Federal officials stress unprecedented levels of coordination as lawmakers continue probe of SolarWinds

March 18, 2021

Senators on the Homeland Security Committee took their turn probing the federal response to the SolarWinds hack at a hearing that featured CISA, OMB and FBI officials citing extensive interagency cooperation, while lawmakers pressed on the need for more high-level direction and for upgrading the government’s overall approach to cyber defense.

“After the SolarWinds hack likely perpetrated by the Russian government our agencies were asked to self-analyze and review the effects of the attack when many did not have the capability to do so. This haphazard approach made it extremely clear that our ability to respond did not match the severity of the crisis,” Chairman Gary Peters (D-MI) said in his opening statement.

“The process and procedures for responding to cyberattacks desperately needs to be modernized including improving the Federal Information Security Modernization Act which has not been updated since the creation of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency,” Peters said. “In order to adapt to the evolving cybersecurity threat both the public and private sector need a centralized, transparent, and streamlined process for sharing information.”

Ranking member Rob Portman (R-OH) raised concerns about a lack of overall accountability within the executive branch for cyber efforts as well as possible duplication of efforts, which he said must be addressed in any FISMA update. He questioned how a new National Cyber Director would fit into the equation. Portman also drilled down on shortcomings in the “Einstein” detection system.

Sen. Tom Carper (D-DE), a former Homeland Security Chairman, cautioned that Congress needs to do some self-examination as well, pointing to the dozens of committees that claim jurisdiction over the Department of Homeland Security and cyber issues in particular.

House Energy and Commerce leaders this week posed questions to multiple departments on responses to the breach. The House Homeland Security and Oversight committees held a joint hearing on SolarWinds on Feb. 26. House Homeland leaders of both parties have argued repeatedly that oversight authority of DHS must be streamlined.

CISA Acting Director Brandon Wales said in response to a question from Portman: “What I will say is that the ability for the government to work together on cybersecurity incidents, I would argue, has never been stronger, in part based upon a lot of work from our career officials at the FBI, CISA, DNI and NSA, we are working more collaboratively.”

Wales said, “There is more joint engagement with the private sector, with our federal agency partners, to ensure that there is not duplication of effort, that we’re all bringing our unique expertise, skills and abilities when we have cybersecurity incidents or we need to help agencies prepare ahead of time. And I think we would hope that any new addition to that is additive and is strengthening that collaboration that currently exists and making it stronger.”

Federal CISO Christopher DeRusha in his opening statement highlighted collaborative efforts, saying, “Immediately after agencies detected the SolarWinds incident, OMB began coordinating with the Cyber Unified Coordination Group, or UCG, which is leading the overall response to this incident. OMB continues to work with the UCG and agency executives to collect data on the impact of the event and identify capability and resourcing gaps for responsive recovery efforts at the agencies. My office is leveraging its partnerships with CIOs and CISOs across federal government, leading regular council meetings where I identify common challenges, sharing best practices and coordinate a consistent approach to federal cybersecurity.”

DeRusha told Portman, “I believe that again as I said everyone has a key role to play here in their authorities and we work quite well together. I don’t believe that it is an issue because we have these type processes where we are coordinating and streamlining all of our response efforts.”

Overall, DeRusha cited “decades of underinvestment in federal IT,” and said “this administration is committed to investing in infrastructure, systems and people needed to build back better. We greatly appreciate the support from members of this committee on the American Rescue Plan, which has laid the foundation for renewed investment in our cybersecurity. With the additional $650 million in funding for CISA, the federal government is going to be able to provide enhanced monitoring of our networks and faster response times when incidents do occur.”

Further, he said, “The additional $1 billion provided to the Technology Modernization Fund will expand our opportunities to resolve cybersecurity challenges posed by aging federal IT systems.”

And, DeRusha said, “Finally, I’d like to highlight OMB’s role in leading agencies to transition to what we’re calling Zero Trust paradigm. Zero Trust moves us away from the historic approach of protecting IT networks at the perimeter and instead assumes that a network may be compromised at any given time. In this new model, real-time authentication tests users, blocks suspicious activity and prevents adversaries from the kind of privilege escalation that was demonstrated in the SolarWinds incident. Many of the tools we need to implement this model already exist within industry and agency environments, but successful implementation will require a shift in mindset and focus at all levels within federal agencies.”

The FBI’s Tonya Ugoretz, acting assistant director of the cyber division, stressed voluntary collaboration with industry and the victims of hacks. “The SolarWinds incident and the current incident involving the Microsoft Exchange Server vulnerability underscore the essential value of using law enforcement authorities, voluntary sharing by third parties, and victim cooperation,” she said.

“As a government, we would not know the identities of most of the affected entities without using all of these tools, including legal process and the information we learned from our incident response engagements,” Ugoretz said. “Our pre-established relationships with the public and private sectors throughout the country are critical to identifying the threat, understanding its scope, and investigating its origin in order to protect others. And this sharing and collaboration across agencies does not just happen at the moment of an incident but requires trust-based relationships built over time.”

Wales, who said it’s time to “rethink” the approach to cyber – echoing a refrain from a public policy campaign spearheaded by the Internet Security Alliance’s Larry Clinton – cited various immediate steps that he said are already underway.

He said “one of the main areas that we plan on focusing including with the resources provided through the American Rescue Act are looking inside of networks moving from the perimeter, from the network inside of networks to the endpoint to the critical servers and workstations deployed throughout the federal government to ensure that we have the right level of insight.”

Wales said, “Now again it needs to be a right balance. Those perimeter security sensors are still valuable, we use them to both protect as well as to forensically look back and see where activity may have been and so we can conduct investigations. But … that balance was too far out of whack in the past. It is too focused on the network and not enough inside of networks at the host.”

Legislation on industrial control systems

Also today, the House Homeland Security Committee approved H.R. 1833 by ranking member John Katko (R-NY), a bill designed “to provide for the responsibility of the Cybersecurity and Infrastructure Security Agency to maintain capabilities to identify threats to industrial control systems, and for other purposes.”

Under the bill, CISA is directed to:

  • (1) lead Federal Government efforts to identify and mitigate cybersecurity threats to industrial control systems, including supervisory control and data acquisition systems.
  • (2) maintain threat hunting and incident response capabilities to respond to industrial control system cybersecurity risks and incidents.
  • (3) provide cybersecurity technical assistance to industry end-users, product manufacturers, other Federal agencies, and other industrial control system stakeholders to identify, evaluate, assess, and mitigate vulnerabilities.
  • (4) collect, coordinate, and provide vulnerability information to the industrial control systems community by, as appropriate, working closely with security researchers, industry end-users, product manufacturers, other Federal agencies, and other industrial control systems stakeholders.
  • (5) conduct such other efforts and assistance as the Secretary determines appropriate.

Homeland Security Secretary Alejandro Mayorkas in testimony this week before the House Homeland Security Committee noted CISA’s growing focus on “systemically important critical infrastructure,” while CISA has prioritized collaboration with industry on ICS security under an initiative pushed by former Director Christopher Krebs.

Inside Cybersecurity, March 18, 2021