Key lawmakers expressed concern on Tuesday that they have been kept in the dark about what Russian hackers are accused of stealing from the federal government, and they pressed Biden administration officials for more information about the nature of the so-called SolarWinds hack.
Sens. Gary Peters and Rob Portman wrote to top officials, saying that recent reports by The Associated Press “opened the alarming possibility” that certain federal agencies did not completely disclose the violation to Congress.
“This committee has addressed the complexities of defending against advanced, well-resourced, and patient cyber adversaries on several occasions. Nonetheless, despite substantial investments in cyber defences, the federal government failed to detect this cyberattack at the outset,” the senators wrote. The Senate Homeland Security and Governmental Affairs Committee is chaired by Peters, a Democrat from Michigan. Portman, a Republican from Ohio, is the party’s leader.
Last month, the Associated Press confirmed that alleged Russian hackers obtained access to email accounts belonging to Chad Wolf, the Trump administration’s acting homeland security secretary, and representatives of his department’s cybersecurity team, who were charged with searching for threats from other countries.
It’s been nearly four months since officials uncovered what they describe as a huge, months-long cyberespionage campaign carried out primarily through a hack of commonly used SolarWinds Inc. software. At least nine federal agencies, including the Department of Homeland Security, as well as hundreds of private-sector businesses, have been hacked.
Senators wrote to Brandon Wales, acting director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Division, and Christopher DeRusha, the Office of Management and Budget’s chief information security officer.
Senators are requesting a number of documents relevant to the hack, including those that detail which accounts were targeted or compromised.
A spokesperson for the cybersecurity department, Scott McConnell, said the agency “does not comment on legislative correspondence.” OMB did not respond to a request for comment right away.
In an interview with The Associated Press last week, Anne Neuberger, the deputy national security adviser, said there were “gaps” in basic cybersecurity protections at some of the nine agencies affected, making it difficult for officials to figure out what the hackers got access to.
She said the administration has established five required modernizations as a result of its investigation into how the SolarWinds hack occurred, including the use of technology that constantly monitors for malicious activity and needing more multi-factor authentication so systems can’t be accessed with just a stolen password.
As it considers retaliatory action against Russia, the Biden administration has sought to keep the extent of the SolarWinds assault under wraps. However, an investigation by the Associated Press uncovered new information about the DHS and other departments, including the Energy Department, where hackers obtained access to top officials’ schedules.
The Associated Press consulted with more than a dozen current and former US government officials, all of whom spoke on the condition of anonymity due to the continuing investigation into the hack.