Congress zooms in on cybersecurity after banner year of attacks

The past 12 months stand as a banner year in the severity of cyberattacks that wreaked havoc on organizations large and small. 

But in the wake of the chaos, a silver lining has emerged around a never before seen level of bipartisan support and genuine interest on Capitol Hill for strengthening the nation’s cybersecurity. 

“Everybody’s consciousness had been raised with respect to threats in cybersecurity, everything from the ransomware attacks, to other different types of cyber intrusions which have taken place,” Rep. Jim Langevin (D-R.I.), chair of the House Armed Services’s cybersecurity subcommittee, told The Hill earlier this month. “We have more awareness now, more members are paying attention to it than ever before.

The changes come after one of the most bruising years in history for cyberspace, with a barrage of high-profile and highly damaging attacks occurring in quick succession.

These included ransomware attacks on Colonial Pipeline, meat producer JBS USA, IT company Kaseya, and scores of schools and hospitals throughout the year that were already under pressure from changes due to the COVID-19 pandemic. 

Incidents also included nation state-backed efforts, such as the SolarWinds hack, which allowed Russian hackers to compromise at least nine federal agencies, and Microsoft Exchange Server vulnerabilities, which were exploited by Chinese hackers and potentially impacted thousands of groups. 

“It seems like a week doesn’t go by that there is not some major new cyber issue that has emerged, so yes, more attention is being paid to it, and more willingness to do something about it,” Langevin said. 

The increasing number of attacks has drawn congressional attention and increased interest on a scale not seen prior to 2021. 

“I am sensing among my colleagues an eagerness to get involved in this issue, and an eagerness to define or introduce legislation that may not be the big ticket item, but can be a point on the board,” Rep. Mike Gallagher (R-Wis.), co-chair of the Cyberspace Solarium Commission, told reporters Wednesday. 

The attack on Colonial Pipeline in May, which crippled fuel supplies in several states for a week before the company chose to pay the hackers the equivalent of around $4.4 million in Bitcoin to regain access to systems, was a key wakeup call. 

While cyberattacks prior to that had been often more damaging, the Colonial Pipeline incident was the first time many Americans fully comprehended the damage that taking down a critical system could do, garnering attention and concern at all levels of government. 

Efforts to address the hack included House and Senate hearings, at which the company’s CEO was grilled by members on both sides of the aisle on the incident, and the House Oversight and Reform Committee eventually concluded that “small lapses” in security led to the breach of Colonial and other incidents. 

“Colonial Pipeline was a real game-changer, eye-opener for many members that maybe were not focused on cyber before,” Langevin said. 

The attack spurred on efforts to set mandatory cyber incident reporting standards, particularly following the SolarWinds breach, which was first discovered due to cybersecurity company FireEye publicly disclosing they had been compromised despite no requirement to do so. 

The effort to pass legislation to give critical infrastructure owners and operators a set amount of time to report a major incident to the federal government and to report if they chose to pay hackers following a ransomware attack built momentum on Capitol Hill throughout the year. 

The bipartisan leaders of the House and Senate Homeland Security committee and the Senate Intelligence Committee came to an agreement over language that was set to be passed as part of the annual National Defense Authorization Act. Concerns from Sen. Rick Scott (R-Fla.) over the scope of the provision led to changes to the language, and while the changes satisfied Scott, the updated bill did not make it into the final version of the NDAA signed into law by President Biden. 

Because of the bipartisan consensus around the need to take further steps to defend the nation against cyber threats, the action is likely to be a speed bump instead of a roadblock. 

“My sense is we were very close on this, and it is clearly one of the major pieces of unfinished business that we should be able to work through early in the new year, that is my intention,” Sen. Angus King (I-Maine), the other co-chair of the Cyberspace Solarium Commission, told reporters Wednesday. 

Congress has not been alone in focusing more attention on cybersecurity during a tumultuous year. 

The Biden administration has made the issue a key priority, including through the nomination and eventual Senate confirmation of both former National Security Agency Deputy Director Chris Inglis to serve as national cyber director and Jen Easterly to lead the Cybersecurity and Infrastructure Security Agency (CISA). Under the leadership of these officials, alongside Anne Neuberger, the deputy national security advisor for Cyber and Emerging Technology, the administration has enhanced the ability to respond to cyber-related crises. 

“Building up the trust between industry and the government has never in my opinion been higher,” Bill Wright, senior director of Government Affairs at software company Splunk, told The Hill earlier this month. “I think this is a huge positive and the current administration deserves a lot of credit for this in this whole-of-nation approach that they are taking to cyber.”

The coordination between the federal government and the private sector has been on full display in recent weeks as security professionals have raced to patch against a widespread vulnerability in Apache logging library log4j, which is baked into systems used by the majority of global organizations. In addition, experts are closely watching potential Russian cyberattacks against Ukraine as Russian troops mass on the Ukrainian border. 

“I just think world events are going to demand that members of Congress pay more attention to these issues,” Gallagher told reporters. 

With cyber threats at home and abroad continuing to cause concern, both Congress and the Biden administration are facing another year during which cyber threats are unlikely to let up, but will face the next 12 months with far more understanding and coordination than a year ago. 

“[The year] 2021 was a series of gut punches,” Wright noted. “I think collectively they all will absolutely have a permanent impact on how the government defends itself.”

-Updated at 11:50 p.m.