“Cyber Security (Executive Calendar)” published by the Congressional Record on Dec. 18, 2020

Volume 166, No. 215 covering the 2nd Session of the 116th Congress (2019 - 2020) was published by the Congressional Record.

The Congressional Record is a unique source of public documentation. It started in 1873, documenting nearly all the major and minor policies being discussed and debated.

“Cyber Security (Executive Calendar)” mentioning the U.S. Dept of Agriculture was published in the Senate section on pages S7700-S7701 on Dec. 18, 2020.

The Department is primarily focused on food nutrition, with assistance programs making up 80 percent of its budget. Downsizing the Federal Government, a project aimed at lowering taxes and boosting federal efficiency, said the Department implements too many regulations and restrictions and impedes the economy.

The publication is reproduced in full below:

Cyber Security

Madam President, 2020 has been a tough year, let's face it. And, unfortunately, it looks like the challenges haven't ended. I came to the floor tonight, primarily, to talk about some shocking and disturbing news we just heard over the last few days, and that is that there has been a massive, highly sophisticated, and ongoing cyber attack that has compromised the networks of multiple Federal agencies and the private sector.

According to reports, for months now--months--hackers--our intelligence experts think they are most likely connected with the Russian Government in some way. That is what they tell us. But these hackers have engaged in an espionage effort to access information in some of our biggest Federal agencies that hold some of our most sensitive data and our most sensitive and important national security secrets.

Also, again, many U.S. private companies were hacked, as well. These hackers are smart. They targeted some of these agencies that do handle things like national security--the State Department, for instance, the Department of Homeland Security, the Department of Energy and its Nuclear Security Administration.

This is scary stuff. Others, like the National Institutes of Health, were hacked. Of course, they are closely involved with our work to respond to the COVID-19 pandemic, so also a lot of important, sensitive information could have been hacked. They are a treasure trove of information. These are agencies that protect our homeland, promote our freedom abroad, and are on the frontlines battling this pandemic.

But what we know today may be just the tip of the iceberg, we are told. Experts expect the number of agencies as well as a number of private companies victimized by this attack will only continue to grow.

The main IT monitoring platform believed to have been hacked was used across the government and by 33,000 private companies. Shockingly, we also know that FireEye, the preeminent cyber incident response firm, was also breached. So think about this. FireEye, which is a company that people call when they are hacked, was hacked.

We are still learning the details about this attack, but what we know is chilling. Federal investigators from the Cybersecurity and Infrastructure Security Agency, CISA, under the Department of Homeland Security, the FBI, and also the Office of National Intelligence, the ODNI, are all working to determine how this happened, what the extent of it is.

But it looks like the main vulnerability was through a SolarWinds' platform, which is an IT monitoring platform widely, again, widely used by the government and the private sector to oversee the operation of other computer networks.

The hackers disguised their entry into these Federal agencies and company systems in a troubling and clever way. They exploited a vulnerability in a security patch sent out by SolarWinds to update its software. I want to emphasize that--the security patches that we all advocate to be installed as soon as possible to protect our networks as basic good cyber hygiene was actually a security breach.

This technique and the breadth of this hack are both unprecedented, and it shows that the Federal Government is still far from where we need to be to handle the cyber security challenges of the 21st century.

As the Permanent Subcommittee on Investigations said in its investigation and report, these alarms that we have been raising over time are ones that we should have paid attention to. In 2019, last summer, Senator Carper and I issued a shocking report that detailed the unacceptable cyber security vulnerabilities in the Federal Government--vulnerabilities that may very well have played a role in the extent of this breach.

Our report looked back at how well Federal agencies complied with basic cyber security standards over the past decade. Every agency we reviewed failed. And we know that four of those agencies--the Department of Homeland Security, the State Department, the Department of Agriculture, the Department of Health and Human Services--are among those that have been breached in this current cyber attack.

That report from the Permanent Subcommittee on Investigations made clear that Federal agencies were a target for cyber criminals and other nation-state adversaries. In 2017 alone, Federal agencies reported 35,277 cyber incidents. It is the most recent data we have--in 1 year. The number of cyber incidents in 2019 was a little bit less, 28,581. But 2020 will bring what is likely the biggest, most comprehensive breach across the Federal Government in our history.

We also found we are not equipped to handle this threat. Many of the agencies we reviewed didn't even know what applications and platforms were operating on its systems. That begs the question: How can you protect something if you don't even know what you need to protect?

If Federal agencies fail at meeting basic cyber standards, there is no way they are equipped to thwart the kind of sophisticated attack that apparently happened over the past several months. Here, the attackers were meticulous and had a detailed understanding of how to evade intrusion detection practices and technologies. And because the Federal agencies involved were unprepared, the attackers had ample time to cover their tracks, which means evaluating the extent of the damage and kicking them off our networks is going to be incredibly difficult and time-consuming.

Given how widespread this attack is and how much wider it is expected to become, it certainly seems like the Federal Government's current cyber resources are going to be spread incredibly thin.

Congress and the executive branch have failed to prioritize cyber security, and now we find ourselves vulnerable and exposed. We have to do better than this. This breach has to be a wake-up call for all of us.

Over the years, I have worked across the aisle with Senator Peters, Senator Cornyn, Senator Hassan, and others on legislation to beef up our Federal Government cyber capacities, including the Risk-Informed Spending for Cybersecurity Act, the Federal System Incident Response Act, and the DHS Cyber Hunt and Incident Response Team Act, and others. We are proud of this legislation.

Let's be honest. It wasn't enough. We need to do more. We need to not only defend our networks but go on the offense to defer a nation-state, like Russia, and nonstate actors from even considering a future attack like this. That means there needs to be consequences for cyber attacks significant enough to prevent them from happening again and a willingness to act preemptively when warranted.

Congress has to take a hard look at the cyber security capabilities of our Federal agencies. In the next Congress, I will be the top Republican on the Senate Homeland Security and Governmental Affairs Committee, which means I will either serve as its chairman or ranking member, depending on the outcome of a couple of races in Georgia. Senator Peters will be the chair if the Democrats take the majority. I will tell you here tonight, whether I am chairman in January or him, we intend to hold indepth hearings on cyber security. With what has happened, we will also, of course, focus on the origin, scope, and severity of this breach.

Actually, 3 weeks ago, even before this attack was revealed, we met and decided to hold these cyber security hearings, and we are already working on comprehensive legislation to improve our cyber defenses in the Federal Government going forward.

We must now move with a renewed sense of purpose and urgency to learn from this massive attack. We have to remove these hackers from these systems and put in place protections to prevent it from happening again.

As this cyber attack has made clear, we have to redouble our efforts to shore up our defenses. We are two decades into the 21st century, but most of the Federal Government legacy computer systems are from the 20th century. Federal agencies are simply behind the times when it comes to defending themselves against these threats posed in cyber space. The government is trying to respond to sophisticated, 21st century attacks with 20th century defenses. This attack has shown us the consequences of that and should be the catalyst for real bipartisan action here in the next Congress to better defend networks that contain sensitive, personal information, and other information critical to our economy, our healthcare, and the safety and security of all Americans.

I yield the floor.

The PRESIDING OFFICER (Mr. Tillis). The Senator from Ohio.

Mr. PORTMAN. Mr. President, I suggest the absence of a quorum.

The PRESIDING OFFICER. The clerk will call the roll.

The senior assistant legislative clerk proceeded to call the roll.

Mr. BENNET. Mr. President, I ask unanimous consent that the order for the quorum call be rescinded.

The PRESIDING OFFICER. Without objection, it is so ordered.

SOURCE: Congressional Record Vol. 166, No. 215
