Ranking Member Katko Opening Statement at Hearing on SolarWinds Cyber Campaign

WASHINGTON, DC– Rep. John Katko (R-NY), Ranking Member of the House Committee on Homeland Security, today delivered the following opening statement at a full-committee hearing entitled, “Weathering the Storm: The Role of Private Tech in the SolarWinds Breach and the Ongoing Campaign.”

As everyone in this hearing knows, we are in the midst of arguably the most devasting cyber espionage campaign ever waged against our nation.

With each passing day, we learn more about the tactics, techniques, procedures, and unprecedented sophistication surrounding this campaign.

While a number of details remain elusive, the overall picture is slowly coming together. And much of this incremental clarity is due to what we have learned from our private sector partners, so I appreciate their steady engagement in this whole of society response. I also recognize that we need more of this private sector sharing.

I hope we can spend our time during this hearing evaluating the best paths forward. How can the cybersecurity community do more than just bounce back, but also bounce forward from these events?

From my vantage point, we now know enough to identify five initial lanes of policy response.

First, we need to seriously rethink our fragmented approach to .gov security by centralizing authority with the Cybersecurity and Infrastructure Security Agency (CISA) where possible.

While CISA’s federal hunt authority from the FY2021 NDAA is a welcomed step in the right direction, CISA still does not have the proper authorities, resources, or holistic visibility into the federal networks enterprise to effectively defend, and nimbly respond to, attacks.

Second, we need to better understand the nature and extent of third-party cyber risks.

With no disrespect at all meant to Mr. Ramakrishna, relatively few people had even heard of SolarWinds in early December 2020, yet its products are leveraged by most of the Fortune 500, with a relationship between vendor and customer that inherently enables a high degree of administrative privilege on the host network.

In this interconnected web of hardware, software, and services that underpin our way of life, where are there concentrated sources of risk that could result in cascading or systemic impact if we assume there is a breach? We need to better illuminate answers to these questions.

Third, once we identify the potentially concentrated sources of cyber risk, we need to ensure that vendor certification processes actually reduce that risk – not create perfunctory compliance exercises.

There are a number of vendor certification or risk judgment regimes in various stages of operationalization across the federal government, with DoD’s Cybersecurity Maturity Model Certification (CMMC) and the Federal Acquisition Security Council (FASC) garnering the most headlines.

Let’s work together to ensure these regimes accomplish our common goal of actually reducing risk.

Fourth, we need to drive better software assurance and development lifecycle practices across the entire ecosystem. Whether software flaws are deliberate or not, the software supply chain represents an attack vector that if exploited, leaves the potential for a “digital pandemic” of sorts – where the impact of one bad line of code can be felt across the entire country.

Lastly, we must impose real costs on cyber adversaries like Russia, China, Iran, and North Korea.

While there is no silver bullet, deterrence still matters. Naming and shaming, indictments, sanctions, offensive measures where appropriate – these should all be tools in our toolkit. From the sophisticated nation state-led incident, to the more routine, such as ransomware, the cost/benefit analysis of cyber aggression still favors adversaries too often. In short, they are winning the modern-day arms race and we need to step up.

I welcome the recent announcement by the administration to begin to hold Russia accountable through sanctions. I hope those sanctions are real, I hope they are firm and I hope they are severe.

I imagine we’ll also hear a constructive dialogue today about breach notification and incident reporting.

An undeniable gap in our country’s cybersecurity posture is the fact that there is not a consistent, overarching incentive for industry to disclose a breach. As a result, our federal agencies are often operating in the dark, instead of having access to the aggregate data regarding the tactics, techniques, and procedures of bad actors.

As we move forward, we must consider approaches to close this gap. Whether that should be partnership based or compulsory – or a hybrid – is yet to be seen, and I welcome robust private sector feedback on this issue.

These are all necessary and worthy policy conversations for our homeland security. But we also must not lose sight of the immediate need to put necessary resources towards the federal .gov SolarWinds response.

I feel strongly that any executive branch actions related to SolarWinds must build upon, and bolster, CISA’s mission as the lead Federal civilian cybersecurity agency – as I recently stated in a letter to President Biden.

I again want to thank our witnesses for testifying today, and I look forward to hearing from you all on an issue of great bipartisan interest for the nation.