Comer: This isn’t the first cyberattack of its kind, nor will it be the last.
Committee holds hearing on largest cyber breach in U.S. history
WASHINGTON – House Committee on Oversight and Reform Ranking Member James Comer (R-Ky.) opened today’s hearing on “Weathering the Storm: The Role of Private Tech in the SolarWinds Breach and Ongoing Campaign,” emphasizing the need to better understand the nature and scope of the 2020 cyberattack. The attack, a massive intelligence gathering operation likely conducted by Russia, successfully compromised multiple federal agencies and private companies.
In his opening statement, Ranking Member Comer highlighted the importance of assessing the extent of the damage caused by the breach and whether the hackers’ access to these vulnerable systems has been cut off. Going forward, he states the federal government must adopt effective solutions to counter foreign adversaries attempting to infiltrate our cyber networks. Doing so, he concludes, ensures Americans are protected against any future or even ongoing attacks.
Below are Ranking Member Comer’s remarks as prepared for delivery.
I want to thank the Chairwoman for having today’s hearing on this extremely important matter.
Last year, our federal government was hacked in the largest cyberattack in history. Some of the largest technology companies in the country were also hacked.
The cyberattack took months of planning. It took extreme patience to execute. According to all the experts, it was incredibly sophisticated. The attackers covered their steps so they would not be detected.
And, it was wildly successful.
According to one of our witnesses today, over 1,000 people were involved in the attack. And, the likely culprit of the attack? Russia.
Three months after the attack was discovered, there is a lot we still don’t know: How many government agencies and companies were hacked; What the extent of the damage is; Whether or not the Russians still have access to the systems they hacked, or whether we have been able to successfully kick them out.
You may not have heard about this attack because it hasn’t affected your daily lives. You still go home to a warm house every night. You can still flip on the television at night to watch TV. You can still FaceTime your friends and family.
But, that’s only because the attackers chose not to disrupt those activities.
As far as we know, this attack was an espionage campaign—an intelligence gathering operation only.
But, what the attackers have shown us is none of the software we use in our daily lives is truly safe. The apps we download on our phone, laptops, and tablets – any device can be sabotaged.
Last week, we all prayed for millions of people in Texas as the power grid failed and they froze in their homes. Now, imagine if an adversary had the ability to take our electric grid offline in the dead of winter or peak of summer.
Now, imagine if this took place during a national crisis.
Imagine if an adversary wanted to toy with our financial markets.
Imagine if an adversary had the ability to control supply chains and manipulate whatever they wanted.
It doesn’t take much to realize the horror that would ensue if an adversary were motivated to do any of these things.
The attackers did not take down our electric grid, poison our water supply, or cause chaos in our financial system, among other necessities or occurrences of daily life.
At least this time they didn’t, but that’s not to say they couldn’t have.
The truth is this attack is still ongoing, even today, and has not been completely neutralized.
This offers the potential for unforeseen additional damage.
The fact the attackers did not do things that received the attention of Americans going about their everyday lives says nothing of their capability to do so next time.
This isn’t the first cyberattack of this kind, nor will it be the last.
For far too long cyber security has been addressed as a mere cost of doing business — an add-on, a minor line-item to simply check the box.
This mindset must end.
No one—including Congress, the Administration, or the private sector—can afford to allow this moment to pass without ensuring we finally adopt effective solutions.
I appreciate this opportunity to review what happened in this massive cyberattack that one of our witnesses referred to as the largest ever, and to play a part in developing a game plan for deterring and responding to any future event.
I am convinced, though, that cyber security must not be left to the recesses of academic debate or half-hearted compliance, but instead, it must become a daily focus for all involved in software development, procurement, and operations.
Just contemplate for a moment this particular attack.
Companies which many expect to secure their systems with top-notch cyber security were the very ones who failed to identify the attack before damage had already occurred. Some of those organizations are here today.
The same goes for our government agencies who glaringly missed the adversary’s nearly year-long presence freely roaming about on their most sensitive networks.
I believe the time has come to take concrete action to actively defend our nation from foreign cyberattacks just as forcefully, and with the same resources, as we would if the instrument of attack was physical or kinetic.
We don’t sit back when our country is physically breached or our homes and places of business are invaded, and neither should our response be to roll over following an attack in cyberspace.
It is only a matter of time or chance until we are faced with real disruption and destruction.
We must do everything in our power to defend this digital sphere and forecast to our adversaries that we, at last, are no longer asleep at the wheel.