Lawmakers press federal agencies on scope of SolarWinds attack

The bipartisan leaders of a House panel on Wednesday drilled multiple agencies for updates on the SolarWinds hack, a mass cyber campaign that compromised at least nine federal agencies and 100 private sector groups.

Members of the Energy and Commerce Committee sent letters demanding answers to the leaders of the departments of Commerce, Energy and Health and Human Services, as well as the Environmental Protection Agency and the National Telecommunications and Information Administration.

The lawmakers, led by Chairman Frank Pallone (D-N.J.) and ranking member Cathy McMorris Rodgers (R-Wash.), drilled the agencies — several of which were reportedly compromised by the breach — on the impact of the hack, how they are responding to it and how they hope to prevent similar cyberattacks in the future.

“Over the past several years, the Committee on Energy and Commerce has done extensive work on cyber threats, including hearings and investigations examining the information security programs and controls over key computer systems and networks at multiple agencies under the Committee’s jurisdiction,” the lawmakers wrote. 

“Because the SolarWinds attack has potentially affected a wide array of federal agencies and programs, the Committee is seeking to gain a fuller understanding of the scope of the attack and actions being taken to mitigate its effects,” they added. 

The letters were sent as the federal government continues to investigate and respond to the SolarWinds hack.

U.S. intelligence officials have stated that sophisticated Russian hackers were “likely” behind the attack, which took place over the course of a year but was only discovered in December. The breach involved attackers exploiting software from IT group SolarWinds, among other avenues, to gain access to customers. 

Other lawmakers who signed on to the letters included the chairman and ranking member of every House Energy and Commerce subcommittee, including Reps. Bobby Rush (D-Ill.), Fred Upton (R-Mich.), Anna Eshoo (D-Calif.), Brett Guthrie (R-Ky.), Diana DeGette (D-Colo.), Morgan Griffith (R-Va.), Mike Doyle (D-Pa.), Bob Latta (R-Ohio), Jan Schakowsky (D-Ill.), Gus Bilirakis (R-Fla.), Paul Tonko (D-N.Y.) and David McKinley (R-W.Va.).

Federal agencies are still responding to the breach. The Trump administration stood up a unified coordination group in January consisting of multiple intelligence agencies as part of its response, and President Biden asked the Intelligence Community to undertake a review of the scope of the hack when he took office in January.

A senior administration official told reporters last week that agencies are in the midst of finalizing a four-week security review to ensure hackers are out of their systems. The official noted that the U.S. will roll out new technologies to address “gaps” in federal IT, and that a response from the administration to Russia would come in “weeks, not months.”

The House Energy and Commerce panel is not alone on Capitol Hill in responding to the breach. In the House, the Homeland Security and Oversight and Reform committees launched a joint investigation in December, and both panels, with the Senate Intelligence Committee, have hosted hearings on the breach in recent months. 

The Senate Homeland Security and Governmental Affairs Committee will hold a hearing Thursday to examine the federal response to the breach, which will feature testimony from Acting Cybersecurity and Infrastructure Security Agency (CISA) Director Brandon Wales, among others.