Lawmakers Worry About WannaCry; House Homeland Security Democrats Want Hearing
Two Democrats on the House Homeland Security Committee Tuesday called for a hearing on how the global WannaCry ransomware attack (see 1705150008 and 1705120055) has hit sectors like telecom supporting the U.S. healthcare industry. Senators told us they, too, are concerned about vulnerability of government and private networks. One plans to introduce legislation soon that would codify the U.S. government’s vulnerabilities equities process (VEP) while a House member expects to introduce a cyber hygiene bill again. The attack also came up Tuesday at a National Institute of Standards and Technology cybersecurity framework event (see 1705160072).
"From a whole of government standpoint, we need to be better prepared," Mark Warner, D-Va., vice chairman of the Senate Select Committee on Intelligence and co-founder of the Senate Cybersecurity Caucus, told us. He said the incident "again shows the vulnerability of many of our systems." Monday, his news release pressed the Office of Management and Budget and the Department of Homeland Security about what steps they've taken to ensure federal IT systems installed Microsoft patches.
Questions remain, Warner said, as to whether federal, state and local governments installed the patch and if DHS contacted public and private critical infrastructure operations. North Korea may be involved, but "we don't know that for a fact yet," he said. "Virtually none of those devices have any patchability," Warner said of the IoT. "They have no security built in. Many of them have got passwords ... that you can't change. Unfortunately, [the attack] is a taste of the kind of threats we may be facing going forward and I'm not sure whether kind of whole of government or for that matter whole of society is fully prepared."
Sen. Steve Daines, R-Mont., a former tech executive on the Homeland Security Committee, told us he's "very concerned" about the attack. He and a bipartisan group of lawmakers supported an amendment to the FY 2017 National Defense Authorization Act, which passed in December, elevating U.S. Cyber Command to a full unified combatant command in the U.S. military. The WannaCry attack "is another example, another warning shot to the entire world about the threat of cyberattacks and the importance of working to do all that we can to prevent them," he said.
House Homeland Security Committee Democrats Cedric Richmond of Louisiana and Donald Payne of New Jersey said they want a hearing on the cybersecurity posture of the healthcare system and other sectors that support it. The attacks have been "crippling hospitals, utilities, telecommunications, manufacturers, transportation systems, and other critical service providers," Richmond, ranking member on the Cybersecurity and Infrastructure Protection Subcommittee, and Payne, ranking member on the Emergency Preparedness Subcommittee, wrote John Ratcliffe, R-Texas, who chairs the cybersecurity subcommittee, and Dan Donovan, R-N.Y., who chairs the emergency preparedness subcommittee.
Rep. Eshoo, D-Calif., will soon introduce the Good Cyber Hygiene Act, similar to one she sponsored last session, emailed her spokeswoman. The bill would instruct the National Institute of Standards and Technology, with assistance from the FTC and DHS, to establish voluntary best practices for network security that reflect basic, proactive cyber hygiene practices like not using a default password and regularly installing software updates, the spokeswoman said. The FTC issued a Monday blog post about WannaCry, had hosted a September ransomware workshop (see 1609070044) and has provided guidance to businesses and consumers. It didn't comment further.
Sen. Brian Schatz, D-Hawaii, told us he plans to introduce legislation with Senate Homeland Security Chairman Ron Johnson, R-Wis., that would codify the VEP. His aide later said the bill could be introduced as early as Tuesday. Established during the Obama administration, the process helps the government decide whether to disclose vulnerabilities it has collected to the private sector so a fix can be issued. Experts said the VEP needs to be changed and codified but didn't think it would have made a difference in the WannaCry attack.
Mozilla Chief Legal and Business Officer Denelle Dixon-Thayer called the attack a "clarion call" for changing the government's VEP. If the government has exploits that were compromised, it should share that information with software companies before users are put at risk, she blogged Monday. "Lack of transparency around the government’s decision-making processes here means that we should improve and codify the Vulnerabilities Equities Process in law."