Congress’s latest hacking investigation should model its most recent
On April 30, 2015 the Office of Personnel Management briefed Congress on a major incident involving the cyber theft of what would later be called the “crown jewels” — the highly personal information on government employees with security clearances. The first Congressional oversight hearing took place twelve days later, which started a year-long investigation putting the agency under a microscope and ultimately led to the resignations of the director of OPM and its chief information officer.
The compromise of a less well-known organization (at least, by the general public) turned into major cybersecurity vulnerability rings eerily similar to our experience in 2015. As the SolarWinds hearings continue and committees ramp up their investigations into the federal response, members and staff may benefit from considering how the House Oversight and Government Reform Committee conducted its inquiry into the OPM hacks.
First and foremost, don’t be afraid to get technical. The pivotal findings from the investigation into the OPM data breaches were rooted in the understanding, among other things, of end-point protection technologies and the implications of failing to segment network architecture. To understand the questions raised by the SolarWinds incident — of both IT security policy and practice — Congressional investigators will have to examine the details of software updating, authentication, code signed certificates, risk-based cybersecurity, vulnerability management and how to hunt for advanced persistent threat actors, among other cyber topics.
During both hearings the SolarWinds hackers were rightly referred to as “sophisticated.” Their ability to obtain access via a trusted supplier and the demonstrated ability to leverage that access to hide their digital tracks and to navigate multiple victims’ IT environments for months without being identified illustrate a thoughtful, patient and resourced adversary. Grasping the implications of these tactics and behaviors will be key in understanding the nuances and unique policy implications of supply chain attacks. Getting these details right will be necessary for effective Congressional oversight to push federal agencies toward long-term solutions, rather than grasping for silver bullets. House and Senate offices should lean on fellowship programs, such as TechCongress, to bring experienced technical knowledge directly to policymakers.
Second, Congressional overseers will likely look at this issue from the perspective of federal IT leadership. In 2016, then-Rep Jason Chaffetz (R-Utah), who was chairman of the Committee on Oversight and Government Reform, authored a letter addressed to federal chief information officers as the preamble to a majority staff report on the data breaches at OPM. This letter was a call to arms for federal chief information officers to seize the moment and prove they could be trusted with the nation’s and its citizens’ most sensitive information. Congressional overseers will now have to judge whether or not they have lived up to that challenge.
The unfortunate reality is that many federal chief information officers still suffer from systemic problems — a shortage of qualified cyber and IT professionals, pervasive use of legacy technologies that are no longer supported by the vendors and limited resources, among other things. The current federal statutory requirements, established by the Federal Information Security Modernization Act of 2014, makes each agency responsible when it comes to securing its digital assets. But as supply chain attacks such as SolarWinds illustrate, cybersecurity is a team sport that requires a comprehensive approach that leverages shared services, increased automation, and a holistic understanding of risk. Perhaps Congress should consider whether the Cybersecurity and Infrastructure Security Agency should be given additional authority and resources to take a more active role in assessing and managing cybersecurity risks and incident response across federal civilian agencies?
Finally, as in 2015, Congress is uniquely positioned to explore the full breadth of the SolarWinds incident. House and Senate Committees will be able to convene stakeholders ranging from leading private sector incident response firms and academic experts to victims and federal agencies. Hearings and transcribed interviews are critical investigative tools, but some of the most valuable insights in 2015 started with off the record meetings and briefings with technical experts. Closed door roundtables can provide an invaluable opportunity for members to engage collectively with experts on complex cybersecurity, supply chain and IT questions.
At the first Congressional hearing on the OPM data breaches, former Rep. Will Hurd (R-Texas) observed, “until leadership takes control of the basic cybersecurity measures, things like network monitoring, encrypting data and segmentation, we will always be playing catch-up against highly sophisticated adversaries.”
Five years later it is fair to say the federal government is still playing catch-up. Shortly after the attack was made public, then President-Elect Biden hinted at a cyber-enabled offensive response to the SolarWinds attack saying, “we will respond, probably in kind.” But to prevent another SolarWinds it will not only be a matter of hitting back, but also, a matter of the realities of the cybersecurity calculus finally hitting home.
Mike Flynn is a visiting fellow at the National Security Institute at George Mason University and a senior director and counsel for Government Affairs at the Information Technology Industry Council. He served as the lead cybersecurity counsel on the House Oversight Committee during the investigation into the data breaches at OPM in 2015.