The SolarWinds case should trigger a rethinking of federal cybersecurity

Federal chief information officers and chief information security officers didn't sleep much last week, and they may not for the foreseeable future.

CIOs and CISOs spent a long week figuring out the impact of the SolarWinds cyberattack on their networks, systems and data.

After the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on December 13, the race began to detect, mitigate and respond.

And when CISA followed up with a cyber alert, updated on December 17, authorities still did not fully understand the depth and breadth of the attack.

"The SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor leveraged," CISA wrote. "CISA is aware of compromises of U.S. government agencies, critical infrastructure entities and private sector organizations by an APT actor beginning at least as early as March 2020. This threat actor has demonstrated sophisticated and complex tradecraft in these intrusions. CISA expects that removing the threat actor from compromised environments will be highly complex and challenging. This adversary has demonstrated the ability to exploit the software supply chain and Windows networks. The attacker may have additional initial access vectors and tactics, techniques and procedures (TTPs) that have not yet been discovered. CISA will continue to update this alert and the corresponding indicators of compromise (IOCs) as new information becomes available."

It is the holiday season, and the SolarWinds breach has now been added to what many are calling the 2020 dumpster fire.

Promises to increase cyber security

Congress and President-elect Joe Biden have promised to make 2021 an even busier year for CIOs and CISOs, as details of the breach and the list of affected agencies come to light.

"I want to make clear that my administration will make cybersecurity a top priority at every level of government, and dealing with this breach will be a top priority from the moment I take office," Biden said in a statement on December 17, pledging to elevate cybersecurity as a government-wide imperative, further strengthen partnerships with the private sector, and expand investment in the infrastructure and people needed to defend against malicious cyberattacks. "But a good defense is not enough. We need to disrupt and deter our adversaries from undertaking serious cyberattacks in the first place. We will do that by, among other things, imposing substantial costs on those responsible for such malicious attacks, including in coordination with our allies and partners."

In addition, a growing number of House and Senate members are asking CISA, the FBI and other agencies to provide details on the extent of the attacks on federal networks and systems.

"The [CISA] directive is not optional and requires federal agencies to remove the affected software components from their networks in the near term. While this first safeguard has been taken, and SolarWinds has issued a security advisory as well, properly addressing this risk requires that Congress be informed of the magnitude, extent and details of the impact of this cyberattack campaign on the federal government," a bipartisan group of six senators from the Commerce, Science and Transportation Committee and the Appropriations Subcommittee on Commerce, Justice, Science, and Related Agencies wrote in a letter to the FBI and CISA.

The lawmakers asked for answers to six questions, and for briefings, as soon as possible.

Four Democratic leaders of the House Homeland Security and Oversight and Reform Committees wrote to the FBI, CISA and the Director of National Intelligence on December 17 seeking more information on the attack and its impact on agencies.

"To that end, we ask that you provide the committees with a damage assessment of this attack, including an interim analysis, as soon as possible," the letter said.

The next day, Senators Rob Portman (R-Ohio) and Gary Peters (D-Mich.), who will be chairman and ranking member of the Homeland Security and Governmental Affairs Committee in one order or the other depending on how the special elections in Georgia turn out, pledged to "hold hearings and work on comprehensive bipartisan cybersecurity legislation in the new year."

Rep. Adam Smith (D-Wash.), chairman of the Armed Services Committee, and Rep. Jim Langevin (D-R.I.), chairman of the Armed Services Subcommittee on Intelligence and Emerging Threats and Capabilities, followed with a statement promising to "bring cyber and technology-related issues to the forefront of national security."

“The current system is broken”

In short, CIOs, CISOs and other career executives will face a series of tough questions from Congress next year. The real question is whether lawmakers and the Biden administration will ask the right set of questions.

A senior federal cyber official, who requested anonymity because they were not authorized to speak to the press, said federal and congressional leaders need to focus on three areas: why the cybersecurity approach is still falling short; what CISA's priorities really should be; and, since cyber incidents will only increase, how agencies can make their networks and systems more resilient.

