New bill asks CISA to report on impact of SolarWinds cyber incident

A new bill has been introduced in the U.S. House of Representatives that would require the Cybersecurity and Infrastructure Security Agency (CISA) to submit a report on the impact of the SolarWinds cyber incident on information systems owned and operated by federal departments and agencies and on other critical infrastructure, and for other purposes. Apart from analyzing the cyber resilience of these installations, the bill seeks answers from CISA on which systems were accessed and compromised by the attackers, what information was exploited, exfiltrated or altered, and whether ongoing repercussions pose threats to national security.

The bill, titled ‘Building Cyber Resilience After SolarWinds Act of 2022’, has been introduced by Rep. Ritchie Torres, a Democrat from New York and vice chairman of the House Homeland Security Committee. The bill has since been referred to the Committee on Oversight and Reform, in addition to the Committee on Homeland Security, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.

The discovery of the SolarWinds attack began on Dec. 8, 2020, when cybersecurity firm FireEye said that it had fallen victim to a nation-state attack. The FireEye security team reported that its red team toolkit, containing tools used by ethical hackers in penetration tests, had been stolen.

The SolarWinds attack turned out to be one of the largest supply chain attacks on record: the attackers simply inserted malicious code into a new batch of software that SolarWinds distributed to its customers as an update or patch. Within a few days of each other, several organizations reported breaches of their networks tied to the SolarWinds cyber incident, which had an immediate and potentially ongoing impact on approximately 18,000 customers spread across multiple sectors.

According to the provisions of the bill, the CISA director shall, in consultation with the National Cyber Director and the heads of other relevant federal departments and agencies, carry out an investigation to evaluate the impact of the SolarWinds cyber incident on information systems owned and operated by federal departments and agencies and, to the extent practicable, on other critical infrastructure.

Furthermore, the director shall review the extent to which federal information systems were accessed, compromised, or otherwise impacted by the SolarWinds incident, and any potential ongoing security concerns or consequences arising from such incident. Additionally, the director will evaluate the extent to which information systems that support other critical infrastructure were accessed, compromised, or otherwise impacted by the SolarWinds incident, where such information is available to the director.

The bill also calls upon the CISA director to assess any ongoing security concerns or consequences arising from the SolarWinds incident, including any sensitive information that may have been accessed or exploited in a way that threatens national security. Furthermore, the director shall review the implementation of U.S. President Joe Biden’s Executive Order 14028, issued in May last year, and the efforts taken by the director, the heads of federal departments and agencies, and critical infrastructure owners and operators to address cybersecurity vulnerabilities and mitigate risks associated with the SolarWinds cyber incident.

The Building Cyber Resilience After SolarWinds bill states that, not later than 120 days after the date of the enactment of the Act, the CISA director shall submit to the Committee on Homeland Security in the House of Representatives and the Committee on Homeland Security and Government Affairs in the Senate a report containing the findings, along with recommendations to address security gaps, improve incident response efforts, and prevent similar cyber incidents.

Additionally, it shall include any areas where the CISA director lacked the information necessary to fully review and assess such elements, the reason the information necessary was unavailable, and recommendations to close such informational gaps.

The bill also states that within a year after the date of the enactment of the Building Cyber Resilience After SolarWinds bill, the Comptroller General of the United States shall evaluate the activities of the Cyber Safety Review Board established pursuant to Executive Order 14028. The assessment shall focus on the Board’s inaugural review, announced in February this year, and assess whether the Board has the authorities, resources, and expertise necessary to carry out its mission of reviewing and assessing significant cyber incidents.

Last October, the House approved legislation called the DHS Software Supply Chain Risk Management Act, introduced by Rep. Torres, to strengthen software and information technology supply chains at the DHS. The legislation also helps protect against attacks similar to the SolarWinds cyber incident.

In a January report, the U.S. Government Accountability Office (GAO) scrutinized the federal responses to the attack involving SolarWinds network management software and to the exploitation, by likely Chinese government affiliates, of a vulnerability in Microsoft Exchange Server.
