CIOs and CISOs have spent a long week trying to get a handle on the impact on their networks, systems and data from the SolarWinds cyber attack.
After the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released an emergency directive on Dec. 13, the race was on to detect, mitigate and respond.
And when CISA followed up with an updated cyber alert on Dec. 17, the agencies had yet to begin to fully realize the depth and breadth of the attack.
“The SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor leveraged,” CISA wrote, “CISA is aware of compromises, which began at least as early as March 2020, at U.S. government agencies, critical infrastructure entities, and private sector organizations by an APT actor. This threat actor has demonstrated sophistication and complex tradecraft in these intrusions. CISA expects that removing the threat actor from compromised environments will be highly complex and challenging. This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks. It is likely that the adversary has additional initial access vectors and tactics, techniques, and procedures (TTPs) that have not yet been discovered. CISA will continue to update this Alert and the corresponding indicators of compromise (IOCs) as new information becomes available.”
So much for the holiday season as the SolarWinds cyber breach added to what many have called the dumpster fire that is 2020.
Promise to elevate cybersecurity
While the details of the cyber breach continue to emerge and the agencies impacted come to light, Congress and the incoming administration of President-elect Joe Biden are promising to make 2021 an even busier year for CIOs and CISOs.
“I want to be clear: My administration will make cybersecurity a top priority at every level of government — and we will make dealing with this breach a top priority from the moment we take office. We will elevate cybersecurity as an imperative across the government, further strengthen partnerships with the private sector, and expand our investment in the infrastructure and people we need to defend against malicious cyber attacks,” Biden said in a Dec. 17 statement. “But a good defense isn’t enough; we need to disrupt and deter our adversaries from undertaking significant cyber attacks in the first place. We will do that by, among other things, imposing substantial costs on those responsible for such malicious attacks, including in coordination with our allies and partners.”
Add to that a growing number of House and Senate legislators who are calling on CISA, the FBI and other agencies to provide details about the extent of the attack on federal networks and systems.
“The [CISA] directive is not optional and mandates federal agency networks to remove the affected software components for the foreseeable future. While this initial protective step was taken and SolarWinds similarly issued a security advisory, Congress needs to be informed of the size, scope, and details of the cyberattack campaign’s impact on the federal government to appropriately respond to this risk,” wrote a bi-partisan group of six Senators from the Committee on Commerce, Science, and Transportation and the Appropriations Subcommittee on Commerce, Justice, Science, and Related Agencies in a letter to the FBI and CISA.
The lawmakers asked for answers to six questions and a briefing as soon as possible.
Not to be outdone, four Democrat leaders of the House Homeland Security and Oversight and Reform committees wrote to the FBI, CISA and the Office of the Director of National Intelligence on Dec. 17 seeking more details on the attack and impact on agencies.
“To that end, we ask that you provide our committee members with any damage assessments of this attack, including interim analyses, as soon as practicable,” the letter stated.
A day later, Sens. Rob Portman (R-Ohio) and Gary Peters (D-Mich.), the expected chairman and ranking member of the Homeland Security and Governmental Affairs Committee depending on how the special election goes in Georgia, pledged to “plan to hold hearings and work on bipartisan comprehensive cybersecurity legislation in the new year.”
Reps. Adam Smith (D-Wash.), chairman of the Armed Services Committee, and Jim Langevin (D-R.I.), chairman of the Armed Services Subcommittee on Intelligence and Emerging Threats and Capabilities, also released a statement promising to “continue to push cyber-and technology-related issues to the forefront of national security.”
‘Current system is broken’
Basically, CIOs, CISOs and other career executives will face a series of tough questions from Congress over the next year. The question is whether lawmakers and the Biden administration will ask the right set of questions.
A senior federal cyber official, who requested anonymity because they didn’t get permission to talk to the press, said the focus from the federal and Congressional leadership has to be around three areas: Why the cybersecurity approach continues to be faulty? What should the priorities of CISA really be? And how can agencies build better resiliency into their networks and systems given cyber incidents will only increase?