"The current way we do cybersecurity is broken, and other things are wrong. In many ways we were put on notice by the OPM hack, and what we see is getting worse based solely on the breadth and depth of the problem. To solve the problem, we first have to admit there is a problem," the official said. "DHS is trying to protect everything. We need to focus on what makes the most sense. They have a lot of authority. They certainly may not have enough resources or people. I could argue that no one does. The problem is knowing what to protect: the things that can cause real death or harm to our society, such as health and electrical infrastructure. [It] also means that once a hacker breaks into your system, you need to do a better job of making it harder for them. That makes it difficult for them to understand what is real and what is not. We have to be creative, and that's where you use deception and honeypots. If we were previously hesitant about going down that path, we can no longer afford that and must be more creative."

Two former federal officials, who requested anonymity because their current companies provide cybersecurity services to agencies, echoed the same thought: the question Congress should take up is not whose fault this is, but what can be done differently going forward.

Both former executives say agencies are in much better shape than in 2015, when the major hack of the Office of Personnel Management (OPM) came to light. But the SolarWinds breach is a different type of incident, and it requires a different debate, one that must be led by both Congress and the Biden administration.

"The fact that multi-factor authentication is as widespread as it is is one sign that agencies are more focused on cyber than they were in 2015," said one former executive. "But I want to be clear that it doesn't mean nation-state actors interested in finding and deploying zero-day attacks and custom-made malware can't get in the door. If they want to, they can get in the door of almost any defense, so the question is how agencies will tackle cyber defense going forward."

Insufficient understanding of Einstein

As an aside: the stories in major, respected outlets about the "failure" of the DHS Einstein program are both sad and misleading.

Having followed Einstein from the beginning, I can say it was never designed to stop custom-written code, malware embedded in a legitimate patch, or other unknown threats. Einstein is a perimeter intrusion detection and prevention system that relies on known signatures and indicators; a trojanized update signed by the vendor and delivered through a trusted channel does not match any indicator until someone has discovered the campaign and published one. It would not have been hard for the Washington Post or The New York Times to figure that out with a simple Google search. The reporting was inadequate, and at least some of their former-government sources should have known better and explained the goals of the initiative.

Einstein is by no means perfect, but in light of this attack the money spent implementing it was not wasted.

Now back to the problem at hand. Despite progress since the OPM hack, agencies continue to face major challenges in protecting their data and systems. The current federal cyber official disagreed with the premise that agencies are better off since OPM, though the source conceded there may be some areas, such as the requirement for multi-factor authentication and the use of continuous monitoring tools under the Continuous Diagnostics and Mitigation (CDM) program, where that is the case.

"DHS is consistently asking for more. They needed cybersecurity information sharing legislation. Then they needed a new name, and now they have administrative subpoena authority. But what's fascinating in all of this is that it was companies telling the government about the hack," the official said. "So where is DHS in terms of being better at detecting, mitigating and responding to this type of attack, or where is the government today?"

That is why experts say the cybersecurity programs of the future, whether a transition to zero trust or security operations as a service (SOCaaS), are not a panacea.

Resilience is the key

Still, as the former executives said, the goal is to lower agencies' risk posture and increase their resilience.

"The question is, after all this is done, will agencies still discuss risk management only from the agency's perspective, or will it be from the government-wide enterprise perspective?" said the second former official. "Moving to SOCaaS lets agencies manage risk faster and changes the dynamic to a government-wide perspective."

The former federal officials said Congress should focus its attention and budget efforts, and the Biden administration its budget requests, on devoting resources to solutions rather than on blaming any person or agency.

"The OPM breach let OMB shape agencies' actions by holding them publicly accountable and through the budget process. OMB moved money in 2015 and planned new investments in 2016," said a former executive. "The question today is whether we know where the dollars need to go to accelerate change. What capabilities could OMB and CISA have provided that would have helped protect agencies from the SolarWinds attack? I don't think anyone has identified that. Maybe there weren't any, but at least with SOCaaS and more threat hunting teams, identification, mitigation and remediation would be faster and easier."

The former executives said CISA and its Quality Services Management Office (QSMO) are well positioned to address these and other challenges. Generally speaking, agencies already rely on CISA to provide many of these cyber capabilities, which was itself another challenge CIOs and CISOs faced last week and may have affected their ability to respond and adapt.

The first former executive said the move to zero trust would make it possible to hunt for attacks and to improve and maintain resilience.

"For agencies to protect their environments more effectively, they need to upgrade their systems and put data at the center. They need to encrypt their data and keep considering what continuous monitoring means going forward," said the former executive. "What is the investment needed to get agencies there? Congress needs to understand that, and not just point fingers and assign blame."
