New authorities from the recently enacted defense bill are expected to help the U.S. government in its response to the SolarWinds hack believed to be perpetrated by Russia.
The annual National Defense Authorization Act (NDAA), which became law this past week after Congress overrode President TrumpDonald TrumpMcConnell circulates procedures for second Senate impeachment trial of Trump Trump suggests building own platform after Twitter ban Poll: 18 percent of Republicans support Capitol riots MORE’s veto, formally established a cyber czar position at the White House, in addition to granting numerous other cybersecurity powers that could help the incoming Biden administration respond to the Russian hack.
“Once this individual is appointed and confirmed, this would be the individual who is coordinating the response,” Rep. Jim LangevinJames (Jim) R. LangevinSenate approves defense bill establishing cyber czar position, subpoena power for cyber agency House chairman endorses Michele Flournoy for Biden’s Pentagon chief Hillicon Valley: Senate Intelligence Committee leaders warn of Chinese threats to national security | Biden says China must play by ‘international norms’ | House Democrats use Markup app for leadership contest voting MORE (D-R.I.), one of the key members of Congress who pushed for the national cyber director position to be established, told The Hill this week.
The national cyber director, a Senate-confirmed position, could play a critical role as federal agencies grapple with the depth and breadth of the SolarWinds hack.
“Rather than response being ad hoc and figuring out as we go, you’d have someone who has a well thought out plan for a thorough and aggressive response, and we would be much more effective,” Langevin said of a response to the SolarWinds hack.
U.S. intelligence agencies this week formally accused Russia of being behind the attack on the IT firm SolarWinds that hit clients like Fortune 500 companies and the majority of federal agencies as far back as March.
The Commerce, Defense, Energy, Homeland Security, Justice, State, and Treasury departments have all said they were compromised by the hack.
SolarWinds reported last month that around 18,000 of its customers were likely affected. Microsoft and the cybersecurity group FireEye both confirmed they were impacted.
“This is a massive, massive issue which certainly affects governments but in all probability has great consequences outside of government, into the private sector that we still are at the early innings of understanding,” said Amit Yoran, chairman and CEO of the cybersecurity group Tenable.
The executive branch has been without a formal cybersecurity leader since 2018, when former national security adviser John BoltonJohn BoltonShellshocked GOP ponders future with Trump Calls grow louder to remove Trump under 25th Amendment John Bolton argues against invoking 25th Amendment against Trump MORE eliminated the role as a way to reduce bureaucracy.
The move came a year after the State Department got rid of its cybersecurity coordinator office, making it harder for the government to coordinate on international cyber security issues.
President-elect Joe BidenJoe BidenUS judge blocks Trump administration’s restrictions on asylum eligibility McConnell circulates procedures for second Senate impeachment trial of Trump Top Trump official rescinds then reissues resignation letter to say departure is in protest MORE is likely to take a very different approach to cyber leadership.
“We have to be able to innovate and reimagine our defenses against growing threats in new realms like cyberspace,” Biden said at a press conference last month while addressing the SolarWinds attack.
Biden has not yet named an individual to fill the cyber czar post, and a transition spokesperson declined to comment on who might be under consideration.
Langevin said he hoped Biden would consider former officials like Michael Daniel, who served as special assistant to former President Obama and cybersecurity coordinator on the National Security Council; Suzanne Spaulding, former director of the predecessor agency to the Cybersecurity and Infrastructure Security Agency (CISA); and Chris Inglis, former deputy director of the National Security Agency.
“I have been in contact with someone at the very senior level within the Biden team, and hopefully we’ll have a national cyber director sooner rather than later,” Langevin said.
While the post hasn’t been filled, another key cybersecurity role that could assist in the response to the SolarWinds attack seems to be locked down.
Politico reportef Thursday that Biden would shortly appoint Ann Neuberger, the director of the National Security Agency’s Cybersecurity Directorate, to fill the newly created role of deputy national security adviser for cybersecurity on the National Security Council.
The Biden transition spokesperson declined to comment on this as well, but said “the Biden-Harris Administration will make cybersecurity a top priority, elevating it as an imperative across the government from day one.”
“We will strengthen our partnerships with the private sector, academia, and civil society; renew our commitment to international norms and engagement on cyber issues; and expand our investment in the infrastructure and people we need to effectively defend the nation against malicious cyber activity,” the spokesperson added.
The two new positions aren’t the only new powers the federal government in responding to cyber threats.
The massive defense funding bill included over two dozen other clauses that were based on recommendations compiled by the Cyberspace Solarium Commission (CSC), a congressionally established group made up of lawmakers, federal officials and industry leaders to draw up a road map for defending the U.S. in cyberspace.
Some of their recommendations that were included in the bill were clauses allowing CISA to conduct cyber threat hunting operations within an agency’s network, a power that might have notified officials far earlier about the SolarWinds hack.
The defense bill also gives CISA the power to issue subpoenas to internet service providers, compelling them to release information on cyber vulnerabilities detected on the networks of critical infrastructure organizations.
“I think a lot of the recommendations and the things in the NDAA will help and be pretty impactful,” Yoran said.
Langevin said he hoped the Biden administration would work quickly to implement the new authorities in order to “get their arms around” the increasing risk posed by adversaries in cyberspace.
“I am already impressed with the national security team that President-elect Biden is putting together,” Langevin said. “It is going to take a bit, but I want to make sure we are implementing the provisions that are in law, and combined they will both go a long way to protecting the United States in cyberspace.”