Biden officials pledge to confront cybersecurity challenges head-on
Federal officials faced a grilling from lawmakers on Tuesday over how the Biden administration is responding to a string of recent cyberattacks that debilitated critical groups, with U.S. officials vowing to further bolster their cyber efforts.
Transportation Security Administration (TSA) head David Pekoske and other representatives from the departments of Homeland Security, Justice and Transportation testified as part of two Senate hearings organized to look into cyber concerns, particularly recent ransomware attacks.
These included the May attack on Colonial Pipeline, which led to panic-buying and gas shortages in multiple states, followed by others on meat provider JBS USA and software company Kaseya, all of which have led Congress to take aim at confronting cyber threats.
“The Colonial Pipeline attack is frankly the tip of the iceberg,” Senate Commerce Committee Chairwoman Maria Cantwell (D-Wash.) testified at the start of her panel’s hearing on pipeline cybersecurity.
“Our country is seeing 4,000 ransomware attacks every single day, and since the start of the coronavirus pandemic, the FBI has reported that cyberattacks have increased over 300 percent,” she said.
Cantwell described the rise in sophisticated cyberattacks as “an alarm bell ring ringing about the need to immediately bolster the cybersecurity of our critical infrastructure.”
“If we don’t, it will only be a matter of time before we see another crippling cyber incident that will have an even more catastrophic impact,” she added.
Sen. Dick Durbin (D-Ill.), chairman of the Senate Judiciary Committee, which held another hearing Tuesday, said, “When it comes to ransomware, it’s not just our money that’s at stake, it’s sensitive information, a personal sense of security, and truthfully, our nation’s security. It’s a critical challenge.”
Biden administration officials sought to reassure lawmakers that action was being taken to address cyberattacks, as the federal government has made confronting cyber threats a major priority amid the ongoing breaches.
Efforts include the establishment earlier this year of an interagency task force to confront ransomware attacks, and President Biden signing an executive order to strengthen federal cybersecurity and making cybersecurity a key area of discussion with allied nations.
Other steps have included the TSA issuing two security directives in the months since the Colonial Pipeline attack intended to increase pipeline cybersecurity.
Pekoske testified to the Commerce Committee that 100 percent of the owners and operators of critical pipelines have complied with requirements in his agency’s first security directive issued in May. The order required pipeline companies to report cyber incidents within 12 hours, among other issues.
The TSA administrator told The Hill following his testimony that further directives have not been ruled out.
“We will always look at, first, the information we get from compliance with the first two security directives and make a judgement in future. We have not made that judgement yet,” Pekoske said. “It’s very much an open question.”
Pekoske faced pushback from GOP Sens. Marsha Blackburn (Tenn.) and Deb Fischer (Neb.) during the hearing. Both Republicans cited concerns from constituents in the pipeline industry that requirements in the second security directive, issued last week, were too onerous.
The TSA head insisted that there were options for companies overwhelmed by the directives, through allowing the groups to submit “alternative procedures” for consideration.
“What that means is a company can come in to us and say, ‘Hey, we see your requirement, we have a different way we would like to accomplish that requirement, it might not be exactly as you prescribed, would you consider our alternative way or our alternative procedure to comply?’ ” Pekoske told The Hill.
“We will always look at those carefully, make an assessment, have a dialogue with the company, and then make a written determination as to whether their alternative procedure is acceptable,” he said.
Beyond the TSA, Biden has moved to put pressure on Russia to take action against cybercriminal groups based within the country’s borders, which have been tied by the FBI to the attacks on Colonial Pipeline and JBS USA.
Biden met with Russian President Vladimir Putin in Geneva last month to discuss cybersecurity concerns, among other issues, and called to pressure him to step up efforts against hackers in Russia following the attack on Kaseya earlier this month.
Senators drilled officials Tuesday at the Judiciary hearing on whether these efforts had seen any success.
“I don’t believe there has been a measurable drop. No, I don’t believe there has been a change,” Richard Downing, deputy assistant attorney general for the Justice Department’s criminal division, testified on rates of Russian-linked cyberattacks.
Eric Goldstein, the executive assistant director of cybersecurity for the Cybersecurity and Infrastructure Security Agency, stressed that it was difficult to gauge the impact given concerns over cyber incident reporting.
“We believe that only about a quarter of ransomware intrusions are actually reported, so the question of whether we are seeing a change in trend is a hard one to answer,” he testified. “We simply don’t have the data to be able to answer that question with any level of authority.”
Officials further testified that while their agencies were doing all they could to take action against the threat, Congress should work to pass legislation to increase cyber incident reporting.
“We wholeheartedly believe a federal standard is needed to mandate the reporting of certain cyber incidents, including most ransomware incidents,” Bryan Vorndran, the assistant director of the FBI’s cyber division, testified. “The scope and severity of this threat has reached the point where we can no longer rely on voluntary reports alone to learn about incidents.”
Both the House and Senate have already been considering mandatory reporting legislation in the wake of the cybersecurity incidents. All but three members of the Senate Intelligence Committee last week introduced a bipartisan bill that would mandate reporting of cybersecurity incidents by groups critical to national security within 24 hours of the attack.
Senators and officials came together to agree on the need to pass this type of legislation and other bills to combat cyber threats sooner rather than later.
“Right now, notwithstanding our outstanding capabilities, I think we are getting our lunch eaten on a regular basis, and we’ve got to up our game,” Sen. John Cornyn (R-Texas) told witnesses at the Judiciary hearing.
“That is not a comment on what you do or the people who work with you. I think it’s up to Congress and the policymakers to come up with a policy that you can implement to do the job that you are trained to do and you are trying to do every day.”