House bill tasks CISA with SolarWinds report

Rep. Ritchie Torres (D-N.Y.) at a Sept. 2021 House hearing.

Rep. Ritchie Torres (D-N.Y.) at a Sept. 2021 House hearing. Al Drago/Getty Images

A key lawmaker on the House Homeland Security Committee wants more details on what was breached and what was lost when the SolarWinds Orion platform was compromised in a supply chain attack.

One lawmaker is looking for a full accounting of the damage done to federal networks as a result of the supply chain hack perpetrated via the SolarWinds Orion platform in 2020.

Rep. Ritchie Torres (D-N.Y.), the vice chairman of the House Homeland Security Committee, introduced a bill this week that would task the Cybersecurity and Infrastructure Security Agency with a report, in consultation with the Office of the National Cyber Director, detailing the impact of the SolarWinds hack on federal information systems, federal agencies and other critical infrastructure.

Among other things, Torres wants CISA to report on which systems were accessed and compromised by hackers, what information was exploited, exfiltrated or altered, and whether ongoing repercussions pose threats to national security.

The highly sophisticated hack was initially discovered in December 2020 by cybersecurity firm FireEye. A state-sponsored actor, “likely Russian in origin,” according to a joint intelligence bulletin from January 2021, was able to install malware into as many as 18,000 customer systems of the SolarWinds Orion platform, which typically has high privilege levels to support routine information technology updates. (SolarWinds estimates that 100 customers were actually breached by malware installed via the compromised updates.) 

The Departments of Justice, Treasury, Commerce and Energy and the National Institutes of Health were acknowledged targets of the exploit – but government agencies have not acknowledged the level of damage done to their networks, the extent of the penetration and what secrets were stolen.

The bill calls for a report from CISA to the House Homeland Security Committee and its Senate counterpart on the damage incurred in the breach within 120 days of its enactment into law. Torres also wants CISA to include updates on efforts to implement the Biden administration’s cybersecurity executive order, recommendations on addressing existing security gaps that permitted the SolarWinds breach to take place, information on potential blind spots and information gaps facing CISA’s investigators as well as the reasons for those gaps and recommendations on ways in which such gaps could be eliminated.

Torres offered a version of the bill as an amendment to the fiscal year 2023 National Defense Authorization Act. 

Additionally, the chair and ranking member of the House Homeland Security Committee offered a much broader cybersecurity amendment to the 2023 NDAA this week. That measure includes a rewrite of Department of Homeland Security acquisition authorities to focus on cybersecurity, software and supply chain risks. That bipartisan amendment also calls for a new senior position of assistant secretary for trade and economic security. That official would chair a new body called the DHS Trade and Economic Security Council.