Who's to blame for SolarWinds?

Hi, this is Alyza on the cybersecurity team. U.S. lawmakers are looking for someone to blame. Recent major cyber-attacks have blindsided U.S. companies and officials. But unlike, say, a terrorist bombing or a more pedestrian crime, it's not clear which government agencies are responsible for the attacks' prevention and cleanup. 

"When a cyber-attack happens, who do we hold accountable?" Senator Rob Portman, the Republican from Ohio, asked cyber officials from the White House Office of Management and Budget, Federal Bureau of Investigation and Department of Homeland Security at a committee hearing last week. "It seems to me, somebody needs to be in charge."

Portman's remarks captured a sentiment that has been percolating in Washington since December, when suspected Russian hackers were found to have compromised popular software by Texas-based SolarWinds Corp. in a cyber espionage campaign that breached approximately 100 U.S. companies and nine government agencies. Nearly three months later, Microsoft Corp. revealed that China-based hackers exploited vulnerabilities in its Exchange software for email, conducting an attack that cybersecurity analysts say has affected tens of thousands of victims.

There are plenty of government organizations with some cybersecurity oversight. The Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security, oversees cyber defenses within civilian agencies, all of which have their own staff. The National Security Agency is responsible for tracking foreign cyber threats. On top of that, the White House National Security Council, the FBI, the Office of the Director of National Intelligence and U.S. Cyber Command all have roles to play in U.S. cybersecurity, in addition to assistance from the private sector.

"Because everyone's got a key role to play, it is really about ensuring that we have the appropriate governance structures in place to manage these events together, and that we're keeping clear lines of communication as we work through these things," according to Chris DeRusha, who serves as the Federal Chief Information Security Officer and testified at the hearing.

Officials are debating whether a more streamlined approach would be more effective. It's one of the reasons Congress mandated a new executive branch position, National Cyber Director, as part of the 2021 National Defense Authorization Act. However, the position has yet to be filled—a delay that, according to the Washington Post, may be the result of friction within the government over who should be in charge of key cybersecurity tasks.

"The idea that Congress had for the National Cyber Director was a way to drive coordination at the White House, particularly related to coordinating incident response," Brandon Wales, the acting head of the Cybersecurity and Infrastructure Security Agency—which is known as CISA and operates as part of DHS—testified last week. "But the position doesn't exist yet, so I think a lot of this will be determined from how we establish the identification of roles and responsibilities for its office."

In the meantime, U.S. cyber officials are trying new approaches to securing key networks, including working with companies that are central to critical infrastructure and U.S. national security functions.

For example, this month, CISA and the NSA jointly released guidance on technologies that could help operators of key networks handle future attacks that are similar to the SolarWinds and Microsoft hacks. The guidance—which is focused on protecting a piece of the internet that is often likened to a phone book because it connects domain names with IP addresses—was the result of a pilot study by the Department of Defense and the NSA.

Such initiatives may offer a glimpse of how the government is working with companies to try to boost security. But it still doesn't settle the question of where the buck stops in the U.S. government when the next major hack is revealed.

"If everyone is in charge," noted Portman at the hearing, "then no one is in charge."

Alyza Sebenius

If you read one thing

The popular trading app Robinhood has filed confidentially for an initial public offering, report Bloomberg's Matthew Monks and Katie Roof. The app has reshaped the brokerage business and even Wall Street itself.

And here's what you need to know in global technology news

Amazon Web Services gets a new boss: Adam Selipsky of Salesforce will replace Andy Jassy as the leader of the giant Amazon cloud unit. 

A New York regulator found that Goldman Sachs didn't use discriminatory practices in deciding whether to offer credit to prospective Apple Card customers.

Delivery app GoPuff, which acquired the liquor chain BevMo! in November, has doubled its valuation to $9 billion.

In a recent flurry of deals, Peloton has acquired companies dealing with wearable devices, artificial intelligence, digital voice assistants and interactive workout mats.

Prince Harry works for a startup now.

 
