More federal victims of SolarWinds hacking likely to come forward, CISA chief says

In an interview, Brandon Wales reflected on the “blind spots” in federal defenses exploited by the hackers.
Brandon Wales, DHS, CISA
Brandon Wales testifies Dec. 2, 2020, before a Senate Homeland Security and Governmental Affairs Subcommittee. (Benjamin Freed / Scoop News Group)

The number of federal agencies confirmed to have been breached in a suspected Russian espionage campaign will likely increase as the investigation continues, the head of the U.S Cybersecurity and Infrastructure Security Agency said.

“The number [of federal victims] is likely to grow with further investigation,” Brandon Wales, CISA’s acting director, said in an interview Friday. “That being said, we do believe that the number will remain extremely small because of the highly targeted nature of this campaign. And that is going to be true for both government and private-sector entities compromised.”

Wales is a career civil servant who found himself at the helm of the Department of Homeland Security’s cybersecurity agency in mid-November after President Donald Trump fired Chris Krebs. Wales has been quarterbacking CISA’s response to a sweeping breach of federal and corporate networks, in which suspected Russian hackers exploited the reach of software made by the contractor SolarWinds in a long-running spying operation.

As the investigation unfolds, Wales said, it is clear that his agency needs additional authorities and resources to prevent such a detrimental hack in the future. He called the hacking campaign “one of the most complex and challenging that this agency has ever faced in the cyber arena.”


The full scope of the hack has yet to be made public. Intelligence agencies and CISA said on Jan. 5 that “fewer than 10” federal agencies had been compromised in activity that was “likely Russian in origin.” The departments of CommerceEnergy and Justice are among the agencies that have publicly confirmed a breach.

CISA has been in the spotlight because it is responsible for helping civilian agencies secure their networks. The National Defense Authorization Act, which became law Jan. 1, gives CISA new authorities to more proactively hunt on other agencies’ networks for vulnerabilities or breaches. That’s not all that needs to change to prevent another SolarWinds-type hack, according to Wales.

Wales said he and his team have identified places “where we think that the fundamental structure” of data protection on civilian federal networks needs to “evolve.” For example, significant changes in how CISA draws on IT security services to defend networks could be necessary to avoid a SolarWinds redux — or at least mitigate such an incident’s impact, Wales said.

“Some of that has to do with our ability to gain a sufficient level of insight and visibility inside of agency networks and with agency cloud deployments,” he said. “Those are critical areas that were blind spots both for us and in some cases for the agencies themselves. It’s why we were not able to detect this earlier and it’s what’s going to have to change to stop it from happening [again].”

Working closely with Biden on SolarWinds


Responding to the suspected Russian hacking operation has been an intense undertaking, in terms of resources and personnel, at CISA. The agency has been helping other agencies clean up their breaches, working with technology firms like Microsoft to determine what other tricks the suspected Russian hackers deployed, and briefed lawmakers without knowing the full scope of the hacking campaign — all during a pandemic and volatile presidential transition.

Wales’ role in the response has been more than just CISA’s interim caretaker. The 15-year veteran of DHS has been providing insights to the incoming Biden administration about the scale of the SolarWinds hack, and says he plans to stay at the agency in the new administration, though CISA will likely get a new White House-nominated director.

“The most important thing that the new administration could do is take a careful look at what we are learning from this SolarWinds compromise and helping us work with both the White House, [the Office of Management and Budget] and Congress to ensure that CISA and others have the right resources and authorities to prevent this from happening again,” Wales said.

There is pressure on U.S. investigators from lawmakers, private companies and the public to be as forthcoming as possible with details on the SolarWinds espionage campaign and who was responsible. Sen. Mark Warner, D-Va., last week accused the White House of “water[ing] down” an interagency statement linking the hacking to Russia, which has denied involvement.

Wales declined to comment on Warner’s allegation, but pledged that the interagency group would “continue to speak to the American public about this incident.” Whether more detailed public attribution of the hack to Russia is coming is up to the intelligence community, he said.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts