President-elect Joe Biden’s choices to take on key cabinet roles outlined their approaches to pressing cybersecurity issues facing the new administration during Senate confirmation hearings on Tuesday.
A suspected Russian hacking operation that has exposed frailties in federal defenses, as well as conspiracy theories that inspired the Jan. 6 siege of the Capitol, loomed large at the hearings, which came a day before Biden’s inauguration. Of note: Biden’s picks for Homeland Security chief and Director of National Intelligence said they will get a clearer picture of the SolarWinds hacking campaign after getting classified briefings on the matter.
Here are the highlights from Tuesday’s confirmation hearings.
Alejandro Mayorkas, Secretary of Homeland Security nominee
Immigration issues dominated the discussion between Alejandro Mayorkas, Biden’s nominee for DHS chief, and Senate lawmakers. The inability of DHS and other federal departments to stop alleged Russian hackers from exploiting software built by the federal contractor SolarWinds, though, was a recurring theme.
Mayorkas flatly told lawmakers that the U.S. government’s defenses against hacking were out of step with the urgency of the threats.
“We have to do a much better job than we are doing now,” Mayorkas told the Senate Homeland Security and Governmental Affairs Committee. He pledged to make “the cybersecurity of our nation…one of my highest priorities.”
Sen. Rob Portman, R-Ohio, the committee chairman, suggested that DHS’s Cybersecurity and Infrastructure Security Agency (CISA) was “stretched too thin” in terms of resources and personnel to catch the SolarWinds hackers. Mayorkas didn’t address that comment directly, but made clear that he wants to strengthen the agency. (Biden has proposed providing CISA with an additional $690 million for network defenses.)
“CISA must improve the cyber hygiene of the federal government, of the many departments and agencies throughout it,” said Mayorkas, who served as deputy Homeland Security secretary in the Obama administration. “I think this is going to require an all-of-government approach, and there is a great amount that will rest on the shoulders of CISA.”
In the aftermath of the SolarWinds hack, lawmakers have scrutinized two DHS-run cybersecurity programs that the government spends hundreds of millions of dollars on annually. One is an intrusion detection service known as Einstein; the other is a contracting vehicle called Continuous Diagnostics and Mitigation that allows agencies to buy cyber-defense tools.
Mayorkas told lawmakers he would conduct a “thorough review” of both programs to see if they are designed and executed “to stop a threat such as SolarWinds.” If not, he said he would explore other tools needed to defend agency networks.
The DHS secretary nominee also said he needed more information, including classified data, to fully understand the breadth of the SolarWinds hack.
Avril Haines, Director of National Intelligence nominee
Biden’s pick for Director of National Intelligence, Avril Haines, testified that she has not yet had a full classified briefing on the details of the SolarWinds campaign, underscoring the incomplete information that some members of the incoming administration have on the espionage operation.
Haines, who previously served as deputy director of the CIA and principal deputy national security advisor to President Barack Obama, expressed concern about the extent to which the government was caught off-guard by SolarWinds.
“It was pretty alarming that we found out about it through a private company as opposed to being able to detect it ourselves,” Haines said, referring to how FireEye, and not the U.S. government, first uncovered the breach.
Haines suggested, as has Biden, that there should be consequences for the hackers responsible, but she did not elaborate on what those consequences might be.
Haines’ confirmation hearing covered other key security issues, including the way QAnon conspiracy theories spread online. Haines told Sen. Martin Heinrich, D-N.M., she would share a threat assessment on QAnon with Congress.
Heinrich first asked the FBI and DHS to share a threat assessment on QAnon last month, noting that QAnon adherents had undermined U.S. democratic institutions by spreading “false and dangerous conspiracy theories” about the November election. QAnon believers were among the extremists who stormed the Capitol building on Jan. 6 in an apparent attempt to stop Congress from certifying November’s election results.
Haines’ testimony also touched on the murder of journalist Jamal Khashoggi. Haines told Sen. Ron Wyden, D-Ore., that as DNI she would abide by the law and provide an unclassified intelligence report on who was responsible for the murder of Khashoggi, whose associates were reportedly surveilled via spyware in advance of his murder.
The CIA has reportedly assessed the killing was ordered by Saudi Crown Prince Mohammed bin Salman, whose government has since been accused of using spyware produced by an Israeli software surveillance firm, NSO Group, to spy on other journalists and critics of the Saudi Kingdom.
The ODNI under the Trump administration was supposed to share an unclassified report with Congress about Khashoggi’s killing last January, but failed to do so.
Lloyd Austin, Secretary of Defense nominee
The confirmation hearing for Biden’s nominee for Secretary of Defense, Lloyd Austin, touched on multiple cybersecurity issues. Namely, Austin told Sen. Mike Rounds, R-S.D., on Tuesday that he thinks speed matters in running the U.S. government’s offensive cyber-operations, and applauded the government’s recent offensive cyber-operations guided by the Department of Defense’s offensive cyber strategy known as “defend forward.”
“Having an offensive [cyber] capability that we’re able to use, I think, is really important, and so I applaud the efforts that have been made in the past,” Austin said of the strategy, which DOD’s Cyber Command has been using to shape its offensive cyber campaigns. “I look forward to … getting under the hood and getting back to understand how the process works to ensure coordination across the agencies.”
Sen. Angus King, I-Maine, one of the co-chairs of the Cyberspace Solarium Commission, the bipartisan congressional commission on cybersecurity, noted during Austin’s testimony that he looks forward to discussing the commission’s priorities.