Lawmakers blame SolarWinds hack on ‘collective failure’ to prioritize cybersecurity

The leaders of the House Homeland Security Committee on Friday will call for immediate changes to how Congress handles cybersecurity in the wake of a massive hack of the federal government, blaming the breach on a “collective failure” to prioritize cybersecurity.

“Our collective failure to make cybersecurity a central component of our national security — and invest in it accordingly — contributed to the success of the campaign and the difficulty we face in understanding its impact,” Committee Chairman Bennie Thompson (D-Miss.) will say as part of opening remarks at a joint hearing with the House Oversight and Reform Committee on the SolarWinds breach. 

“In short, past warnings of what could come failed to trigger a meaningful shift in our approach to security,” he will stress. 

House Homeland Security Committee ranking member John Katko (R-N.Y.) intends to zero in on five important steps Congress should take to increase federal cybersecurity in the future. These include centralizing authority at the Cybersecurity and Infrastructure Security Agency, stepping up vendor certification and “imposing real costs” on adversary nations responsible for malicious cyber activities. 

“While there is no silver bullet, deterrence still matters,” Katko will say in his opening statement. “Naming and shaming, indictments, sanctions, offensive measures where appropriate — these should all be tools in our toolkit.”

The hearing is being held less than a week after a Senate Intelligence Committee hearing on the SolarWinds breach, and two months after the House Homeland Security and the House Oversight and Reform panels announced a joint investigation into the incident. 

During the Senate Intelligence Committee hearing, industry leaders and members of Congress stressed the need for mandatory breach reporting requirements to ensure that private sector groups have to disclose if they are hacked. Both Thompson and Katko will expressed an interest in pursuing this issue as well. 

Thompson will stress that a key priority of the ongoing dual committee investigation is to “move beyond admiring the complexities of this campaign” and instead “chart a path forward.” 

“In the 15 years I have served on the Homeland Security Committee, one thing has become clear: We can’t become so consumed by preventing the last attack that we’re blind to the threats of the future,” Thompson will say. “Instead, we must identify systemic opportunities to improve our ability to prevent, defend against, mitigate, and raise the costs of all malicious cyber activity.”

The SolarWinds breach, which U.S. intelligence officials have said was “likely” carried out by Russian operatives, involved hackers breaching software from IT group SolarWinds in order to compromise up to 18,000 of its customers. 

While the number of compromised groups is likely far lower, a White House official said earlier this month that at least nine federal agencies and 100 private sector companies were breached as part of the espionage incident, which was ongoing for much of the past year before it was discovered in December. 

Agencies that have confirmed they were breached include the Commerce, Defense, Homeland Security, Justice, State and Treasury departments, while private sector groups hit include FireEye and Microsoft. 

FireEye CEO Kevin Mandia, Microsoft President Brad Smith and SolarWinds president and CEO Sudhakar Ramakrishna are all set to testify on Friday, with all three leaders having previously testified at the Senate Intelligence Committee hearing earlier in the week. They will be joined at Friday’s hearing by former SolarWinds CEO Kevin Thompson.