[Congressional Record Volume 166, Number 215 (Friday, December 18, 2020)]
[Senate]
[Pages S7700-S7701]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]



                             Cyber Security

  Madam President, 2020 has been a tough year, let's face it. And, 
unfortunately, it looks like the challenges haven't ended. I came to 
the floor tonight, primarily, to talk about some shocking and 
disturbing news we just heard over the last few days, and that is that 
there has been a massive, highly sophisticated, and ongoing cyber 
attack that has compromised the networks of multiple Federal agencies 
and the private sector.
  According to reports, for months now--months--hackers--our 
intelligence experts think they are most likely connected with the 
Russian Government in some way. That is what they tell us. But these 
hackers have engaged in an espionage effort to access information in 
some of our biggest Federal agencies that hold some of our most 
sensitive data and our most sensitive and important national security 
secrets.
  Also, again, many U.S. private companies were hacked, as well. These 
hackers are smart. They targeted some of these agencies that do handle 
things like national security--the State Department, for instance, the 
Department of Homeland Security, the Department of Energy and its 
Nuclear Security Administration.
  This is scary stuff. Others, like the National Institutes of Health, 
were hacked. Of course, they are closely involved with our work to 
respond to the COVID-19 pandemic, so also a lot of important, sensitive 
information could have been hacked. They are a treasure trove of 
information. These are agencies that protect our homeland, promote our 
freedom abroad, and are on the frontlines battling this pandemic.
  But what we know today may be just the tip of the iceberg, we are 
told. Experts expect the number of agencies as well as a number of 
private companies victimized by this attack will only continue to grow.
  The main IT monitoring platform believed to have been hacked was used 
across the government and by 33,000 private companies. Shockingly, we 
also know that FireEye, the preeminent cyber incident response firm, 
was also breached. So think about this. FireEye, which is a company 
that people call when they are hacked, was hacked.
  We are still learning the details about this attack, but what we know 
is chilling. Federal investigators from the Cybersecurity and 
Infrastructure Security Agency, CISA, under the Department of Homeland 
Security, the FBI, and also the Office of National Intelligence, the 
ODNI, are all working to determine how this happened, what the extent 
of it is.
  But it looks like the main vulnerability was through a SolarWinds' 
platform, which is an IT monitoring platform widely, again, widely used 
by the government and the private sector to oversee the operation of 
other computer networks.
  The hackers disguised their entry into these Federal agencies and 
company systems in a troubling and clever way. They exploited a 
vulnerability in a security patch sent out by SolarWinds to update its 
software. I want to emphasize that--the security patches that we all 
advocate to be installed as soon as possible to protect

[[Page S7701]]

our networks as basic good cyber hygiene was actually a security 
breach.
  This technique and the breadth of this hack are both unprecedented, 
and it shows that the Federal Government is still far from where we 
need to be to handle the cyber security challenges of the 21st century.
  As the Permanent Subcommittee on Investigations said in its 
investigation and report, these alarms that we have been raising over 
time are ones that we should have paid attention to. In 2019, last 
summer, Senator Carper and I issued a shocking report that detailed the 
unacceptable cyber security vulnerabilities in the Federal Government--
vulnerabilities that may very well have played a role in the extent of 
this breach.
  Our report looked back at how well Federal agencies complied with 
basic cyber security standards over the past decade. Every agency we 
reviewed failed. And we know that four of those agencies--the 
Department of Homeland Security, the State Department, the Department 
of Agriculture, the Department of Health and Human Services--are among 
those that have been breached in this current cyber attack.

  That report from the Permanent Subcommittee on Investigations made 
clear that Federal agencies were a target for cyber criminals and other 
nation-state adversaries. In 2017 alone, Federal agencies reported 
35,277 cyber incidents. It is the most recent data we have--in 1 year. 
The number of cyber incidents in 2019 was a little bit less, 28,581. 
But 2020 will bring what is likely the biggest, most comprehensive 
breach across the Federal Government in our history.
  We also found we are not equipped to handle this threat. Many of the 
agencies we reviewed didn't even know what applications and platforms 
were operating on its systems. That begs the question: How can you 
protect something if you don't even know what you need to protect?
  If Federal agencies fail at meeting basic cyber standards, there is 
no way they are equipped to thwart the kind of sophisticated attack 
that apparently happened over the past several months. Here, the 
attackers were meticulous and had a detailed understanding of how to 
evade intrusion detection practices and technologies. And because the 
Federal agencies involved were unprepared, the attackers had ample time 
to cover their tracks, which means evaluating the extent of the damage 
and kicking them off our networks is going to be incredibly difficult 
and time-consuming.
  Given how widespread this attack is and how much wider it is expected 
to become, it certainly seems like the Federal Government's current 
cyber resources are going to be spread incredibly thin.
  Congress and the executive branch have failed to prioritize cyber 
security, and now we find ourselves vulnerable and exposed. We have to 
do better than this. This breach has to be a wake-up call for all of 
us.
  Over the years, I have worked across the aisle with Senator Peters, 
Senator Cornyn, Senator Hassan, and others on legislation to beef up 
our Federal Government cyber capacities, including the Risk-Informed 
Spending for Cybersecurity Act, the Federal System Incident Response 
Act, and the DHS Cyber Hunt and Incident Response Team Act, and others. 
We are proud of this legislation.
  Let's be honest. It wasn't enough. We need to do more. We need to not 
only defend our networks but go on the offense to defer a nation-state, 
like Russia, and nonstate actors from even considering a future attack 
like this. That means there needs to be consequences for cyber attacks 
significant enough to prevent them from happening again and a 
willingness to act preemptively when warranted.
  Congress has to take a hard look at the cyber security capabilities 
of our Federal agencies. In the next Congress, I will be the top 
Republican on the Senate Homeland Security and Governmental Affairs 
Committee, which means I will either serve as its chairman or ranking 
member, depending on the outcome of a couple of races in Georgia. 
Senator Peters will be the chair if the Democrats take the majority. I 
will tell you here tonight, whether I am chairman in January or him, we 
intend to hold indepth hearings on cyber security. With what has 
happened, we will also, of course, focus on the origin, scope, and 
severity of this breach.
  Actually, 3 weeks ago, even before this attack was revealed, we met 
and decided to hold these cyber security hearings, and we are already 
working on comprehensive legislation to improve our cyber defenses in 
the Federal Government going forward.
  We must now move with a renewed sense of purpose and urgency to learn 
from this massive attack. We have to remove these hackers from these 
systems and put in place protections to prevent it from happening 
again.
  As this cyber attack has made clear, we have to redouble our efforts 
to shore up our defenses. We are two decades into the 21st century, but 
most of the Federal Government legacy computer systems are from the 
20th century. Federal agencies are simply behind the times when it 
comes to defending themselves against these threats posed in cyber 
space. The government is trying to respond to sophisticated, 21st 
century attacks with 20th century defenses. This attack has shown us 
the consequences of that and should be the catalyst for real bipartisan 
action here in the next Congress to better defend networks that contain 
sensitive, personal information, and other information critical to our 
economy, our healthcare, and the safety and security of all Americans.
  I yield the floor.
  The PRESIDING OFFICER (Mr. Tillis). The Senator from Ohio.
  Mr. PORTMAN. Mr. President, I suggest the absence of a quorum.
  The PRESIDING OFFICER. The clerk will call the roll.
  The senior assistant legislative clerk proceeded to call the roll.
  Mr. BENNET. Mr. President, I ask unanimous consent that the order for 
the quorum call be rescinded.
  The PRESIDING OFFICER. Without objection, it is so ordered.