The powerful chairman of the Senate Intelligence Committee said today a bill that will likely include “mandatory reporting” on cyber incidents and public-private cyber threat intelligence sharing is in the works.
Sen. Mark Warner was clear in his speech to the US Chamber of Commerce that there’s a “recognition that our current system is not working.” For example, if the “bad guys” had wanted the SolarWinds campaign to be something other than cyberespionage, Warner said, then we could have seen a “crushing” result. The SolarWinds campaign was discovered and publicly disclosed by private security company FireEye in December, months after it was launched in March 2020.
SolarWinds was not a “one-off,” and the Microsoft Exchange server campaign is a “potentially huge incursion.” He added, “Good cyber hygiene alone will not stop Tier-1 adversaries.”
The senator’s remarks were carefully worded because the issue of public-private cyber information sharing — while widely viewed as necessary and even long overdue by many — is still politically and legally sensitive.
“My hope is we can create this structure… to get to an early warning system” on cyber incidents, Warner said. He said the legislation will create a model in which companies will more quickly report — perhaps “mid-incident” — cyber incursions. He told the audience that it’s his “evolving belief that 2015 legislation for voluntary sharing is no longer effective.”
The government wants more cyber intelligence from industry. After all, more than 80 percent of US critical infrastructure is owned and operated by the private sector. Many of these private networks are not visible to government entities charged with monitoring threat actors and enacting cyber defenses. Ideally, from the government’s perspective, industry would share this information voluntarily. But much of industry has been hesitant to share cyber incident information with the government for fear of legal liability, brand reputation damage, loss of customers, revenue loss, and a slew of other reasons.
On the one hand, while discussing the legislation in front of the heavily pro-business audience, Warner was careful to speak of “incentives” for companies to report, as well as the importance of privacy and even anonymity for the companies that would provide valuable cyber intelligence to the government. He also noted some existing legal safeguards for companies will remain in place. On the other hand, he was clear that the status quo is no longer working, in his view.
The senator’s remarks come on the heels of a winter and spring full of congressional hearings on the recent SolarWinds and Microsoft Exchange server cyberespionage hacks. A prominent, consistent theme throughout these hearings — from government officials and private executives alike — has been the need to strengthen public-private cyber threat intelligence and information sharing. The idea enjoys broad consensus, but the sticking point is always how to make it happen.
People familiar with the matter told Breaking Defense that CISA knows that 24 federal agencies use Pulse Connect Secure devices, but “it’s too early to determine conclusively how many have actually had the vulnerability exploited.” CISA’s emergency directive last week required all federal civilian agencies to identify and report by 5 p.m. last Friday potential vulnerabilities in Pulse Connect Secure products in use.
Three of the four vulnerabilities in Pulse Connect Secure have been known since at least last year, and patches for the known vulnerabilities are currently available. One vulnerability was discovered this month, and a patch is expected by early May.
CISA said in its activity alert and emergency directive last week that the agency was aware threat actors have been exploiting three of the four vulnerabilities since at least June 2020. The question then arises: If threat actors have been known to be exploiting these vulnerabilities for nearly a year, then why the emergency directive only last week?
Someone familiar with the matter noted, “Over the last year, CISA has issued several alerts urging agencies, governments, and organizations to assess and patch Pulse Connect Secure vulnerabilities. Since March 31, 2021, CISA has been assisting multiple entities whose vulnerable Pulse Connect Secure products have been exploited by a cyber threat actor.”
A person familiar with the matter explained, “We [CISA] do not issue emergency directives unless we have carefully and collaboratively assessed it to be necessary, and this emergency directive will remain in effect until all agencies operating Pulse Connect Secure servers have applied forthcoming patches that resolve all currently exploited vulnerabilities.”
So far, this person said, “The U.S. government has not made a determination on attribution.”
Warner said he was “glad” the US government publicly attributed the SolarWinds cyberespionage campaign to the Russian Foreign Intelligence Service (SVR). He added the US should continue to “put adversaries on notice” that “there will be consequences” for cyber activities against US entities.
Warner also said he hopes the US and allies can establish “cyber norms” and “cyber red lines,” hopefully even pulling China and Russia into agreements. Warner acknowledged there’s a difference between cyberespionage and, for instance, denial of service, and the senator suggested responses to different types of incidents should be proportional.