WASHINGTON – The military spending bill on which President Trump is threatening to veto includes provisions that would help protect against the kind of widespread Russian hacking discovered in recent days, experts and lawmakers said.
The annual defense authorization law, which Mr. Trump said on Thursday that he would veto, contains a series of recommendations from a bipartisan committee established by congress.
The recent hack on numerous federal agencies by Russia’s elite espionage service has shown the need for new defenses, key lawmakers said.
The military bill contains two dozen provisions to strengthen cyber defenses. It allows the federal government to actively hunt for foreign hackers attempting to penetrate computer networks and appoints a national cyber director to coordinate government defense and responses to such attacks.
“This is an incredibly important bill,” said Senator Angus King, an independent Maine member who co-chaired the bipartisan panel, the Cyberspace Solarium Commission. “This is the most important cyber law ever passed by the US Congress.”
Had those provisions been in effect this year, the Trump administration might have had a better chance of detecting and stopping the breach more quickly, lawmakers said.
But other recommendations from the committee that may also have helped uncover the Russian hack much earlier, including giving the government the power to look for threats on some private networks, didn’t make it into this year’s bill.
Wisconsin Republican Representative Mike Gallagher and co-chair of the committee said it is critical to remember that a private company, FireEye, discovered the Russian hack that exploited vulnerabilities, including in software created by a Texas company called SolarWinds.
“This went unnoticed by US government agencies for months and months,” said Mr. Gallagher. “I think it shows a weakness in the federal defense.”
Russians have been able to leverage vulnerabilities in many federal computer networks and private sector companies to gain wide access. The hackers, who work for Russia’s elite espionage agency, have been with federal agencies for months, at least since March.
On Thursday, the federal Cybersecurity and Infrastructure Security Agency warned that hacking was “a serious risk to the federal government.” Although the warning did not provide details, it confirmed the findings of private cybersecurity experts that the hackers had found multiple ways to enter computer networks.
While the scope of the break-in grows every day as investigators learn more, officials have revealed nothing about what information the Russian spies stole or what they were looking for.
The response from senior Trump administration officials has been muted, but following the announcement by the Cybersecurity and Infrastructure Security Agency, President-elect Joseph R. Biden Jr. that his government would impose significant charges on those responsible for the hack of government systems.
The committee announced its recommendations in March. Congress wrote down 23 of them in the annual military law that passed both houses with veto margins this month. Mr. Gallagher said no one guaranteed the hack would have been stopped, but giving more power to the Department of Homeland Security to hunt for threats in the federal government would have “provided an opportunity” to detect the intrusion earlier. .
“This kind of threat hunting capability is needed, and I think this attack underscores that,” he said.
While the White House was skeptical about some provisions, including the creation of a Senate-confirmed cyber director, Mr Trump’s veto focused on his demands that Congress roll back legal protections for social media companies.
It would be a mistake to break the law, especially after the SolarWinds hack revelations, Mr King said.
“If the question is, are their provisions in the bill that may have protected us, then the answer is yes,” said Mr. King, who is consulting with Democrats. “There’s no guarantee we could have found it, but this is exactly the kind of thing we were concerned about and prompted the creation of the committee.”
The committee was made up of members of Congress and officials from the Trump administration and aimed to make recommendations to strengthen the defense against hacking.
Trump has until next week to veto the bill, and the longer he waits, the more difficult it could be for Congress to overrule his decision, which may require bringing lawmakers to Washington after Christmas or a last vote on January should be suppressed. 3, just before the next conference takes place.
Machinations over the bill’s fate come as congressional criticism grows over the government’s revelations about the Russian hack and the failure of officials to provide detailed briefings.
Pentagon officials have tried to reassure the public that their defenses have held up and that they have found “no evidence of compromise” on their systems so far. The breach exploited a vulnerability in software used by the government and the private sector.
But lawmakers and outside experts viewed the statement with skepticism.
“It is far too early to say there was no danger here. I think the operational assumption must be that the Russians have been given access to highly sensitive information, ”said Jeremy Bash, a former top Pentagon official and CIA official in the Obama administration. “Anyone who gets up after 72 hours and says ‘there is nothing to see here’ has no idea how cyber attacks work. It is dangerous to declare such a thing. “
Mr. Bash, now a consultant at Beacon Global Strategies, said there was no way to say how widespread the breach was within days. It can take months to find out what information the Russians have received.
The hack, Mr. Bash said, demonstrated the need for the kind of cyber director the committee has been pushing for. Such a director would be in a good position to orchestrate a unified federal response and promptly inform Congress and the public of the steps being taken.
“A national cyber director is critical to ensuring that all agencies have a very high standard of cyber defense,” he said. “If the president vetoes the bill, Congress must lift that veto quickly.”
In addition to the director, the military bill contains other provisions aimed at strengthening the Cybersecurity and Infrastructure Security Agency, a branch of the Department of Homeland Security whose head was fired by Mr. Trump after declaring the election vault. It would also increase hacking defense exercises, mandate an assessment of the size of the U.S. Cyber Command’s armed forces, require an annual assessment of the vulnerabilities of key weapon systems, and make it easier for the government to identify experts in recruit and maintain electronic defense.
Even if military law becomes law, there is still more work to be done, said Mr. Gallagher. Members of the committee have urged Congress to spend more money on the kind of threat hunting approved by the bill.
Mr. Gallagher also said he hoped that next year legislation would expand threat hunting work beyond government networks, allowing the federal government to proactively search for foreign invaders on military contractor networks, thereby advancing the defense of threats. public and private networks can be better connected.