Jen Easterly, selected to head the Cybersecurity and Infrastructure Security Agency, and Chris Inglis, the former National Security Agency deputy director picked to fill the new national cyber director role, faced lawmakers concerned about the spike in ransomware attacks.
President Joe Biden's nominees for the country's top two cybersecurity positions received smooth hearings on Thursday from a Senate panel, but the hearing underscored the precarious situation the federal government faces in securing its networks and conducting oversight of critical industrial sectors.
Jen Easterly, tapped to lead the Cybersecurity and Infrastructure Security Agency, and Chris Inglis, the former National Security Agency deputy director and the choice to fill the new national cyber director role, faced the Senate as the White House confronts a series of devastating cyberattacks, ranging from the supply chain compromise that infected SolarWinds to the recent temporary shutdown of Colonial Pipeline following a ransomware attack.
Those attacks, and others, came up at Thursday's hearing, where Sen. Josh Hawley (R-Mo.) questioned both nominees about the prospect of imposing mandatory cybersecurity standards and breach notification requirements on critical infrastructure providers. Both Easterly and Inglis largely agreed the current system of "voluntary standards" was not working and signaled they would support changes.
"I don't have a sense across the board, but it seems to me that voluntary standards are probably not getting the job done," said Easterly. "There probably is some sort of role for making some of these standards mandatory, to include [breach] notification."
House and Senate lawmakers earlier this week repeatedly questioned Colonial Pipeline chief Joseph Blount about when his company notified certain government agencies in the hours following Darkside's ransomware attack. Lawmakers also pressed Blount to explain why his company "refused" voluntary cybersecurity assessments offered by the Transportation Safety Administration.
Blount defended his company's actions at both hearings, stating the only reason Colonial did not proactively contact CISA was that it understood the FBI already planned to do so. Regarding the TSA assessments, Blount took issue with the word "refused" and said the delays were a matter of timing and schedule, not of willingness. At one point, the energy executive indicated to lawmakers he planned to contact the head of TSA to inquire why his company was being perceived as insubordinate with the agency's requests.
Sen. Rick Scott (R-Fla.) asked the nominees their beliefs on paying ransoms. Inglis said he did not think it is appropriate for businesses to pay a ransom but acknowledged that companies are sometimes left with little choice in the matter.
We need to "hold accountable companies not so much for paying the ransom, but for being in a position where they had to pay the ransom in the first place, for the failure to prepare for that. That is where I think the point of accountability should be placed."
Colonial Pipeline ended up paying a $4.3 million ransom to Darkside, a payment Blount defended as the right choice and which the FBI later partially recovered. Multiple news organizations this week reported the U.S. arm of an international meat-packing company, which was also hit with a ransomware attack, paid an $11 million ransom.
On matters internal to the federal government, Sen. Rob Portman (R-Ohio), the panel's ranking member, expressed frustration to Easterly and Inglis about a lack of cooperation from CISA and the federal chief information security officer.
Portman described letters he and the panel's chairman, Sen. Gary Peters (D-Mich.), recently sent seeking information about Einstein, a premier CISA cybersecurity program, and the federal government's practices on cybersecurity more generally.
To date, Portman said, he has only received old or heavily redacted documents and a "list of public websites" in response to the letters.
CISA's responses to Peters' and Portman's letters are particularly pertinent as the two lawmakers oversee Einstein's scheduled re-authorization in 2022.