Federal officials faced a grilling from lawmakers on Tuesday over how the Biden administration is responding to a string of recent cyberattacks that debilitated critical groups, with U.S. officials vowing to further bolster their cyber efforts.
Transportation Security Administration (TSA) head David Pekoske and other representatives from the departments of Homeland Security, Justice and Transportation testified as part of two Senate hearings organized to look into cyber concerns, particularly recent ransomware attacks.
These included the May attack on Colonial Pipeline, which led to panic-buying and gas shortages in multiple states, followed by others on meat provider JBS USA and software company Kaseya, all of which have led Congress to take aim at confronting cyber threats.
“The Colonial Pipeline attack is frankly the tip of the iceberg,” Senate Commerce Committee Chairwoman Maria Cantwell (D-Wash.) testified at the start of her panel’s hearing on pipeline cybersecurity.
“Our country is seeing 4,000 ransomware attacks every single day, and since the start of the coronavirus pandemic, the FBI has reported that cyberattacks have increased over 300 percent,” she said.
Cantwell described the rise in sophisticated cyberattacks as “an alarm bell ringing about the need to immediately bolster the cybersecurity of our critical infrastructure.”
“If we don’t, it will only be a matter of time before we see another crippling cyber incident that will have an even more catastrophic impact,” she added.
Sen. Dick Durbin (D-Ill.), chairman of the Senate Judiciary Committee, which held another hearing Tuesday, said, “When it comes to ransomware, it’s not just our money that’s at stake, it’s sensitive information, a personal sense of security, and truthfully, our nation’s security. It’s a critical challenge.”
Biden administration officials sought to reassure lawmakers that action was being taken to address cyberattacks, as the federal government has made confronting cyber threats a major priority amid the ongoing breaches.
Efforts include the establishment earlier this year of an interagency task force to confront ransomware attacks, and President Biden signing an executive order to strengthen federal cybersecurity and making cybersecurity a key area of discussion with allied nations.
Other steps have included the TSA issuing two security directives in the months since the Colonial Pipeline attack intended to increase pipeline cybersecurity.
Pekoske testified to the Commerce Committee that 100 percent of the owners and operators of critical pipelines have complied with requirements in his agency’s first security directive issued in May. The order required pipeline companies to report cyber incidents within 12 hours, among other issues.
The TSA administrator told The Hill following his testimony that further directives have not been ruled out.
“We will always look at, first, the information we get from compliance with the first two security directives and make a judgement in future. We have not made that judgement yet,” Pekoske said. “It’s very much an open question.”
Pekoske faced pushback from GOP Sens. Marsha Blackburn (Tenn.) and Deb Fischer (Neb.) during the hearing. Both Republicans cited concerns from constituents in the pipeline industry that requirements in the second security directive, issued last week, were too onerous.
The TSA head insisted that there were options for companies overwhelmed by the directives, through allowing the groups to submit “alternative procedures” for consideration.
“What that means is a company can come in to us and say, ‘Hey, we see your requirement, we have a different way we would like to accomplish that requirement, it might not be exactly as you prescribed, would you consider our alternative way or our alternative procedure to comply?’ ” Pekoske told The Hill.
“We will always look at those carefully, make an assessment, have a dialogue with the company, and then make a written determination as to whether their alternative procedure is acceptable,” he said.
Beyond the TSA, Biden has moved to put pressure on Russia to take action against cybercriminal groups based within the country’s borders, which have been tied by the FBI to the attacks on Colonial Pipeline and JBS USA.
Biden met with Russian President Vladimir Putin in Geneva last month to discuss cybersecurity concerns, among other issues, and called to pressure him to step up efforts against hackers in Russia following the attack on Kaseya earlier this month.
Senators drilled officials Tuesday at the Judiciary hearing on whether these efforts had seen any success.
“I don’t believe there has been a measurable drop. No, I don’t believe there has been a change,” Richard Downing, deputy assistant attorney general for the Justice Department’s criminal division, testified on rates of Russian-linked cyberattacks.
Eric Goldstein, the executive assistant director of cybersecurity for the Cybersecurity and Infrastructure Security Agency, stressed that it was difficult to gauge the impact given concerns over cyber incident reporting.
“We believe that only about a quarter of ransomware intrusions are actually reported, so the question of whether we are seeing a change in trend is a hard one to answer,” he testified. “We simply don’t have the data to be able to answer that question with any level of authority.”
Officials further testified that while their agencies were doing all they could to take action against the threat, Congress should work to pass legislation to increase cyber incident reporting.
“We wholeheartedly believe a federal standard is needed to mandate the reporting of certain cyber incidents, including most ransomware incidents,” Bryan Vorndran, the assistant director of the FBI’s cyber division, testified. “The scope and severity of this threat has reached the point where we can no longer rely on voluntary reports alone to learn about incidents.”
Both the House and Senate have already been considering mandatory reporting legislation in the wake of the cybersecurity incidents. All but three members of the Senate Intelligence Committee last week introduced a bipartisan bill that would mandate reporting of cybersecurity incidents by groups critical to national security within 24 hours of the attack.
Senators and officials came together to agree on the need to pass this type of legislation and other bills to combat cyber threats sooner rather than later.
“Right now, notwithstanding our outstanding capabilities, I think we are getting our lunch eaten on a regular basis, and we’ve got to up our game,” Sen. John Cornyn (R-Texas) told witnesses at the Judiciary hearing.
“That is not a comment on what you do or the people who work with you. I think it’s up to Congress and the policymakers to come up with a policy that you can implement to do the job that you are trained to do and you are trying to do every day.”