Members of a key cyber panel wanted to know why the Department of Homeland Security wasn’t alerted to the ransomware attack that set off panic-buying of gasoline and whether the Pentagon could have taken measures to stop it before it happened.
Sen. Joe Manchin (D-W.Va.) said at Tuesday’s Senate Armed Services cyber subcommittee hearing that what happened when the Colonial Pipeline was shut down “was an attack to me” coming from outside the U.S. and had implications for the Pentagon.
Joining the chairman in asking what role the National Security Agency or U.S. Cyber Command might have played in identifying the attack or stopping it was Sen. Mike Rounds (R-S.D.), who said “we’re not even sure Homeland Security was advised” of the attack. He added that the Justice Department also wasn’t aware that the ransom demand was to be paid in cryptocurrency.
The hacker group DarkSide, which the FBI said was behind the attack, was paid $5 million in cryptocurrency, according to CNBC.
Rear Adm. William Chase, the deputy cyber advisor to the secretary of defense, said the demand for cryptocurrency “was unique to this one.”
Speaking on cybersecurity in the defense industrial base but alluding to other intrusions, Chase said, “we need to remove barriers” between Homeland Security, the Justice Department (particularly the FBI) and the Pentagon in cybersecurity matters.
As he has in earlier hearings, Rounds said that too many silos exist in sharing threat information inside the government itself and with the private sector. Private-sector operators such as the owners of Colonial Pipeline, he noted, were not required to “report to anyone” that a major attack had occurred.
Manchin said this was not the first time something like this had occurred, citing the SolarWinds hack, in which malware exposed vulnerabilities in the software supply chain. The private sector also did not immediately sound the alarm when that hack happened.
In his prepared testimony, Jesse Salazar, deputy assistant secretary for industrial policy, said the “fallout continues from Russia’s SolarWinds cyber-espionage campaign that breached 16,800 users through the exploitation of what was observed to be a routine software update. Advanced persistent threat groups have recently attacked U.S. defense targets through security flaws in VPN devices and email exchange servers.”
In his opening remarks, Rounds said the Russians and the Chinese have found that hacking the defense industrial base has proven to be “an extremely profitable enterprise.” He questioned how seriously the largest contractors have stepped up their work with their subcontractors to “reduce the attack surface” those smaller firms present to espionage and disruption.
Chase said he would have to get back to the committee as to what punitive steps the Pentagon has taken against large contractors whose subcontractors were successfully breached. Securing small companies matters because adversaries know that much of the critical data they cannot reach at the large contractors is duplicated farther down the supply chain.
“We’re finding that [mentoring by the larger contractors to shore up cyber defenses lower in the supply chain] doesn’t happen,” Manchin said.
Salazar, newly installed in office, said during the hearing, “we really focused on cost for small companies” in improving their cybersecurity, putting the requirement on the prime contractors to mentor and ensure compliance.
Among the reasons for concern about the future of small companies is that 40 percent of those that were in the defense industrial base a few years ago are now either out of business or no longer doing Pentagon work.
He added there are 12,000 small companies working as subcontractors for just one large aircraft manufacturer.
Chase said the department has expanded its information-sharing program with the private sector through the Defense Cyber Crime Center to tighten security up and down the supply chain. In written testimony, he said the department “is working to amend relevant regulations to expand the program to include non-cleared defense contractors, thus enabling small- and medium-sized contractors to receive important information, including the same signatures, malign IP addresses, and threat advisories that the larger cleared primes receive as part of the program.”
This includes the National Security Agency’s assistance to all Pentagon contractors, delivered through their internet providers, in detecting targeting by outside adversaries.
Salazar, in prepared testimony, noted, “a combination of education, information-sharing, and cybersecurity tools and services at a reasonable cost can help us achieve these aims, especially for small- and medium-sized businesses” in reducing their vulnerability to attack.