WASHINGTON – The military spending bill that President Trump is threatening to veto contains provisions that would help protect against the type of large-scale Russian hacking uncovered in recent days, experts and lawmakers say.
The recent hack into numerous federal agencies by Russia’s elite spy service demonstrated the need for new defenses, key lawmakers said.
The military bill contains two dozen provisions aimed at strengthening cyber defenses. It gives the federal government the ability to actively search for foreign hackers trying to penetrate computer networks and establishes a national cyber director who would coordinate the government‘s defenses and responses to such attacks.
“This is an incredibly important bill,” said Senator Angus King, an independent from Maine who was co-chair of the bipartisan panel, the Cyberspace Solarium Commission. “This is the most important computer legislation ever passed by the United States Congress.”
If those provisions had been in place this year, the Trump administration could have better detected and stopped the violation more quickly, lawmakers said.
But other recommendations from the commission that could also have helped uncover Russian hacking much earlier, including giving the government the power to search for threats on certain private networks, were not included in the bill. this year.
Rep. Mike Gallagher, Republican of Wisconsin and co-chair of the commission, said it was essential to remember that a private company, FireEye, had discovered Russian hacking that exploited vulnerabilities, including in software created by a Texan company called SolarWinds.
“It went undetected for months and months by US government agencies,” Gallagher said. “I think this shows a weakness in federal defense.”
The Russians were able to use vulnerabilities in a large number of federal computer networks and private sector companies to gain broad access. The hackers, who work for the elite Russian spy agency, have been in federal agencies for months, at least since March.
On Thursday, the Federal Agency for Cybersecurity and Infrastructure Security warned that the hack was “a serious risk to the federal government.” While the warning did not contain any details, it confirmed findings from private cybersecurity experts that hackers had found multiple routes into computer networks.
While the scope of the intrusion grows daily as investigators learn more, officials have not revealed anything about the information the Russian spies stole or what they were looking for.
The response from senior Trump administration officials has been muffled, but after the Cybersecurity and Infrastructure Security Agency’s announcement, President-elect Joseph R. Biden Jr. said his administration would impose substantial costs on those responsible for hacking the government systems.
The commission announced its recommendations in March. Congress wrote 23 in the annual military bill that was passed by both houses with veto margins this month. Mr Gallagher said no one guaranteed the hack would have been stopped, but giving the Department of Homeland Security more power to hunt threats across the federal government would have provided a “chance” to detect the intrusion sooner. .
“This type of threat hunting capability is necessary, and I think this attack underscores that,” he said.
While the White House viewed certain provisions with skepticism, including the creation of a Senate-confirmed cyber director, Mr. Trump’s veto threat focused on his demands that Congress remove legal protections for companies from social media.
Opposing the legislation would be a mistake, especially after the SolarWinds hack was revealed, King said.
“If the question is whether their provisions in the bill could have protected us, the answer is yes,” said King, who caucus with the Democrats. “There is no guarantee that we could have found it, but it is exactly the sort of thing that worried us and which motivated the creation of the committee.
The commission included members of Congress and officials from the Trump administration and aimed to make recommendations to strengthen defenses against piracy.
Mr Trump has until next week to veto the bill, and the longer he waits, the harder it could be for Congress to overturn his decision, which could require lawmakers to be brought to Washington after Christmas , or to organize a last vote on January. 3, just before the session of the next Congress.
Machinations over the bill’s fate come as criticism from Congress grows over the administration’s revelations about the Russian hack and officials failing to provide detailed briefings.
Pentagon officials have tried to reassure the public that their defenses are holding and have so far found “no evidence of compromise” on their systems. The intrusion exploited a vulnerability in software used in the public and private sectors.
But lawmakers and outside experts viewed the statement with skepticism.
“It is far too early to claim that there is no danger here. I think the operating assumption has to be that the Russians have had access to extremely sensitive information, ”said Jeremy Bash, a former senior Pentagon and CIA official in the Obama administration. “Anyone who gets up after 72 hours and says ‘there is nothing to see here’ is completely unaware of how cyber attacks work. It is dangerous to make such a proclamation.
Mr Bash, now a consultant at Beacon Global Strategies, said it was impossible to tell in a few days how extensive the intrusion was. It could take months to find out what information the Russians had.
The hack, Mr Bash said, demonstrated the need for the type of cyberdirector the commission lobbied for. Such a director would be in a good position to orchestrate a unified federal response and promptly notify Congress and the public of action taken.
“A national cyber director is essential to ensure that all agencies have a very high level of cyber defense,” he said. “If the president veto the bill, Congress should quickly overturn that veto.”
Besides the director, the military bill includes other provisions aimed at strengthening the Cybersecurity and Infrastructure Security Agency, a branch of the Department of Homeland Security whose head was fired by Mr. Trump after proclaiming the safe elections. It would also establish more exercises on hacking defenses, require a review of the size of US cyber command forces, require an annual review of vulnerabilities in major weapon systems, and facilitate the recruitment and retention of defense experts. electronic by government.
Even if the military bill becomes law, there is still work to be done, Mr Gallagher said. Members of the commission urged appropriators in Congress to devote more funds to the type of threat hunting operations permitted by the bill.
Mr Gallagher also said he hoped next year’s legislation could expand threat-hunting work beyond government networks, allowing the federal government to proactively search for foreign intruders on corporate networks. ‘military contractors, to better connect the defenses of public and private networks.