Senators Demand More Coordination in SolarWinds Investigation
Warner and Rubio Call for Designation of Leader of Four-Agency Effort
See update on the Biden administration's appointment of a leader for SolarWinds supply chain attack investigation.
Citing a lack of coordination and transparency, U.S. Sens. Mark Warner and Marco Rubio of the Intelligence Committee are urging the four federal agencies investigating the cyberattack that targeted SolarWinds and other organizations to designate a leader for their investigative efforts.
"The threat our country still faces from this incident needs clear leadership to develop and guide a unified strategy for recovery, in particular a leader who has the authority to coordinate the response, set priorities and direct resources to where they are needed," the two senators say.
Warner, a Democrat who chairs the committee, and Rubio, the Republican vice chairman, wrote a letter Tuesday to the four agencies that comprise the Cyber Unified Coordination Group, which was launched to investigate the attack that targeted SolarWinds, other tech firms and several federal agencies.
In the letter, the two senators say there's been a lack of coordination among the FBI, the Office of Director of National Intelligence, the U.S. National Security Agency and the Cybersecurity and Infrastructure Security Agency.
Several cybersecurity experts who are following the investigation say that having a point person for the SolarWinds investigation might help clarify exactly what happened in the attack.
"The timing [of the letter] is a bit curious, but my sense - from the outside looking in - is that the investigation is now at a stage in which enough is known with a high enough degree of confidence that coordination, rather than discovery, is now the main priority," says Scott Shackelford, chair of Indiana University's cybersecurity program.
Earlier, Alejandro Mayorkas, the newly confirmed secretary of the Department of Homeland Security, said that one of his initial priorities would include reviewing all available intelligence on the SolarWinds supply chain hack and scrutinizing the government's cybersecurity programs (see: New DHS Secretary Pledges to Investigate SolarWinds Hack).
'Disjointed and Disorganized'
Rubio and Warner write that without a single leader coordinating the investigation, briefings about the investigation are causing concern and confusion among lawmakers.
"The briefings we have received convey a disjointed and disorganized response to confronting the breach," the senators write. "Taking a federated rather than a unified approach means that critical tasks that are outside the central roles of your respective agencies are likely to fall through the cracks."
While the investigation into the attack is still in its early stages, the Cyber Unified Coordination Group has stated that the cyberattack was likely a cyberespionage operation conducted by a hacking group with ties to Russia. Investigators are exploring whether the attackers used other attack vectors besides SolarWinds to target businesses and federal agencies, including the Treasury, Homeland Security, Energy and Commerce departments (see: SolarWinds Hackers Cast a Wide Net).
Spokesmen for the FBI and ODNI acknowledged they have received the senators' letter, but they declined to comment.
A CISA spokesman says that the agency does not comment on congressional correspondence, and a representative of the NSA could not be reached for comment.
A Step in Right Direction
The complexity of the SolarWinds supply chain attack investigation requires multiple agencies to be involved, Shackelford says. But he agrees that having a point person to release findings would be a step in the right direction.
"Given what we know about attributing this incident, I can't think of any single agency - even the FBI - that would have all the resources and reach necessary to address the myriad aspects and implications in play here," he says.
Shackelford also suggests that the federal government should create a National Cybersecurity Safety Board - akin to the National Transportation Safety Board - to investigate and address these types of cyber incidents.
Chris Pierson, CEO and founder of security firm BlackCloak, says any investigation involving multiple agencies needs a point person to coordinate findings and provide briefings on what has been discovered.
"Some agencies are going to be more focused on identification and remediation, others on criminal investigations, and yet others on what is the impact to our nation's security and how can we counter the threat offensively," Pierson says. "As this is perhaps the largest cybersecurity incident to affect our nation and government agencies, the situation calls for a lead to coordinate the flow of information to interested parties and de-confliction of teams who are overlapping each other."
Frank Downs, a former NSA offensive threat analyst who is now director of proactive services at the security firm BlueVoyant, says that having a single point person would help lawmakers and others better understand all aspects of the attack. That person could ensure that lawmakers "are aware of the important factors regarding the hack, rather than getting caught up in the minutia," Downs says.
"Additionally, having a single reportable person will work for the agencies involved," he says. "Instead of battling over representation to Congress, this individual will most likely have a team that each agency can inform, allowing their voices to be heard and their data to be aggregated before presentation to the Senate."
Microsoft's security team recently said that the Office 365 suite of products did not serve as an initial entry point for the hackers who targeted SolarWinds.
SolarWinds CEO Sudhakar Ramakrishna also noted that the investigation could not point to a specific vulnerability in Office 365 as part of the attack, but he said that the hackers may have compromised an email account that allowed them to gain initial access into the network before planting a backdoor into a software update for the company's Orion network monitoring platform.
Meanwhile, acting CISA Director Brandon Wales told The Wall Street Journal that the SolarWinds attackers likely gained access to targets using a multitude of methods, including password spraying and exploiting vulnerabilities in cloud software.