Senators Cite Colonial Pipeline Hack in Calling for Cyber Response and Recovery Fund

Sen. Rob Portman R-Ohio, speaks during a Senate Homeland and Governmental Affairs Committee hearing to examine improving Federal cybersecurity, Tuesday, May 11, 2021 on Capitol Hill in Washington.

Sen. Rob Portman R-Ohio, speaks during a Senate Homeland and Governmental Affairs Committee hearing to examine improving Federal cybersecurity, Tuesday, May 11, 2021 on Capitol Hill in Washington. (Tasos Katopodis/Pool via AP)

A hearing on federal agencies’ response to the SolarWinds hack drew attention to communication issues, both with the private sector and within the government.

The cyberattack that has shut down a major supply line for energy to much of the East Coast is the kind of event that would have triggered a release of funding outlined in legislation to help the government respond to such incidents, key senators said in a hearing Wednesday.

“I know we're here today to focus on federal cybersecurity. But I think it's important to discuss the attack that we have just recently seen on Colonial Pipeline, one of the largest attacks on critical infrastructure in our history,” Sen. Gary Peters, D-Mich., said. “Last month, Ranking Member, [Rob] Portman [R-Ohio] and I introduced the Cyber Response and Recovery Act which would give the Secretary of Homeland Security the authority to declare a significant incident and use [the] Cyber Response and Recovery Fund after events like this.”

Peters, chairman of the Senate Homeland Security and Government Affairs Committee, was leading a hearing on the federal government’s efforts to improve its cybersecurity following the SolarWinds hack, which was part of a campaign that compromised scores of organizations, including nine federal agencies.

The chair and ranking member touted their legislation while drawing attention to what they said were lapses in both public and private entities’ communications with the government.

The Cyber Response and Recovery Fund that the legislation creates would keep $20 million available for DHS’ Cybersecurity and Infrastructure Security Agency to reimburse other departments they need to call in to help respond to cyberattacks and to get information out to related entities to mitigate the impact of such events.

But in Colonial's case, Brandon Wales, CISA’s acting director, told Portman that the company did not contact CISA after they were targeted by ransomware criminals. CISA was engaged only after the FBI brought them in and still does not possess the technical details that would help them to advise other critical infrastructure entities, Wales said.

Wales said this is understandable since it’s still early in the response, and that CISA has a good relationship with Colonial, but Portman did not accept that argument.  

“It seems to me we also have to worry about these attacks—whether they're direct cyberattacks on the federal government or whether they’re attacks on the private sector, whether they are ransomware attacks—being communicated to CISA, in that, you know, you've got the expertise, we’ve passed a lot of funding already and a lot of bipartisan legislation to help you all have the tools that you need,” Portman said. “Seems to me we got to be sure that communication flow is happening.”

Portman also took issue with the different ways in which the departments of Commerce and Health and Human Services responded to the SolarWinds hack. While Commerce declared it a major cyber incident and reported it to CISA and to Congress, HHS did not classify it that way. 

“I must say I'm concerned that HHS didn't report,” Portman said. “I mean under [the Federal Information Security Modernization Act] it's pretty clear, when you look at the definition that a report would have been required: any incident likely to result in multiple harm to national security interests, foreign relations or economy, or a breach involving personal identifiable information. So maybe we need to tighten up that FISMA requirement.”

Janet Vogel, the chief information security officer for HHS, testified at the hearing along with Commerce CISO Ryan Higgins.

“We felt that we had not lost any data. We had also firewalled everything appropriately, that there wouldn't be follow-up activity,” Vogel testified. “We determined right away we did not believe this was a major incident. Certainly very sophisticated, and complicated event, but we confirmed with CISA, and also our [Office of Management and Budget] desk officer, our determination that we would not declare a major incident at that time.”