Legislation seeking to amend the annual National Defense Authorization Act wants the Government Accountability Office to investigate.
A new public-private body within the Department of Homeland Security has said all it plans to say on the incident referred to as “SolarWinds,” under an executive order mandate. That order came in response to the intrusion event’s compromise of several federal agencies and high-profile tech companies.
“We have fully complied with the executive order,” said Rob Silvers, undersecretary for policy at DHS. “The White House and the Department of Homeland Security together determined that when the board was launched, that at that point in time, the best use of the board's expertise and resources was to examine the recent events involved in the Log4j vulnerability.”
In line with Executive Order 14028, Silvers is chair of a new Cyber Safety Review Board. He spoke to reporters Wednesday alongside DHS Secretary Alejandro Mayorkas and Heather Adkins, Google vice president for security engineering and deputy chair of the CSRB. DHS arranged the media call in advance of the board releasing its first report Thursday.
The executive order—issued in May, 2021, five months after the SolarWinds event was revealed—gave specific instructions for the board’s formation, including that initial efforts focus on dissecting that incident, which also leveraged Microsoft’s Active Directory Federation Services to move laterally within victim networks with hijacked credentials.
The order did not set a timeline for DHS establishing the board but said, once launched, it should submit recommendations gleaned from its review of the incident to the DHS secretary within 90 days.
DHS announced formation of the board in February, but said it would instead prioritize studying vulnerabilities and remediation efforts related to the open source software library called Log4j.
Pressed on the issue, Adkins told reporters, “We found many parallels between the Log4j event and the SolarWinds incident, when it comes to our recommendations and how software is securely developed and released to the community, as well as how the community itself responds and comes together to join in the public-private partnership.”
The main recommendation of the report is that organizations continue to exercise vigilance regarding Log4j for years to come. It also suggested the DHS secretary “explore the feasibility of establishing a Software Security Risk Assessment Center of Excellence.” With the exception of references in its footnotes, the report does not mention the SolarWinds incident at all.
After DHS announced in February that the focus of the report would change, House Homeland Security Committee Chair Bennie Thompson, D-Miss., said he was, “pleased to see the Biden administration taking this proactive step.”
But Rep. Ritchie Torres, D-N.Y., who is vice chair of the committee, isn’t ready to let the issue go. In legislation offered as an amendment to the annual National Defense Authorization Act, he calls on the CISA director and the office of the national cyber director to conduct the SolarWinds autopsy and report to Congress. He also calls on the Government Accountability Office to investigate the board’s actions.
“The Comptroller General of the United States shall evaluate the activities of the Cyber Safety Review Board established pursuant to Executive 14 Order 14028, with a focus on the Board’s inaugural review announced in February 2022,” the amendment reads, noting GAO should “assess whether the Board has the authorities, resources and expertise necessary to carry out its mission of reviewing and assessing significant cyber incidents.”