A review by the Office of Inspector General (OIG) has found that the Cybersecurity and Infrastructure Security Agency (CISA) has improved its ability to detect and mitigate risks from major cyber attacks since the SolarWinds breach was discovered in 2020. The watchdog added, however, that work remains to safeguard Federal networks.
The SolarWinds Incident
In 2019, a threat actor, later identified as the Russian Foreign Intelligence Service, began a campaign of cyber attacks that breached the computing networks of SolarWinds, a Texas-based network management software company. The threat actor conducted a software supply chain attack, taking advantage of security vulnerabilities to plant malware (malicious code) in a software update that SolarWinds sent to its clients. When a client installed the infected update, the embedded malware gave the threat actor a foothold in, and a path into, the client's networks and systems. The attack was highly sophisticated and used new techniques and advanced tradecraft to remain undetected for more than a year.
Because the U.S. government widely uses SolarWinds software to monitor network activity on Federal systems, this incident allowed the threat actor to breach infected agency information systems. SolarWinds estimated that nearly 18,000 of its customers could have received a compromised software update. Of those, the threat actor targeted a subset of high-value customers to exploit, including DHS and multiple other Federal agencies, primarily for espionage. The operation was first detected and reported to CISA by a private sector cybersecurity firm.
CISA participated in a task force with other Federal agencies to coordinate a government-wide response to the SolarWinds breach. The task force worked from December 2020 through April 2021 to determine the impact and mitigate the effects of the cyberattack. After CISA completed its SolarWinds response, it prepared several after-action reports that identified lessons learned, capability gaps, and areas for improvement. CISA reported it needed a better communication process, more visibility into Federal agencies' networks, and increased authority to find cyber threats on Federal networks.
The Department of Homeland Security (DHS) spent $93 million in FY 2022 alone to mitigate effects of the SolarWinds breach, support recovery solutions, and reduce vulnerabilities.
OIG determined that the SolarWinds response revealed that CISA did not have adequate resources to effectively respond to threats. Specifically, OIG found that CISA did not have an alternative communication system to use when its main network was compromised, enough staff to achieve its mission, or the secure space required to effectively work with available intelligence. This occurred because CISA’s continuity, strategic workforce, and workspace allocation plans were either not complete or did not meet functional mission needs. As a result, CISA could not effectively coordinate its Federal response efforts or use intelligence information from partner agencies.
CISA is chronically understaffed. CISA officials told OIG that attracting personnel with the right experience and training who are willing to accept the pay scale (typically half of the industry standard), and able to obtain a security clearance, is difficult. Furthermore, hiring can take 6 to 12 months for government employees and contractors with the hard-to-find cyber-specific skillsets required. Exacerbating this, CISA does not have enough hiring managers and support staff, further prolonging the hiring process. CISA officials also told OIG that after employees do get hired, they work extra hours, burn out quickly, and often leave, which starts the hiring cycle over again.
Despite these hiring difficulties, OIG found that CISA does not have a multi-year strategic workforce plan to help ensure it hires staff with the right knowledge, skills, and abilities to achieve goals and address workforce needs.
OIG did, however, note improvements in other areas. In response to the May 2021 Executive Order on Improving the Nation's Cybersecurity, CISA is improving its ability to detect and mitigate cyber intrusions. OIG's review found that CISA completed most of the tasks required by the Executive Order, and that it improved its information sharing and coordination. OIG reported that the only task not completed at the time of its review was the development of a collaboration framework for cybersecurity and incident response activities for Federal cloud technology.
CISA’s after-action reports on the SolarWinds response identified gaps in the technologies and capabilities needed for cyber incident prevention, detection, and mitigation. Before the breach, CISA had begun to bolster its automated cyber threat detection and to develop its malware analysis and data analytics capabilities. However, OIG said CISA still needs to receive all the necessary cybersecurity data from other Federal agencies’ dashboards and complete its plans for development of malware and data analytics capabilities. Until these efforts are completed, OIG is concerned that CISA may not always be able to effectively detect and mitigate major cyberattacks or meet the U.S. government’s demand for cyber capabilities that protect Federal networks and systems.
OIG praised CISA for its efforts to strengthen cybersecurity collaboration and communication, noting in particular CISA's Joint Cyber Defense Collaborative, which was established in August 2021 to reinforce its relationships with private sector and interagency partners. The watchdog also acknowledged CISA's work to help agencies find vulnerabilities. In January 2022, CISA launched a vulnerability disclosure platform, which gives members of the public a way to report vulnerabilities and issues to DHS and other participating agencies.
CISA began developing Malware NextGen in May 2019 to help achieve its mission of providing operational and technical assistance to its partner agencies. Malware NextGen is a flexible cloud-based platform for analyzing malicious code received from agencies and partners. CISA analysts extract the code for manual analysis, allowing them to quickly prioritize, investigate, and resolve malware analysis requests. OIG found that the Malware NextGen capability is still under development, even though the program was authorized to operate in March 2022 and is the only viable malware analysis option for many of CISA’s mission partners. CISA is developing additional functionality for Malware NextGen, with updated technology to improve timely and effective identification of malicious activity and exploitation. According to CISA, when the next development phase is complete, Malware NextGen will automate analysts’ ability to reverse engineer malware to analyze code, identify potential adversaries’ behavior, and mitigate threats. It will also incorporate automated data and trend analysis tools. CISA has not yet determined when it expects to finish the program’s analysis functions.
OIG also reported that CISA is developing a data analytics capability for the National Cybersecurity Protection System (NCPS) but does not have a comprehensive plan for it. CISA started the planning process and received $25 million in the FY 2023 budget as "bridge funding" to allow continued investment in infrastructure and analytics capabilities until the FY 2024 budget is appropriated. CISA officials told OIG that the comprehensive plan will be completed before FY 2024. OIG is concerned that, until then, CISA is developing analytics capabilities using the legacy NCPS program without an approved program structure or a plan describing how the new project meets strategic priorities.
To help CISA address the remaining shortcomings, OIG made four recommendations:
- Update CISA’s Continuity of Operations Plan and develop and implement an information system contingency plan, to ensure availability of redundant systems, capabilities, and communication methods to use if primary systems or networks are compromised.
- Require that facility and operations staff conduct an assessment to determine whether secure facility space is appropriately sized and configured to meet operational needs, and document any changes necessary for staff to obtain and maintain appropriate access to intelligence information.
- Require an assessment to document the levels of staffing, resources, and intelligence access needed for operational divisions, cyber detection and mitigation capabilities, and support functions.
- Create and implement a long-term plan for the Cybersecurity Division that includes provisions for ownership, operations, and maintenance of the NCPS’s data analytics capabilities.
CISA concurred and aims to complete efforts to meet all four recommendations by the end of the calendar year.
OIG's findings follow a January 2022 report from the Government Accountability Office (GAO), which found that CISA and other agencies had taken steps to improve cybersecurity following lessons learned from the SolarWinds incident, such as coordinating with the private sector. While GAO's report was largely positive, it noted some shortcomings, particularly regarding information sharing.