Lawmakers call for action after ‘devastating’ nation state cyberattack on federal government

U.S. officials and experts are calling for action after a devastating cyberattack aimed at the federal government by nation state hackers, which may have exposed sensitive government data for the past several months. 

“The reported breach of our Federal networks is serious and disturbing,” House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) told The Hill in an emailed statement. “Congress must understand the scope of what happened and what resources Federal agencies will need to secure their networks.”

The cyberattack targeted Austin, Texas-based IT vendor SolarWinds. Hackers inserted a vulnerability into updates put out by the company between March and June of this year for its Orion software, according to a Monday filing with the Securities and Exchange Commission (SEC). 

Reuters first reported that the hackers had successfully hacked into the Treasury Department, the Department of Homeland Security, and the Commerce Department’s National Telecommunications and Information Administration (NTIA).

However, the attack was likely even more catastrophic.

According to a post on SolarWinds’ website removed Monday, the company’s customers also include all five branches of the military, the Justice and State departments, the National Security Agency, the Postal Service, and 425 of the U.S. Fortune 500 companies. 

The Washington Post reported that a prolific Russian military intelligence unit known as “Cozy Bear” was behind the attack on SolarWinds. The group was previously tied to an attack on the State Department and groups doing research on COVID-19 vaccines and treatments. No federal agency had publicly confirmed that this group was responsible. 

“While many details are still unknown, the attack emphasizes the importance of strong cybersecurity protections and rapid incident responses across all federal agencies,” Senate Commerce Committee Chairman Roger Wicker (R-Miss.) and Sens. John Thune (R-S.D.) and Jerry Moran (R-Kan.) said in a joint statement Monday following a briefing on the attack from the Commerce Department. 

“Cyberattacks by nation states like Russia and China threaten our economy and national security. Our response should be swift and clear,” they added.

SolarWinds noted in the SEC filing that while it had notified 33,000 customers of the potential months-long breach, it believed that only around 18,000 customers were impacted, and that the hackers had been able to gain access to company emails through exploiting Microsoft Office 365 tools. 

Microsoft on Sunday night published a blog post emphasizing that it had “not identified any Microsoft product or cloud service vulnerabilities” while responding to the incident, but noted that it concurred that “this is nation-state activity at significant scale, aimed at both the government and private sector.”

The attack came less than a week after major cybersecurity group FireEye announced that it had been hacked by a nation state in a related attack. 

The company wrote in a separate blog post on Sunday that based on its initial investigation into the “ongoing” attacks, it was the “work of a highly skilled actor and the operation was conducted with significant operational security.”

With the fall out ongoing, Capitol Hill on Monday pivoted its attention to the attack. 

Thompson told The Hill that he had asked DHS’s Cybersecurity and Infrastructure Security Agency (CISA) to brief the House Homeland Security Committee, while the panel’s newly appointed ranking member Rep. John Katko (R-N.Y.) called for a “coordinated and cohesive national strategy” to fight these types of attacks. 

House Intelligence Committee Chairman Adam Schiff (D-Calif.) summed up the attack as “devastating,” and Senate Intelligence Committee Vice Chairman Mark Warner (D-Va.) said in a statement that “we should make clear that there will be consequences.”

“These recent attacks threatened national security, created unacceptable risks to Americans safety, and we need to do everything we can do to prevent them from happening in the future,” Senate Homeland Security and Governmental Affairs Committee ranking member Gary Peters (D-Mich.) told The Hill. 

Sen. Ron Wyden (D-Ore.), a member of the Senate Intelligence Committee, said he was pressing the federal government for more information on the incident.

“Our country has suffered a massive national security failure that could have ramifications for years to come,” Wyden told The Hill. “I fear that the damage is more significant than is currently known.”

The federal government has already begun to take action, with Reuters reporting that the National Security Council (NSC) met in an emergency meeting on Saturday to discuss the attack. 

NSC spokesperson John Ullyot said in a tweet Monday that the NSC, the FBI, CISA, and the intelligence community were working together “to coordinate a swift and effective whole-of-government recovery and response to the recent compromise.”

CISA also put out an emergency directive late Sunday night ordering federal agencies to immediately disconnect from any SolarWinds systems by Monday afternoon. 

But experts warned Monday that there is almost certainly more that will come to light around the incident. 

Kiersten Todt, who served as executive director of former President Obama’s Commission on Enhancing National Cybersecurity, told The Hill that the “security of the nation has been compromised.”

“We have no idea what they accessed specifically and for what purposes, and I believe it’s just the tip of the iceberg in terms of who, what, and when has been breached,” said Todt, who currently serves as managing director of the Cyber Readiness Institute. 

Theresa Payton, the White House chief information officer during the George W. Bush administration, said the attack was particularly bad after a year in which IT professionals have been pushed to their limit by Americans moving online, and as federal agencies begin the transition process between presidential administrations. 

“On a scale of one to ten, my gut tells me we are approaching a nine,” Payton, who currently serves as CEO of the cyber consultancy group Fortalice Solutions, said of the overall attack.

The incident came to light as the U.S. faces a vacuum of cybersecurity leadership after top CISA officials were forced out by the Trump administration. The U.S. is also without a central cybersecurity leader as lawmakers and Trump clash on the issue of reestablishing a White House cyber czar following the elimination of the position in 2018. 

Todt pointed to the firing of former CISA Director Christopher Krebs by President Trump, and the departure of three other top officials, as “not helpful,” and both Todt and Payton called on President-elect Joe Biden to bolster cybersecurity once in office.

As foreign hackers continue to step up their game, Schiff also called on Biden to illustrate to Russia, China, and Iran the consequences of carrying out a major cyberattack on the nation. 

“For too long, cyber-attacks have been seen as relatively cost-free for the perpetrators; that needs to change,” Schiff said.