Two Democratic senators are calling on the departments of State and Veterans Affairs to brief lawmakers on how their agencies have been impacted by the SolarWinds breach.
The breach, in which suspected Russian government-backed hackers backdoored a network management product called SolarWinds Orion, could have infected thousands of federal government agencies and private sector entities with malware, according to SolarWinds. And although the State Department has reportedly been compromised during the course of the supply-chain espionage operation, the department has not been forthcoming about the extent of the damage, according to Sen. Bob Menendez, D-N.J.
“While several other cabinet agencies that are victims of this cybersecurity breach have publicly acknowledged having been attacked, to date the Department of State has been silent on whether its computer, communication and information technology systems were compromised,” Menendez wrote in a letter he sent Wednesday to Secretary of State Mike Pompeo.
The Department of Commerce was one of the first to confirm a breach. The Department of Energy has also said it found malicious software from the SolarWinds products in its networks. In addition to the State Department, the National Institutes of Health and the Departments of Defense, Homeland Security and Treasury have been compromised.
Sen. Richard Blumenthal, D-Conn., raised concerns Wednesday about the VA canceling a briefing on Capitol Hill this week on the matter without explanation, adding that he is concerned about the VA’s reliance on SolarWinds Orion products.
“I am disappointed that the VA has not been forthcoming about its exposure and investigation into the potential breach,” Blumenthal wrote in a letter addressed to VA Secretary Robert Wilkie.
“Alarmingly, the VA has been described as the ‘biggest spender on [SolarWinds Orion products] in recent years,’ raising deep concerns about the extent of its exposure and the impact on the sensitive data it holds on millions of veterans,” Blumenthal wrote.
A VA spokesperson said the department “is looking into this issue and currently there are no signs of exploitation,” but that “we have taken SolarWinds offline out of an abundance of caution.”
Said a State Department spokesperson: “We are working with the Cyber Unified Coordination Group (UCG) lead agencies and appropriate partners to determine the full scope and impact of these incidents and would refer additional questions to the UCG lead agencies.”
Transparency in the course of investigating a breach is perennially a touchy subject for those that are impacted by it or for those that could be. But in recent days the federal government and lawmakers have seen firsthand just how important it is for affected entities to quickly and publicly share information about cybersecurity incidents. FireEye, the security company that first publicly revealed it had been the victim of a hacking incident two weeks ago, uncovered the SolarWinds breach in the course of investigating, setting off shockwaves around the world.
The senators are just the latest lawmakers to raise alarm about the sweeping SolarWinds espionage operation. On Tuesday, Rep. Adam Schiff, the chairman of the U.S. House Intelligence Committee, requested a briefing from U.S. agencies about the breach. Sens. Sherrod Brown, D-Ohio, and Ron Wyden, D-Ore., have also requested more information about the breach at the Treasury Department, which has reportedly been compromised.
Others, like Wyden, have sharply criticized the federal government for allowing lax product security review processes to reign free for years, raising questions about where Congress may step in to establish stricter curbs on the country’s software supply chain.
Tim Starks contributed reporting.
Updated 12/23/20: with comment from the VA.
Updated 12/24/20: with comment from State.