In letters issued Wednesday, a bipartisan group of lawmakers from the U.S. House of Representatives’ Energy and Commerce Committee requested an update from heads of several federal agencies — including Energy Secretary Jennifer Granholm — on their response to last year’s SolarWinds cyberattack.
In addition to Granholm, the letters were addressed to Commerce Secretary Gina Raimondo; EPA Administrator Michael Regan; acting Health and Human Services Secretary Norris Cochran; and Evelyn Remaley, acting assistant secretary of commerce for communications and information at the National Telecommunications and Information Administration.
Reps. Frank Pallone (D-N.J.) and Cathy McMorris Rodgers (R-Wash.) — chair and ranking member of the committee, respectively — along with the chairs and ranking members of the Energy Subcommittee and the Oversight and Investigations Subcommittee Committee signed the letters. They asked for “written answers and any necessary documentation” by March 31 as to:
- whether the recipient’s department has been impacted by the SolarWinds compromise, in addition to the nature and extent of the compromise and impacts on programs;
- specific actions the agencies are taking to investigate and respond to the compromise, along with the schedule for mitigating associated risks;
- how the agencies assess vendors for cybersecurity risks and whether vendors are regularly audited;
- whether each agency is a “sector-specific agency,” as identified in Presidential Policy Directive 21, and whether it takes specific measures to “identify [and protect] its most critical informational and operational infrastructure”; and
- whether the agencies have a plan to reduce the risks of future supply chain attacks.
“The Cyber Unified Coordination Group (UCG) [comprising the FBI, the National Security Agency, the Office of the Director of National Intelligence and the Cybersecurity and Infrastructure Security Agency (CISA)] believes the SolarWinds attack ‘was, and continues to be, a counterintelligence gathering effort.’ Therefore, it is critical that your department take steps to address this ongoing threat,” the letters say. “While your department has provided committee staff initial reports, we now request more details about your understanding of this intrusion and actions your department has taken in response.”
Thousands Affected in Breach
The impact of SolarWinds is still being assessed more than three months after the hack was first reported by U.S. cybersecurity firm FireEye in December 2020. More than 18,000 public- and private-sector organizations, including the Department of Energy and FERC, are already known to have been targeted in the breach of SolarWinds’ Orion network management platform. (See FERC Pushes Cybersecurity Incentives.)
Researchers believe the hackers — which the UCG has reported are “likely Russian in origin” — inserted a backdoor into updates for the platform as early as March 2020, if not before, granting them access to victims’ information technology networks for nearly nine months before discovery. In an emergency directive CISA warned that the adversary is likely “in a strong position to identify any potential (and as yet unknown) vulnerabilities” in the Orion code that could be exploited in the future.
While security agencies believe the breach was primarily aimed at finding sensitive information rather than damaging systems, it is still considered an urgent threat to U.S. cybersecurity that could take radical means to address. Last month Joseph McClelland, director of FERC’s Office of Energy Infrastructure Security, warned that large-scale replacement of affected computer systems “may be the only option” to ensure there are “no footholds left for an adversary to drill into.” (See SolarWinds Recovery May Require Extreme Actions.)
