DHS Nominee Pledges Review of Agency’s Core Cybersecurity Programs

President-elect Joe Biden’s nominee to lead the Department of Homeland Security Alejandro Mayorkas promised to review the agency’s early detection and monitoring systems that failed to alert officials to the widespread cybersecurity breaches affecting federal agencies and private-sector critical infrastructure. 

Mayorkas said he looks forward to “conducting a thorough review ... to understand whether Einstein and [Continuous Diagnostics and Mitigation], as it is commonly referred to, are appropriately designed and appropriately and effectively executed to stop a threat such as SolarWinds and if not, what other defenses need we develop in the federal government to best protect our very valuable equities and resources.”

Mayorkas was responding to a question from Sen. Maggie Hassan, D-N.H. during his confirmation hearing before the Senate Homeland Security and Governmental Affairs Committee Tuesday.

Hassan’s question included the premise that the systems, which use sensors and monitoring devices to detect and communicate known vulnerabilities across the government, did not work in the case of novel malware and techniques used by hackers who leveraged their intrusion into ubiquitous IT management company SolarWinds to gain unauthorized access to agencies.     

“The SolarWinds cyberattack revealed vulnerabilities across the government in the systems designed to prevent such a far-reaching attack,” she said. “As secretary, you will be charged with immediately reviewing the adequacy of two Department of Homeland Security programs … in order to understand why they did not detect or prevent these intrusions. Do you have any initial thoughts on the performance of these programs, and whether any fundamental changes will be required to either?”

Mayorkas said he would avail himself of all the intelligence available on the SolarWinds event. 

The hearing was dominated by questions about immigration and allegations of unsuitable treatment of whistleblowers in relation to an inspectors general report during Mayorkas’ previous tenure as director of the U.S. Citizenship and Immigration Services. But in the few mentions of cybersecurity, Mayorkas, who also served as Homeland Security deputy secretary from 2013 to 2016, emphasized a need to work closely with the private sector.

“The Department of Homeland Security is fundamentally a department of partnerships,” he said during his opening statement. “To enhance our cybersecurity the department depends upon and must strengthen its cooperation with the private sector.”

Mayorkas is currently a partner with the law firm WilmerHale and in 2017 the U.S. Chamber of Commerce announced he would chair its Cyber Leadership Council. The council “serves as a forum for businesses to openly discuss cybersecurity policy and practices, direct Chamber advocacy and education efforts, and serve as a key voice of industry for dialogue with policymakers,” according to a press release from the Chamber.

Asked by Committee Chairman Sen. Rob Portman, R-Ohio, about what his approach would be with regard to the Cybersecurity and Infrastructure Security Agency, Mayorkas said the agency “must strengthen the public-private partnership, not only for the benefit, of course, of the federal government, but for the benefit of the private sector itself.”

Mayorkas said Congress deserves credit for establishing a national cyber director position, as advocated by the Cyberspace Solarium Commission, and other provisions in the National Defense Authorization Act to help CISA meet its statutory obligations.

In a letter to Portman and Ranking Member Sen. Gary Peters, D-Mich., the Chamber of Commerce supported Mayorkas’ nomination, noting his role in advocating for a 2015 law meant to foster the sharing of information about threats between the public and private sectors.

“He was a champion for improved cyber threat information sharing, which helping [sic] to usher in the Cybersecurity Information Sharing Act of 2015,” the letter reads. “Expansion of initiatives such as these—and others—to improve government-private collaboration and intelligence sharing will be essential going forward.”

But multiple IG reports show poor participation from the private sector in the information-sharing mechanism established at DHS. And the Solarium Commission is now also calling for the private sector to share information about cybersecurity incidents, in addition to threats. 

One provision, which did not make it into the final NDAA, would have required Mayorkas, as DHS secretary, to study how to best establish such reporting from the private sector. It was opposed by the Chamber and other groups as overly broad. 

Sen. Josh Hawley, R-Mo., has placed a hold on a procedure to bypass Mayorkas’ consideration by the full committee. There are too many unanswered questions about the nominee’s intention toward enforcement of laws regarding the southern border wall system, he said in a statement following the hearing.