House Committees Launch Investigation into Alleged Russian Hack of Federal Agencies

The House committees on Homeland Security and Oversight and Reform Thursday launched an investigation into a wide-ranging hack that has impacted multiple federal agencies since it was publicly revealed Dec. 13.

The House investigation was announced hours after the Cybersecurity and Infrastructure Security Agency released an alert outlining at least one more attack vector used by hackers in addition to the SolarWinds Orion product used to compromise some federal systems. The alert further identified IT and security personnel as prime targets for hackers.

“Our committees are seeking information related to the apparent, widespread compromise of multiple federal government, critical infrastructure, and private sector information technology networks,” said Homeland Security Committee Chair Bennie Thompson, D-Miss., and Oversight and Reform Committee Chair Carolyn Maloney, D-NY, in a letter to the heads of the FBI, Homeland Security and the intelligence community.

“While investigations and technical forensic analyses are still ongoing, based on preliminary reporting, it is evident that this latest cyber intrusion could have potentially devastating consequences for U.S. national security,” the lawmakers added.

Per a Dec. 13 CISA directive, federal agencies were ordered to turn off all instances of the SolarWinds Orion software connected to government systems. Developments since then have signaled the hack—potentially carried out by Russians, though the government has yet to confirm that—was more widespread than previously thought. While the hack remains under investigation by multiple agencies, Maloney and Thompson said their committees expect transparent information to inform their decisions moving forward.

“As the committees of jurisdiction for U.S. cybersecurity preparedness and the defense of federal information technology systems, it is imperative that our Committees receive the latest information on the number of federal departments, agencies, and other entities affected by the breach, the extent to which sensitive information and data—including classified information—may have been compromised or exposed, the threat actor or actors responsible, and the administration’s ongoing efforts to prevent further damage, secure its computer networks, and hold those responsible accountable,” the letter states.

Biden Weighs in

President-elect Joe Biden issued a statement regarding the hack Thursday, promising a Biden/Harris administration will “elevate cybersecurity as an imperative across the government.” Biden also vowed to use the levers of government to impose “substantial costs on those responsible for such malicious attacks.”

Biden’s statement, in its entirety:

“We have learned in recent days of what appears to be a massive cybersecurity breach affecting potentially thousands of victims, including U.S. companies and federal government entities. There’s a lot we don’t yet know, but what we do know is a matter of great concern. I have instructed my team to learn as much as we can about this breach, and Vice President-elect Harris and I are grateful to the career public servants who have briefed our team on their findings, and who are working around-the-clock to respond to this attack. I want to be clear: my administration will make cybersecurity a top priority at every level of government -- and we will make dealing with this breach a top priority from the moment we take office. We will elevate cybersecurity as an imperative across the government, further strengthen partnerships with the private sector, and expand our investment in the infrastructure and people we need to defend against malicious cyber attacks. But a good defense isn’t enough; we need to disrupt and deter our adversaries from undertaking significant cyber attacks in the first place. We will do that by, among other things, imposing substantial costs on those responsible for such malicious attacks, including in coordination with our allies and partners. Our adversaries should know that, as President, I will not stand idly by in the face of cyber assaults on our nation.”

President Donald Trump has yet to weigh in on the incident.