WASHINGTON — Ranking Member Bob Menendez (D-N.J.) is calling on Secretary of State Mike Pompeo to provide the Senate Foreign Relations Committee details on the extent of the recent Russian-backed SolarWinds cyberattack targeting the State Department along with other federal agencies. In a new letter, the Senator formally requested a briefing for committee members on the security breach and the efforts that the State Department and the Trump administration are taking to mitigate its impacts and defend against future attacks.
The letter reads:
Dear Mr. Secretary,
I am writing to request a classified briefing for Members of the Senate Foreign Relations Committee by appropriate senior department officials on the Russian-backed SolarWinds breach and the cyber infiltration of U.S. government and private sector systems and networks as soon as possible after the Senate reconvenes on Jan. 4, 2021.
It is critical that the Senate Foreign Relations Committee receive a briefing on the extent of the security breach and the efforts that the department is taking to mitigate its impacts and defend against future attacks. Furthermore, it is essential that critical sectors within private industry and the American public more broadly understand the nature of the threat that our nation faces from the Kremlin and their persistent exploitation of cyberspace, the internet, and social media for their malign ends.
While several other cabinet agencies that are victims of this cybersecurity breach have publicly acknowledged having been attacked, to date the Department of State has been silent on whether its computer, communication, and information technology systems were compromised. For the committee briefing I would therefore appreciate better understanding of:
- The department’s assessment of the nature, scope, design, and intent of the breach, including those responsible for the operation;
- When the Department of State became aware of the SolarWinds breach, if the department has experienced similar intrusions in 2019 or 2020, and whether any such hacks breached departmental systems;
- The department’s assessment of what systems or materials that may have been compromised, including as it relates to the confidentiality and integrity of data, mapped, exfiltrated, or otherwise placed at risk, and the steps that have been and will be taken to mitigate any such damage;
- Any ongoing risk that cyber intruders may still persist in any departmental systems, including ongoing efforts to identify and expel any intrusions and to manage any potential damage or exposure;
- Any cooperation and coordination with other relevant USG [U.S. government] agencies or offices to address the attack, identify attackers or breaches, conduct diagnostics, and repair departmental systems, including by granting other appropriate elements of the USG access to departmental systems for such purposes;
- The steps the department is taking to assess risks within the cybersecurity supply chain and any steps the department considers necessary to mitigate those risks;
- An assessment of the breach of and risks to cyber-physical devices;
- Any steps currently being taken or contemplated to prevent future attacks; and,
- Foreign policy measures and diplomatic recommendations or other steps recommended or taken by the department to respond to the SolarWinds breach and to deter any future such attacks.
Mr. Secretary, I know you share my concerns about the potential for damage that this attack presents to our nation and to the Department of State. I look forward to working with you to arrange for a briefing and a fuller discussion of these issues.
With all the best for a safe, happy, and healthy New Year.