“The current way we are doing cybersecurity is broken and for anyone to say otherwise is mistaken. In many ways we were put on notice by the OPM hack and this one is worse just based on the breadth and depth we are seeing. To solve a problem you first need to admit you have one,” the official said. “DHS is trying to protect everything. It needs to focus on the things that are most meaningful. They have plenty of authority. You can surely argue they may not have enough resources or people, but then again no one does. It’s a matter of knowing protecting those things that can cause real death and harm in our society like the health or electric infrastructure. [It] also means we need to do better job of making it harder once the hackers are in the system, which means we make it hard to understand what is real and what is not. We’ve got to be creative and that’s where you use deception and honey pots. If there was some concern about going down that road before, we can’t have it any longer and we have to be more creative.”
For two former federal senior IT officials, both of whom requested anonymity because their current companies provide cybersecurity services to agencies, echoed that same line of thought, saying the question Congress should be getting to isn’t who to blame, but what can be done differently going forward.
Both former executives say agencies are in much better shape than in 2015 when the massive hack of the Office of Personnel Management came to light. But the SolarWinds breach is a different type of incident and requires a different discussion that both Congress and the Biden administration must lead.
“The fact we have multi-factor authentication deployed as widely as we do is just one sign that agencies are significantly more focused on cyber than in 2015,” said one former executive. “But I want to be clear, that doesn’t mean nation state actors who are interested in looking for and deploying zero days and custom written malware can’t get in the door. If they want to, they can get in the door against almost any defenses. So the question is how do agencies approach cyber defenses going forward?”
Poor understanding of Einstein
This brings me to an aside — stories by major, well-respected news organizations about the “failures” of DHS’ Einstein program are both sad and misinformed.
As someone who has followed Einstein since its beginning, it wasn’t designed to stop custom written code, malware embedded in patches and other unknown threats. It wasn’t difficult for the Washington Post or The New York Times to figure that out with a simple Google search. It’s poor reporting and at least some of their former government sources should’ve known better and explained the goals of the intrusion detection and prevention initiative.
Einstein is not perfect by any means, but the money spent to implement is not wasted in light of this attack.
Let’s return to the issue at hand. Agencies continue to face major problems in securing their data and systems despite the progress since the OPM hack. The current federal cyber official disagreed with the premise that agencies are better off since OPM. The sources said there may be some areas like the requirement to have multi-factor authentication and the use of continuous monitoring tools under the Continuous Diagnostics and Mitigation (CDM) program.
“DHS consistently asks for more. They needed the Cybersecurity Information Sharing Act. Then they needed a new name, and now they are getting administrative subpoena authority. But what’s fascinating in all of this is it was the companies telling the government about the hack,” the official said. “So where is DHS or where is the government today in terms of being in better shape to detect, mitigate and respond to this type of attack?”
This is why experts say any future cybersecurity programs, whether the move to zero trust or security operations-as-a-service (SOCaaS), will not be panaceas.
Resiliency is the key
But as the former executives said, the goal is to lower the risk posture of agencies and make them more resilient.
“The question is after this is all over, are agencies going to be still talking about managing risk only from an agency perspective or will they talk about it from an enterprisewide government perspective?” said the second former official. “If we move to SOCaaS, it lets agencies more quickly manage risk from a governmentwide perspective and change the dynamic.”
The former federal executive said that’s where Congress should focus its attention and appropriations efforts and the Biden administration should focus its budget requests to put resources into a solution and not into blaming someone or some agency.
“With the OPM breach, OMB had the ability to shape agency’s actions by holding them accountable publicly and through the budget process. OMB could move funds in 2015 and plan for new investments in 2016,” the former executive said. “The question today is do we know where dollars need to go to accelerate change? I don’t think OMB or CISA have identified what capabilities would have helped protect agencies from the SolarWinds attack. There may not have been any. But at least with SOCaaS and more threat hunting teams, the identification, mitigation and remediation would be faster and less complex.”
The former executive said CISA and its Quality Services Management Office (QSMO) is best to address these and other challenges. Agencies, generally speaking, rely on CISA to provide many of these cyber capabilities already — which is another challenge that CIOs and CISOs faced over the last week that may have impacted their ability to react and adapt.
The first executive said the move to zero trust also would enable the hunting for attacks and the ability to remediate and maintain resiliency.
“In order for agencies to more effectively secure their environments, agencies need to harden their systems and data all the way to the center. They need to encrypt their data and continue to look at what continuous monitoring means going forward,” the former executive said. “What are the investments to get agencies there? Congress needs to understand that and can’t just decry the incidents and point fingers.”