The Hack Roundup: State Department Cyber Office Clears Committee Amid Push for International Norms


Here are the news and updates you might have missed.

The House Foreign Affairs Committee unanimously approved the creation of a new bureau of international cyberspace policy at the State Department as part of the Cyber Diplomacy Act, a move that could take on more importance in the wake of the massive hack that compromised at least nine federal agencies.

The organization of the State Department’s work on cybersecurity was a contentious issue before reports of the breaches, which U.S. officials believe are of “likely Russian” origin, emerged in December. 

The Trump administration saw security issues in cyberspace as separate from those of human rights, economics and democracy. But members of Congress, including members of the Cyberspace Solarium Commission, say such considerations cannot be divorced and that the legislation approved in a markup Thursday would break down the unhelpful silos. And the focus on international engagement—including at the Cybersecurity and Infrastructure Security Agency—has increased since the hacking campaign, which leveraged access to network management company SolarWinds.     

“I stood up and authorized the Cybersecurity and Infrastructure Security Agency within the Department of Homeland Security to defend the nation from cyberattacks,” said Rep. Mike McCaul, the ranking member of the Foreign Affairs Committee, who originally authored the legislation. “But we need this mission, and this office at the State Department, so that we can have international norms and standards. When it comes to cybersecurity, if anything, the SolarWinds breach from Russia, I think exemplifies the importance of why we need these international norms and standards.”

Sen. Marco Rubio, R-Fla., is reluctant to refer to the suspected Russian hacking campaign as an “attack.” During a Senate Intelligence Committee hearing Tuesday, he said he shares the White House’s concerns that the events equate to more than a single incident of espionage and could potentially be disruptive, but “those are not the facts that are in front of us.”

“Everything we have seen thus far indicates that at some level, this was an intelligence operation, and a rather successful one, that was ultimately disrupted,” Rubio said. “While there are a myriad of ways for sovereign states to respond, I caution against the use of certain terms at this time until the facts lead us to the use of terms such as ‘attack,’ and so forth. I've always advocated for standing up to our adversaries. I think that's important. I will continue to advocate for that. But I want to know today what the actors' intent seemed to be and the extent of the damage before we categorize it.”

How the events are classified could have a bearing on what is considered acceptable behavior for nation-states. Information collection efforts, as opposed to acts of sabotage, are considered standard, a point Sen. Tom Cotton, R-Ark., also emphasized with his questions.

Microsoft President Brad Smith reiterated calls for the U.S. to play a greater role in establishing international norms of behavior in cyberspace. Testifying before the intelligence panel, Smith noted that the U.S. is not a member of the 2018 Paris Call for Trust and Security in Cyberspace. Seventy-nine countries and 688 companies, including Microsoft, have signed on to the agreement, which centers on nine principles such as non-proliferation.

Intelligence Committee Chairman Mark Warner, D-Va., suggested it might be appropriate to update international rules by making software updates off-limits, along with critical infrastructure such as hospitals.

“I use the analogy that in warfare, you don't bomb the ambulance, should we try to get to a point where we don't bomb the patch, or that you don't hit the hospital literally, or the electoral systems? How do we move towards that system of norms?” he said.

The United Nations has also established 11 norms for responsible behavior in cyberspace. During a U.S. Chamber of Commerce event Tuesday, a leading Estonian official said the real challenge is enforcement.

Smith pushed for the U.S. to do more on accountability during another hearing Tuesday before the Senate Armed Services Committee.

“I think it needs to start by public accountability with the United States and other governments, as we did in 2017 twice after WannaCry and NotPetya,” he said. “But then there needs to be responses as well, and there should be a range of responses for different circumstances. It needs to be a robust menu, and we’re going to need an executive branch that has the confidence and the support of the American public to carry them out.” 

White House Press Secretary Jen Psaki confirmed Tuesday it will be “weeks, not months” before the Biden administration responds to the hack, though she did not confirm reports that sanctions are being prepared to hold Russia accountable for it and other malign cyber activities. 

“[W]e announced our ongoing review and the president spoke about it in his conversation with President Putin just a few weeks ago. We have asked the Intelligence Community to do further work to sharpen the attribution that the previous administration made about precisely how the hack occurred, what the extent of the damage is, and what the scope and scale of the intrusion is—and we're still in the process of working that through now,” she said. “It will be weeks, not months before we respond, but I'm not going to get ahead of the conclusion of that process.”

Psaki briefly reiterated the point at Wednesday’s daily press briefing, as well.

Sen. Ron Wyden, D-Ore., expressed concerns that reaction to the SolarWinds-involved event would lead to policies that sacrifice privacy. 

During the intelligence hearing, Sens. Martin Heinrich, D-N.M., Ben Sasse, R-Neb., and Richard Burr, R-N.C., all highlighted the hackers’ use of domestic infrastructure, which the National Security Agency cannot legally surveil.

“Whether it's [the] Russian hack of [the Democratic National Committee] in 2016, the North Korean Sony hack or current supply-chain hacks, we constantly see foreign actors exploiting domestic infrastructure for the command and control to hide the nefarious traffic in legitimate traffic,” Burr said, specifically highlighting Amazon Web Services, in this case. 

AWS said the hackers did use their platform but that it was “not affected.”  

“Here's the problem,” Burr said. “Given the legal restrictions on the intelligence community, we don't have the ability to surveil the domestic infrastructure.” 

During the Senate Armed Services Committee hearing, Sen. Angus King, I-Maine, also raised concerns that the U.S. has gaps in authority when it comes to handling cyberattacks because the Central Intelligence Agency and the National Security Agency are focused on foreign intelligence gathering, leaving the FBI as the de facto body for internal cyber defense.  

The SolarWinds attack exploited the fact that the NSA’s authority is external, Smith told the committee. He emphasized that whatever body ultimately handles domestic cyber defense will need to be prepared to share its threat intel “rapidly, oftentimes immediately” with other parts of the government. 

“I think the first question for the Congress and the executive branch is what part of the government do we want to have assume responsibility for what I'll call the aggregation of threat intelligence domestically,” Smith said. “Is it CISA, is it the FBI, is it somebody else?”

The Department of Homeland Security is raising by 2.5% the amount that recipients of grants it issues through the Federal Emergency Management Agency will be required to spend on cybersecurity, an increase that will be equal to $25 million across the country.

“Cybersecurity is not only about protecting the federal government. This is certainly a top priority especially now in the wake of the ongoing cyber campaign,” DHS Secretary Alejandro Mayorkas said Thursday during the annual President’s Cup cybersecurity competition.  

The General Services Administration prepared a buyer’s guide of things to consider when shopping for vendors to address advanced persistent threat actors.

“The recent exploitation of SolarWinds products is the latest example of an APT in the Federal space, and led to the issuance of Emergency Directive 21-01 to mitigate the compromise,” reads a blog GSA published with the guide Tuesday. “The Buyer’s Guide provides key considerations organizations can take while evaluating potential APT products, solutions, and services.”

The House committees on Oversight and Reform and Homeland Security will hold a joint hearing Friday on the roles of private tech companies in the hacking campaign. Smith will testify along with FireEye CEO Kevin Mandia and the current and former CEOs of SolarWinds.

Mila Jasper and Brandi Vincent contributed to this report.