Experts: Bill under veto threat bolsters hacking defenses
WASHINGTON — The military spending bill that President Donald Trump is threatening to veto contains provisions that would help protect against the kind of broad Russian hacking discovered in recent days, according to experts and lawmakers.
The annual defense authorization bill, which Trump as recently as Thursday said he would veto, contains a range of recommendations from a congressionally established bipartisan commission.
The recent hack on numerous federal agencies by Russia’s elite spy service demonstrated the need for new defenses, key lawmakers said.
The military bill contains two dozen provisions to strengthen cyberdefenses. It gives the federal government the ability to actively hunt for foreign hackers trying to penetrate computer networks and establishes a national cyberdirector who would coordinate the government’s defenses and responses to such attacks.
“This is an incredibly important bill,” said Sen. Angus King, I-Maine, who was co-chairman of the bipartisan panel, the Cyberspace Solarium Commission. “This is the most important cyber legislation ever passed by the U.S. Congress.”
Had those provisions been in place this year, the Trump administration might have had a better shot at detecting and stopping the breach more quickly, lawmakers said.
But other commission recommendations that might have also helped discover the Russian hack far sooner, including giving the government the power to search for threats on some private networks, did not make it into this year’s bill.
Rep. Mike Gallagher, R-Wis., co-chairman of the commission, said it was critical to remember that a private company, FireEye, discovered the Russian hack that exploited vulnerabilities, including in software made by a Texas company called SolarWinds.
“This went undetected for months and months by U.S. government agencies,” Gallagher said. “I think it shows a weakness of the federal defense.”
Russians have been able to use vulnerabilities in a large number of federal computer networks and private sector companies to gain broad access. The hackers, working for Russia’s elite spy agency, have been inside federal agencies for months, at least since March.
On Thursday, the federal Cybersecurity and Infrastructure Security Agency warned that the hacking was “a grave risk to the federal government.” While the warning contained no details, it confirmed findings by private cybersecurity experts that the hackers had found multiple ways into the computer networks.
While the scope of the intrusion expands each day as investigators learn more, officials have revealed nothing about what information the Russian spies stole or what they were seeking.
The response from senior Trump administration officials has been muted, but after the announcement by the Cybersecurity and Infrastructure Security Agency, President-elect Joe Biden said his administration would impose substantial costs on those responsible for the hack of the government systems.
The commission announced its recommendations in March. Congress wrote 23 of them into the annual military bill that passed both houses with veto-proof margins this month. Gallagher said that none guaranteed the hack would have been stopped but that giving the Department of Homeland Security more power to hunt for threats across the federal government would have provided “a shot” at detecting the intrusion earlier.