The SolarWinds supply chain compromise and the recently announced exploitation of vulnerabilities in Microsoft Exchange have lent even more urgency to the Department of Homeland Security’s “urgent improvements across four areas of strategic growth,” Cybersecurity and Infrastructure Security Agency Acting Director Brandon Wales said.
Wales told the Senate Homeland Security and Governmental Affairs Committee last week that “while these lines of effort are in response to this intrusion, they form the framework around which we think about our response to any cyber incident.”
“First, we must increase CISA’s visibility into cybersecurity risks across the federal civilian executive branch and, where feasible, across nonfederal entities,” he said. “Second, we must expand CISA’s incident response capacity. Third, we must improve our ability to analyze large volumes of cybersecurity information in order to rapidly identify emerging risks and direct timely mitigation. And fourth, we must drive adoption of defensible network architectures, including by progressing toward zero trust environments.”
Wales called cybersecurity investments in the American Rescue Act, including an extra $650 million for CISA, “an important down payment on the cybersecurity capabilities,” but “we are not stopping there.”
“We are still responding aggressively to this campaign,” he said, touting the rollout of a new website that “consolidates information and resources on best practices for remediating compromised systems and preparing federal departments and agencies for long-term actions to build more secure resilient networks” and last week’s provision to compromised federal agencies “detailed guidance on evicting the adversary from networks.”
“We also released the CISA Hunt and Incident Response Program, or CHIRP, a multifunction forensic scanning tool to assist network defenders with detecting threat actor activity on vulnerable SolarWinds devices.”
Wales said the SolarWinds and Microsoft Exchange incidents “highlight the lengths to which sophisticated adversaries will go to compromise our networks.”
“They will use never-seen-before tradecraft, exquisite techniques and zero-day vulnerabilities to defeat our current cybersecurity architecture. Knowing that, we must raise our game,” he said. “We need modern cybersecurity governance and capabilities. We need cybersecurity tools and services that provide us a better chance of detecting the most sophisticated attacks. And we need to rethink our approach to managing cyber security not only across the federal civilian executive branch agencies, but also across our most critical infrastructure.”
FBI Cyber Readiness, Outreach, and Intelligence Branch Deputy Assistant Director Tonya Ugoretz said the incidents “underscore the essential value of using law enforcement authorities, voluntary sharing by third parties, and victim cooperation.”
“Our pre-established relationships with the public and private sectors throughout the country are critical to identifying the threat, understanding its scope, and investigating its origin in order to protect others. And this sharing and collaboration across agencies does not just happen at the moment of an incident but requires trust-based relationships built over time,” Ugoretz said.
“By leaning into those partnerships, all of us together who are combating malicious cyber activity become stronger when we weaken the perpetrators together,” she added. “In that vein, I want to say that I truly appreciate the proactive cooperation of the private sector in this incident, and all the victims who have come forward… these incidents drive home what we already know, that only a whole-of-society approach will be effective against these threats.”
Chris DeRusha, the federal chief information security officer at the Office of Management and Budget, told senators that “we’re at a crossroads for our nation’s cybersecurity.”
“At OMB, we’re also working to ensure that agency budgets are aligned to immediate response needs to the SolarWinds incident, while identifying opportunities to harden IT against future attacks. We fully acknowledge that security is expensive when done properly, but it is even more costly when it is neglected,” he said. “In addition to funding, we must also invest in our IT workforce. Today, federal agencies struggle to attract competitive talent, keep pace with private sector pay and hire quickly enough to replace departing employees. This administration will rely on programs that work, such as the Scholarship for Service CyberCorps, which brings promising talent into government at the start of their careers. We’ll also continue to grow the U.S. Digital Service and Technology Transformation Service at GSA.”
DeRusha stressed that “to maintain our defense in the long run, we must direct resources where they are most needed across government.”
“The cybersecurity funding in the American Rescue Plan is extremely important, but it is just a down payment,” he said. “We have decades of technical debt to pay off, and the pace of modernization must accelerate.”