Eight months after Biden signed the executive order to create the Cyber Safety Review Board, it has yet to be set up. This means that critical tasks remain unfinished, including the investigation into the massive SolarWinds spying campaign. In that campaign, first discovered over a year ago, Russian hackers stole data from many federal agencies as well as private companies.
The delay, according to some supporters of the new board, could harm national security. It also comes amid growing concern about a possible conflict with Russia over Ukraine, which could result in nation-state cyberattacks. The FBI and other federal agencies recently released an advisory, focused on critical infrastructure such as utilities, about Russian state hackers' techniques and methods.
"We won't be ahead of these threats if it takes us nearly a whole year to organize a group for investigating major breaches such as SolarWinds," stated Sen. Mark Warner, a Virginia Democrat and leader of the Senate Intelligence Committee. "Such a delay in organizing a group to investigate major breaches like SolarWinds is detrimental to our national safety and I urge the administration to speed up its process."
Biden signed the order in May, giving the board 90 days to investigate the SolarWinds hack once it has been established. However, there is no timetable for the creation of the board. This task has been assigned to Homeland Security Secretary Alejandro Mayorkas.
DHS responded to questions from The Associated Press by saying that it was far along in setting up the board and anticipated a "near term announcement," but it didn't address why the process has taken so long.
Scott Shackelford is the Indiana University cybersecurity program chair and a proponent of creating a cyber review body. He said that a thorough study of what happened in past hacks such as SolarWinds can help prevent similar attacks.
Shackelford stated, "It sure takes, my goodness, quite a while. It's past time that we can see the positive benefits of it standing up."
Although the Biden administration has made cybersecurity a priority and taken steps to improve defenses, this is not the first time that lawmakers have complained about the slow pace of progress. Many lawmakers complained last year that it took too long for the administration to name a national cybersecurity director, a position that was created by Congress.
The SolarWinds hack took advantage of vulnerabilities in the software supply chain. It went undiscovered for most of 2020, despite compromises at many federal agencies and dozens of companies, primarily telecommunications and information technology providers. The hacking campaign is named after SolarWinds, the U.S.-based software company whose product was used in the first stage of the infection.
This hack demonstrated the Russians' ability to reach high-ranking targets. The AP reported previously that SolarWinds hackers had accessed emails belonging to Chad Wolf, the acting Homeland Security Secretary at the time.
Many details regarding the cyberespionage campaign have been kept secret by the Biden administration.
For example, the Justice Department stated in July that at least one email account was compromised by the hackers at 27 U.S. attorney's offices across the country. The Justice Department did not give details on what information was accessed or what effect such a hack might have had on ongoing cases.
According to a former senior official who was not allowed to talk publicly about the hack and requested anonymity, files were also stolen from New York-based staff of the DOJ's Antitrust Division. This breach has never been reported before. The Antitrust Division is responsible for investigating private companies and has access to highly sensitive corporate data.
The federal government has conducted reviews of the SolarWinds hack. The Government Accountability Office released a report on the SolarWinds hack, as well as another major hacking incident. It found that there was sometimes a slow, difficult process for sharing information between government agencies and the private sector. The National Security Council also reviewed the SolarWinds attack last year.
Christopher Hart, a former chairman of the National Transportation Safety Board, advocated for the creation of a cyber review board. He said that the new board could conduct an independent and thorough examination of the SolarWinds hack to identify security gaps or issues that others have not noticed.
Hart stated that "most of the crashes the NTSB really pursues... are ones that are surprising even to security experts." They weren't obvious, but they were things that required deep digging to find out the cause.