford Internet Observatory and a partner at the Krebs Stamos Group:

It was only a matter of time. The Microsoft Exchange hack has been adapted into a meme: