GAO releases SolarWinds hack report, notes issues with agencies' info sharing and evidence collection

The chair of the House Oversight Committee indicated she would advance legislation on the issue

The Government Accountability Office (GAO) outlined its findings from the 2020 SolarWinds hack, noting that threats to information technology systems are increasing.

Government agencies coordinated in response to the hack, but sharing of information was "often slow, difficult, and time consuming," according to the report. It added that "collecting evidence was limited due to varying levels of data preservation at agencies."

solarwinds

The SolarWinds Corp. logo is seen on a sign at the headquarters in Austin, Texas on April 15, 2021 in Austin, Texas.  (SUZANNE CORDEIRO/AFP / Getty Images)

Thursday's report covered both the SolarWinds attack by Russian Foreign Intelligence Service and a Chinese government affiliate's "likely" exploitation of a vulnerability on the Microsoft Exchange Server.

A representative for Microsoft declined to comment. A SolarWinds spokesperson told FOX Business: "Today’s GAO report confirms details previously released about the highly sophisticated SUNBURST attack targeting SolarWinds and other technology companies. Further, the GAO analysis of the National Security Council (NSC) after-action report on the Cyber Unified Coordination Group (UGC) investigation into the SUNBURST attack highlights the criticality of improving public-private engagement, and that coordination and information-sharing needs to be a two-way street between government and the private sector."

"As noted in the report, information sharing between federal agencies and the private sector aided investigations and helped speed up response efforts. We strongly agree enhanced public-private collaboration is necessary to protect the nation's cyberinfrastructure from threats by foreign governments."

SOLARWINDS HACK ONE YEAR LATER, CYBERSECURITY EXPERTS SAY WE'RE NO BETTER OFF

House Oversight Reform Chair Rep. Carolyn Maloney, D-N.Y., expressed concern about the GAO's findings and indicated she would propose new legislation.

"More than a year after the discovery of the devastating SolarWinds attack, in which the Russian government was able to gain network access to nine federal agencies, it’s clear that there are still significant gaps in the federal government’s ability to respond to advanced cyberattack," she said in a statement released Thursday.  

Microsoft

This July 3, 2014 file photo shows Microsoft Corp. signage outside the Microsoft Visitor Center in Redmond, Wash. (AP Photo Ted S. Warren, File / Associated Press)

"It’s troubling that the federal government was still working to remove cyberattackers from agencies’ networks six months after the attack was discovered, and I am alarmed to hear that cyberattackers may still have as-yet-undiscovered access to federal networks."

"The federal government continues to be a top target for nation-state adversaries, and the report released today underscores the urgent need for Congress to update and strengthen the Federal Information Security Management Act, or FISMA. Ranking Member Comer and I have released discussion draft legislation to do just that. I look forward to working with my colleagues on this bipartisan legislation to meet the challenges of the cyber landscape."

WHAT IS SOLARWINDS? A LOOK AT THE HACKED SOFTWARE COMPANY IN THE CROSSHAIRS

The SolarWinds incident has resurfaced considerations of the U.S.' information security apparatus.

The GAO said Thursday it had made a long list of recommendations and was monitoring agencies' progress.

CLICK HERE TO READ MORE ON FOX BUSINESS

"Since 2010, GAO has made about 3,700 recommendations to agencies aimed at remedying cybersecurity shortcomings," the report read.

"As of November 2021, about 900 of those recommendations had not yet been fully implemented. GAO will continue to monitor federal agencies' progress in fully implementing these recommendations, including those related to software supply chain management and cyber incident management and response."

FOX Business' Bradford Betz contributed to this report.