The Hack Roundup: State Department Cyber Office Clears Committee Amid Push for International Norms

Sorbis/Shutterstock

The House Foreign Affairs Committee unanimously approved the creation of a new bureau of international cyberspace policy at the State Department as part of the Cyber Diplomacy Act, a move that could take on more importance in the wake of the massive hack that compromised at least nine federal agencies.

The organization of the State Department’s work on cybersecurity was a contentious issue before reports of the breaches, which U.S. officials believe are of “likely Russian” origin, emerged in December. 

The Trump administration saw security issues in cyberspace as separate from those of human rights, economics and democracy. But members of Congress, including members of the Cyberspace Solarium Commission, say such considerations cannot be divorced and that the legislation approved in a markup Thursday would break down the unhelpful silos. And the focus on international engagement—including at the Cybersecurity and Infrastructure Security Agency—has increased since the hacking campaign, which leveraged access to network management company SolarWinds.     

“I stood up and authorized the Cybersecurity and Infrastructure Security Agency within the Department of Homeland Security to defend the nation from cyberattacks,” said Rep. Mike McCaul, the ranking member of the Foreign Affairs Committee who originally authored the legislation. “But we need this mission, and this office at the State Department, so that we can have international norms and standards. When it comes to cybersecurity, if anything, the SolarWinds breach from Russia, I think exemplifies the importance of why we need these international norms and standards.” 

Sen. Marco Rubio, R-Fla., is reluctant to refer to the suspected Russian hacking campaign as an “attack.” During a Senate Intelligence Committee hearing Tuesday, he said he shares the White House’s concerns that the events equate to more than a single incident of espionage and could potentially be disruptive, but “those are not the facts that are in front of us.”

“Everything we have seen thus far indicate that at some level, this was an intelligence operation, and a rather successful one, that was ultimately disrupted,” Rubio said. “While there are a myriad of ways for sovereign states to respond, I caution against the use of certain terms at this time until the facts lead us to the use of terms such as ‘attack,’ and so forth. I've always advocated for standing up to our adversaries. I think that's important. I will continue to advocate for that. But I want to know today what the actors intent seemed to be and the extent of the damage before we categorize it.”

How the events are classified could have a bearing on what is considered acceptable behavior for nation-states. Information collection efforts, as opposed to acts of sabotage, are considered standard, a point Sen. Tom Cotton, R-Ark., also emphasized with his questions.

Microsoft President Brad Smith reiterated calls for the U.S. to play a greater role in establishing international norms of behavior in cyberspace. Testifying before the intelligence panel, Smith noted that the U.S. is not a member of the 2018 Paris Call for Trust and Security in Cyberspace. Seventy-nine countries and 688 companies, including Microsoft, have signed on to the agreement, which centers on nine principles such as non-proliferation.

Intelligence Committee Chairman Mark Warner, D-Va., suggested it might be appropriate to update international rules by making software updates off-limits, along with critical infrastructure such as hospitals.

“I use the analogy that in warfare, you don't bomb the ambulance, should we try to get to a point where we don't bomb the patch, or that you don't hit the hospital literally, or the electoral systems? How do we move towards that system of norms?” he said.

The United Nations has also established 11 norms for responsible behavior in cyberspace. During a U.S. Chamber of Commerce event Tuesday, a leading Estonian official said the real challenge is enforcement

Smith pushed for the U.S. to do more on accountability during another hearing Tuesday before the Senate Armed Services Committee.

“I think it needs to start by public accountability with the United States and other governments, as we did in 2017 twice after WannaCry and NotPetya,” he said. “But then there needs to be responses as well, and there should be a range of responses for different circumstances. It needs to be a robust menu, and we’re going to need an executive branch that has the confidence and the support of the American public to carry them out.” 

White House Press Secretary Jen Psaki confirmed Tuesday it will be “weeks, not months” before the Biden administration responds to the hack, though she did not confirm reports that sanctions are being prepared to hold Russia accountable for it and other malign cyber activities. 

“[W]e announced our ongoing review and the president spoke about it in his conversation with President Putin just a few weeks ago. We have asked the Intelligence Community to do further work to sharpen the attribution that the previous administration made about precisely how the hack occurred, what the extent of the damage is, and what the scope and scale of the intrusion is—and we're still in the process of working that through now,” she said. “It will be weeks, not months before we respond, but I'm not going to get ahead of the conclusion of that process.”

Psaki briefly reiterated the point at Wednesday’s daily press briefing, as well.

Sen. Ron Wyden, D-Ore., expressed concerns that reaction to the SolarWinds-involved event would lead to policies that sacrifice privacy. 

During the intelligence hearing, Sens. Martin Heinrich, D-N.M., Ben Sasse, R-Neb., and Richard Burr, R-N.C. all highlighted the hackers’ use of domestic infrastructure, which the National Security Agency cannot legally surveil. 

“Whether it's [the] Russian hack of [the Democratic National Committee] in 2016, the North Korean Sony hack or current supply-chain hacks, we constantly see foreign actors exploiting domestic infrastructure for the command and control to hide the nefarious traffic in legitimate traffic,” Burr said, specifically highlighting Amazon Web Services, in this case. 

AWS said the hackers did use their platform but that it was “not affected.”  

“Here's the problem,” Burr said. “Given the legal restrictions on the intelligence community, we don't have the ability to surveil the domestic infrastructure.” 

During the Senate Armed Services Committee hearing, Sen. Angus King, I-Maine, also raised concerns that the U.S. has gaps in authority when it comes to handling cyberattacks because the Central Intelligence Agency and the National Security Agency are focused on foreign intelligence gathering, leaving the FBI as the de facto body for internal cyber defense.  

The SolarWinds attack exploited the fact that the NSA’s authority is external, Smith told the committee. He emphasized that whatever body ultimately handles domestic cyber defense will need to be prepared to share its threat intel “rapidly, oftentimes immediately” with other parts of the government. 

“I think the first question for the Congress and the executive branch is what part of the government do we want to have assume responsibility for what I'll call the aggregation of threat intelligence domestically,” Smith said. “Is it CISA, is it the FBI, is it somebody else?”

The Department of Homeland Security is increasing the amount recipients of grants it issues through the Federal Emergency Management Agency will be required to spend on cybersecurity by 2.5%, which will be equal to $25 million across the country. 

“Cybersecurity is not only about protecting the federal government. This is certainly a top priority especially now in the wake of the ongoing cyber campaign,” DHS Secretary Alejandro Mayorkas said Thursday during the annual President’s Cup cybersecurity competition.  

The General Services Administration prepared a buyer’s guide of things to consider when shopping for vendors to address advanced persistent threat actors.

“The recent exploitation of SolarWinds products is the latest example of an APT in the Federal space, and led to the issuance of Emergency Directive 21-01 to mitigate the compromise,” reads a blog GSA published with the guide Tuesday. “The Buyer’s Guide provides key considerations organizations can take while evaluating potential APT products, solutions, and services.”

The House committees on Oversight and Reform and Homeland Security will hold a joint hearing Friday on the roles of private tech companies in the hacking campaign. Smith will testify along with FireEye CEO Kevin Mandia and the current and former CEOs of SolarWinds.

Mila Jasper and Brandi Vincent contributed to this report. 

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.