WASHINGTON: Companies and the federal government do not share information about cyber incidents well enough, and defense contractors need to be held accountable for security blunders, lawmakers said.
Sen. Joe Manchin, chair of the Senate Armed Services cyber subcommittee, questioned Jesse Salazar, deputy assistant secretary of defense for industrial policy, yesterday about holding contractors accountable for cyber incursions — at both primes and their subcontractors. Current DoD regulations provide “a number of acquisition levers” that can be used, Salazar noted, but “usually” the contractor’s program management office is contacted and ordered to “improve.”
Manchin pressed Salazar on whether there are “any fines, penalties, costs for not securing.” Salazar, who is just two months into the position, said yes, but he could not provide any examples. Salazar took the question for the record before Manchin noted, “We [Manchin and his staff] are finding out there’s no action taken against primes for subcontractors’ security lapses.”
Sen. Mike Rounds, the top Republican on the cyber subcommittee, weighed in during the hearing, saying there remain significant challenges to sharing information about cyber incidents — both between the private sector and the government, as well as within government.
Rounds questioned Rear Adm. William Chase, deputy principal cyber advisor to the defense secretary and the director of the Protecting Critical Technology Task Force, who said there are some mandatory cyber incident reporting requirements in place for contractors working on DoD-related projects, but they do not apply to companies without DoD contracts. And some information sharing for DoD contractors is only voluntary.
But the federal government, Rounds noted, also has problems sharing information between agencies. “We have silos between the different agencies, and those silos need to be coordinated” at a national level between DHS, DoJ/FBI, and DoD, Rounds said. Information sharing is important “to not just defend, but then to go out and stop these attacks from occurring again in the future. It’s not just within DoD, but at the national level, coordinating all the various very capable entities that make up our cyber defense within the nation.”
The deficit of information sharing came to stark light during the Colonial Pipeline cyberattack.
On Monday, Colonial representatives attended a Congressional briefing on the ransomware attack that paralyzed the business’s IT systems and pipeline operations. Two powerful lawmakers did not like some of what they heard — and didn’t hear.
“We’re disappointed that the company refused to share any specific information regarding the reported payment of ransom,” Rep. Carolyn Maloney, chair of the Oversight and Reform Committee, and Rep. Bennie Thompson, chair of the Homeland Security Committee, said in a statement released after the meeting.
Bloomberg first reported last week that Colonial paid about $5M “within hours of the attack.” Colonial CEO Joseph Blount said today the ransom payment was $4.4M, according to the Wall Street Journal.
The US government generally discourages paying ransoms to decrypt systems following a ransomware incident.
Another failure to share information occurred during the Colonial incident. Last week, CISA Acting Director Brandon Wales told Congress the agency had not received the “technical information” it wanted to communicate to federal agencies, industry more broadly, and the general public.
Biden’s cyber executive order, signed last week, put significant emphasis on establishing better information sharing requirements, but for now, those efforts are aimed at defense contractors and government entities. They do not apply to companies like Colonial.
Colonial is not a special case, just a newsworthy one at the moment. Many businesses deemed critical infrastructure owners and operators by DHS do not have DoD contracts, and so they are not currently required to report cyber incident information to the government. This is the case despite the fact that more than 80 percent of US critical infrastructure is owned and operated by the private sector. Disruptions to these operations can have national security, as well as widespread social and economic, implications.
Another recurring issue is public communication on the government’s response to significant cyber incidents. During a House Armed Services Committee hearing on Friday, Rep. Elissa Slotkin observed, “It is so hard to explain to the American public what we’re doing to respond when they see these very visible attacks. Our constituents are on the front lines of these attacks, and yet they don’t know what their country is doing to respond.”
Slotkin observed it’s a “difficult position” for the government because some aspects of the US response “should be under the radar.” Yet, Slotkin noted, “There’s a real sense that there’s just no deterrence on a cyberattack — that a Russian group, a Chinese group can just attack us with impunity. They can just steal a million records, and we put out a strongly worded press release.”
“So,” Slotkin continued, “we are going to need to figure out how — and not just do it in the shadows — but communicate to the American people that we’re not leaving ourselves open as this becomes the primary form of attack on average American citizens.”
On Friday, Slotkin introduced the CISA Cyber Exercise Act, “a bipartisan bill that would create new ways for American businesses and governments to test their critical infrastructure against the threat of cyber attacks, and establish a National Cyber Exercise Program to test the U.S. response plan for major cyber incidents.”