Export Compliance Daily is a Warren News publication.
Warner Update

Senate Homeland Security to Mark Up Cyber Fund Bill Wednesday

The Senate Homeland Security Committee will mark up legislation Wednesday to establish a Department of Homeland Security cyber response fund, Chairman Gary Peters, D-Mich., told us Tuesday. The committee held a second hearing on cyber incident response, days after the Colonial Pipeline cyberattack.

The Cyber Response and Recovery Act, from Peters and ranking member Rob Portman, R-Ohio, would authorize $20 million over seven years and require DHS to report to Congress on its use. It would let the DHS secretary declare “significant” cyber incidents to use the fund.

Officials attributed the Colonial incident to the DarkSide ransomware group, testified DHS Cybersecurity and Information Security Agency acting Director Brandon Wales. He responded to Sen. Ron Johnson, R-Wis., asking if there was a connection between Colonial and the Russia-linked SolarWinds hack (see 2104060058).

Senate Intelligence Committee ranking member Marco Rubio, R-Fla., is collaborating with Chairman Mark Warner, D-Va., on mandatory cyber reporting legislation with Sens. Susan Collins, R-Maine, and John Cornyn, R-Texas (see 2104140043), a Rubio aide told us. Warner told reporters the Colonial attack is one more example of the “enormous need” to pass incident reporting legislation. The group is trying to work with other committees involved, said Warner.

It’s concerning that the federal government isn’t detecting these hacks, which companies are discovering, said Portman. He noted four major cyber campaigns in the past six months that the government is now aware of: SolarWinds, Microsoft Exchange, Pulse Secure and Colonial Pipeline. CISA is eager to work with Congress on a cyber response and recovery fund, said Wales. He confirmed that a few accounts at DHS and CISA were compromised during the SolarWinds incident. The breach affected only business email networks, not incident response and operational work, he said.

Peters asked about the federal SolarWinds response, noting the Commerce Department alerted Congress that “something happened,” without additional details or context. The lack of detail prevents Congress from doing proper oversight, said Peters: Agencies might be meeting the letter but not the intent of the law.

Commerce considered the knowns and unknowns of the SolarWinds attack, said Commerce Chief Information Security Officer Ryan Higgins: It felt the short response to OMB, CISA and Congress was appropriate. At first, agencies don’t always have all the information needed but can notify other agencies generally, he said.

The Health and Human Services Department determined it hadn’t lost any data and firewalled everything appropriately, so there wasn’t a need for reporting, said Chief Information Security Officer Janet Vogel. The agency didn’t believe SolarWinds was a major incident initially, so it confirmed with CISA and OMB that it wouldn't declare a major incident then, she said. Portman said that raises concerns. He agreed with Peters that Congress should be given the opportunity to know about the incidents and determine severity.

CISA is awaiting technical information on what happened at Colonial, said Wales. It’s “not surprising” because Colonial learned of the incident in recent days. Sen. Jacky Rosen, D-Nev., asked what officials learned from the techniques used in the SolarWinds attack. Wales called it a series of small, novel techniques coupled together to create a “very sophisticated” attack.

Portman noted he and Peters sent CISA an April 5 letter demanding April 20 responses to questions about reauthorization of cyber programs and ongoing legislative efforts. The committee received only a few documents CISA shared previously, he said. DHS scheduled a briefing next week with Portman's and Peters' staffs and will offer detailed responses about the questions then, said Wales.