with Aaron Schaffer

Nomination hearings for President-elect Joe Biden's top security picks reveal gaps in knowledge about a massive government hack that could slow down the new administration's response plans.

Avril Haines, Biden's nominee for director of national intelligence, told members of the Senate Intelligence Committee yesterday that she has yet to receive a full classified briefing on the matter.

Haines told the committee the hack was a major concern and she has “a lot more to learn about what we know about this.”

Biden's first major cybersecurity challenge will be dealing with the fallout and recovery from a Russian hacking campaign that infiltrated at least eight federal agencies and hundreds of companies and organizations. Major players on Biden's cybersecurity team heading into the problem largely in the dark could complicate an already tricky issue.

“It's extremely disconcerting because it puts the incoming members of administration at a serious deficit of information for the transition,” said Betsy Cooper, director of the Aspen Institute’s Tech Policy Hub and a former Homeland Security Department cybersecurity official. “There's a deficit of security and preparation that could have been avoided.”

Haines has received some classified information on the hack, a Biden transition team spokesperson told me.

She isn't the only major Biden nominee to lack key information.

Alejandro Mayorkas, nominee for secretary of homeland security, told members of the Senate Homeland Security and Governmental Affairs Committee he has been “studying [the hack] intensely as a private citizen.”

“Should I have the privilege of serving as the secretary, I will avail myself of the best and latest intelligence,” Mayorkas added.

The Biden campaign declined to comment on what briefings Mayorkas had received and referred to his statement during the hearing. 

There's a natural deficit in staff that can get to work during transitions as some officials await congressional approval or security clearances, says Cooper. 

The Biden campaign has accused the outgoing Trump administration of making the transition even more difficult by rejecting a number of requests for briefings on classified information. 

Mayorkas will have a huge undertaking in reviewing DHS's cyberoperations in light of the hack, he acknowledged.

“[Cybersecurity and Infrastructure Security Agency] must improve the cyber hygiene of the federal government, the many departments and agencies throughout it,” Mayorkas told Homeland Security Chair Rob Portman (R-Ohio). “It must strengthen the public-private partnership not only for the benefit, of course, of the federal government but for the benefit of the private sector itself.”

But that work could be stalled by a hold on his nomination by Sen. Josh Hawley (R-Mo.).

Democrats are urging their colleagues to quickly confirm Mayorkas and other nominees in light of the massive SolarWinds attack and other pressing security concerns, Nick Miroff and Maria Sacchetti report.

DHS “is the lead agency charged with combating these threats and more, and it needs qualified, Senate-confirmed leadership in place immediately,” Sen. Gary Peters (D-Mich.) said in a statement.

Even with pending nominations and some slots unfilled, Biden won't be without a cyber team on his first day.

The Biden transition team has filled its National Security Council with a host of seasoned cybersecurity experts, including the top National Security Agency official Michael Sulmeyer, whose appointment the Biden team announced late Monday, and the NSA's departing cyber director Anne Neuberger.

Lawmakers and experts express high confidence in Biden's team.

Cooper agreed, though she urged the administration to quickly finalize its picks for White House cybersecurity czar and director of DHS's Cybersecurity and Infrastructure Security Agency.

“There is a real cohort of experienced cyber security professionals that are getting tapped for these roles,” said Cooper. “I have great confidence that they'll be able to pick up and move the administration forward.”

Programming note: Please welcome our new researcher Aaron Schaffer. You can reach him at aaron.schaffer@washpost.com or follow him on Twitter @aaronjschaffer.

The keys

Sulmeyer brings a defensive mindset to a Biden cyber team filled with offensive operations experience.

Military leaders should treat defense of networks “as an essential requirement, not an afterthought to be dealt with only after something goes wrong,” NSA Director Paul Nakasone and Sulmeyer argued in Foreign Affairs in August.

Sulmeyer is the second Nakasone aide selected for a top Biden White House job, along with NSA cyber chief Anne Neuberger, who was picked for the new role of deputy national security adviser for cyber and emerging technology.

Sulmeyer drew praise from a wide array of cybersecurity experts.

Facebook security policy head Nathaniel Gleicher:

John Hultquist, VP at Mandiant Threat Intelligence at FireEye:

Chris Painter, a top cyber official in the Obama administration:

Nick Sinai, the Obama administration’s deputy chief technology officer:

The Biden administration also announced that Third Way Senior Vice President Mieke Eoyang will join as the Pentagon’s deputy assistant secretary of defense for cyber policy, according to Defense One.

Trump signed a last-minute executive order to keep foreign hackers out of U.S. cloud products.

Biden’s Commerce Department will, as part of the order, propose regulations for record-keeping and identity verification of the firms’ foreign account holders. Under the order, the Biden administration could also ban “foreign malicious cyber actors” from accessing the software.

Abuse of cloud computing companies “has played a role in every cyber incident during the last four years, including the actions resulting in the penetrations of United States firms FireEye and SolarWinds,” outgoing national security adviser Robert O’Brien said in a statement.

FireEye released a new tool so companies can scan for attacks like the one used in SolarWinds.

A new investigative tool, released by the company yesterday, will flag activity that may be a sign of methods used by attackers in the SolarWinds hack. Organizations can then use techniques outlined in the white paper released by FireEye yesterday to make sure they can remove the hackers for good.

It's not just the SolarWinds hackers that are exploiting cloud-based services, FireEye warns.

“We've also seen other attackers use this to maintain access in the cloud,” Matt McWhirt, a lead on the FireEye team that developed the tool, told me. “If an attacker wants to get access to timely and relevant information and communications, they're going to go after [cloud-based services.]”

Cybersecurity company Malwarebytes comes forward as a victim of the SolarWinds hackers.

The company is not a SolarWinds user, but it says the same hackers were involved, Raphael Satter at Reuters reports. The findings point to a much larger campaign by the likely Russian group than just the one against SolarWinds. The hackers accessed limited internal company emails, but Malwarebytes has found no evidence hackers accessed client-facing tools.

Chat room

The New York Times's Sheryl Gay Stolberg dug into the question of whether Joe Biden's favorite high-tech spin bike could pose a cybersecurity threat. The answer? Maybe.

She writes: “…cybersecurity experts say, if Mr. Biden wants his bike, he can surely have it, though it might bear little resemblance to the off-the-assembly-line version after the Secret Service and the National Security Agency are finished with it. (There have been news reports that Michelle Obama has a modified Peloton, but her spokeswoman would not confirm them.)”

That didn't stop online chatter:

The New York Times's Shira Ovide:

Privacy lawyer Whitney Merrill:

Here's a solution from journalist Andrew Feinberg:

Secure log off