The Department of Homeland Security is examining ways to improve its understanding of foreign cyber activity and attacks targeting U.S. agencies and companies, top department officials said, as the agency reels from two major cyber attacks that have left hundreds of American companies and federal agencies exposed to adversaries.
“We are interested in exploring additional mechanisms through which the government could have a more rapid understanding of malicious activity or actual intrusions affecting critical infrastructure,” a senior Homeland Security official told reporters on Tuesday.
The official spoke to reporters on the condition of anonymity to describe the department’s ongoing work. Homeland Security Secretary Alejandro Mayorkas is scheduled to speak Wednesday at the annual RSA security conference, where he’s expected to lay out the department’s cyber priorities.
The Cybersecurity and Infrastructure Security Agency, or CISA, which is part of DHS, is confronting the fallout from two major attacks.
The first is the Russian attack on SolarWinds, in which Moscow hacked the network software maker’s servers to inject malware that then spread to tens of thousands of the company’s clients, including at least nine U.S. federal agencies and 100 American companies. The second is China’s attack on the Microsoft Exchange server, which also has affected thousands of U.S. and global companies, allowing Beijing to access email and contact information of users.
In both cases, the attackers used cloud servers operated by Amazon and GoDaddy to stage the attacks, blind-siding U.S. intelligence agencies that are prohibited from conducting surveillance on domestic U.S. networks.
Top cyber officials, including Gen. Paul Nakasone, director of the National Security Agency and the U.S. Cyber Command, and Anne Neuberger, the White House’s top cybersecurity official, have said that U.S. agencies couldn’t stop the Russian and Chinese attacks because they were unaware of the attempts.
Testifying last week before the Senate Armed Services Committee, Nakasone highlighted the blind spot in his agency’s ability to detect attacks.
“Our adversaries understand that they can come into the United States and rapidly utilize an Internet service provider, come up and do their activities, and then take that down before a warrant can be issued, before we can actually have surveillance by a civilian authority here in the United States,” Nakasone said.
In an opinion column in the Washington Post on Sunday, former Defense Secretary Robert Gates wrote that in the Obama administration, Gates had proposed creating the position of a deputy director at the NSA who would be a DHS cybersecurity official. That official would have the legal authority to ask the NSA to conduct surveillance on domestic networks and defend against ongoing attacks, Gates wrote.
The new position would come with legal restrictions on how the new authority would be used and would be designed to safeguard Americans from unwanted, unauthorized surveillance, Gates said. The proposal was signed off on by then Homeland Security Secretary Janet Napolitano and received the blessing of the Justice Department, but Gates wrote that “the initiative came to naught, mainly because of bureaucratic foot-dragging and resistance.”
Asked whether such a proposal was being considered now, the DHS officials who briefed reporters declined to address it specifically. One official said the administration is conducting an “in-depth lessons-learned exercise” on both the Russian and Chinese attacks and would offer recommendations once it has completed the review.
CISA, which is allowed by law only to provide advisory services to federal, state and local government agencies and U.S. companies, is not in a position to demand any information from agencies and companies that are affected by a cyber attack, leaving that agency also in the dark about the extent of a major attack.
Lawmakers have called for expanding the powers and budget for CISA to make the agency in charge of all federal government networks that operate under the “dot gov” domain, similar to how the U.S. Cyber Command oversees cybersecurity for the U.S. military network.
Lawmakers also have expressed a renewed interest in passing a federal data breach notification law that would require companies and U.S. agencies to share with CISA if they have been attacked or data has been stolen. Currently, there’s no federal law but only a patchwork of state laws that govern such disclosure.