December 19, 2020

What the Congressional Think Tank Is Telling Lawmakers about Cybersecurity

CRS recently informed lawmakers about the SolarWinds attack. No easy answers are in sight, but the issue will be of intense policy interest in 2021.

On December 13, cybersecurity firm FireEye publicly disclosed a serious network breach, attributed in early reporting to Russian state actors, carried out through a compromised SolarWinds software update. The same day, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive requiring federal agencies to disconnect the affected SolarWinds products. By December 16, the Office of the Director of National Intelligence and the Federal Bureau of Investigation had joined CISA in activating the National Cyber Incident Response Plan and coordinating a whole-of-government response.

The Congressional Research Service issued two updates on the situation for lawmakers: a general cybersecurity primer and a more specific analysis of the SolarWinds attack. Subsequent analysis from CISA found evidence that the intruders used initial access vectors beyond the compromised SolarWinds update that was first reported.

The Congressional Research Service report assessed that existing legislation would not have prevented the incident. According to CRS, the Federal Information Security Modernization Act (FISMA) places implementation responsibility with agency heads without strong guidance. Other legislation, such as the SECURE IT Act and the IT MGT Act, does not address how technology should be managed once it is deployed. The existing federal vulnerability disclosure program does not extend to government contractors.

The Government Accountability Office released the results of its review of federal agencies on December 15, showing serious gaps in the implementation of supply chain risk management practices. None of the 23 agencies reviewed had fully implemented all seven of the foundational practices GAO identified for managing information and communications technology supply chain risk.

GAO: "Federal Agencies Need to Take Urgent Action to Manage Supply Chain Risks"

GAO director of IT and cybersecurity Carol Harris told Nextgov in an interview, "Even if agencies had robust supply chain risk management processes in place, most likely this particular attack still would have happened because of the level of sophistication that was involved."

Details about the attack are still emerging. Early reporting suggests that the National Nuclear Security Administration, which manages the national nuclear weapons stockpile, was impacted.

In a wide-ranging conversation with Defense One, Senator Angus King and Representative Mike Gallagher cited the importance of the Fiscal Year 2021 National Defense Authorization Act in jump-starting new cybersecurity initiatives. The bill has passed both the Senate and the House but is currently under threat of veto from President Trump.

This is a quickly evolving story that will be of considerable interest to the press and to lawmakers in coming weeks and months.