House and Senate cybersecurity leaders already are planning to examine the cause and effects of the SolarWinds hack, and touting new cyber tools supplied by the fiscal 2021 National Defense Authorization Act, while some cybersecurity professionals caution that these are preliminary steps on a long road toward effective risk management.
New Senate Homeland Security Chairman Rob Portman (R-OH) and ranking member Gary Peters (D-MI) have already said they will hold hearings and “work on bipartisan comprehensive cybersecurity legislation” in the aftermath of the SolarWinds breaches of federal and private-sector networks. House Homeland Security Democrats also announced a probe into the hack.
Rep. Mike Gallagher (R-WI), Solarium Commission co-chair, last week said: “The SolarWinds espionage campaign emphasized our vulnerabilities in cyberspace and underscored the pressing need for action. Congress must work to make sure this never happens again, and the FY2021 NDAA takes concrete steps to help achieve this goal.”
Gallagher said: “While we are still learning about the scale of this campaign, what we do know is that many of the Cyberspace Solarium Commission’s recommendations included in this bill would have helped the government better respond to the hack. With these provisions, CISA would have enhanced resources and improved threat hunting capabilities, allowing the government to more quickly identify intrusions. The Department of Defense would have a comprehensive plan to strengthen the cyber defense of our nuclear command and control system, preventing malign access to this critical network from even happening. And a National Cyber Director would be able to coordinate a public-private response to dealing with this espionage.”
Likewise, Rep. Jim Langevin (D-RI), a Solarium Commission member, last week said of the NDAA and SolarWinds: “In the wake of what could be one of the most consequential cyber intrusions in our nation’s history, this bill also contains several provisions I authored to better defend Americans and our systems against evolving cyber threats. Most notably, this bill will establish a National Cyber Director to ensure there is someone leading cyber policy and strategy development and coordinating incident response in the Executive Office of the President. Having someone in charge of cybersecurity at the highest levels of government is critical to help prevent an incident of significant consequence that could impact our economy and our way of life.”
New House Homeland Security ranking member John Katko (R-NY) told Inside Cybersecurity that he strongly backs the work of the Solarium Commission and cyber provisions in the NDAA, and promised energetic oversight of implementation efforts.
But some cybersecurity leaders and professionals are saying the provisions in the new law are important but not enough to drive the cultural and organizational shifts needed to confront the vulnerabilities exposed by the SolarWinds incident.
Larry Clinton, head of the Internet Security Alliance, recently praised key pieces of the NDAA in a blog post, but warned: “However, we are kidding ourselves if we think the new NDAA provisions … are anywhere near enough to provide ample defense against the sorts of sophisticated cyber-attacks that are becoming increasingly common against both industry and government. Positive though they are, the NDAA provisions are far too narrow. They are focused primarily on government and follow a traditionally limited vulnerability prevention model.”
A Congressional Research Service report on the SolarWinds attack said there would be “no easy fix.”
CRS concluded: “Given the nature of the SolarWinds attack, it is unlikely existing programs would have prevented this incident.”
The researchers said, “Cybersecurity is not a static goal. Instead, it is a risk management process, which involves continual work. The National Institute of Standards and Technology (NIST) Cybersecurity Framework categorizes this process cycle as: (1) identify; (2) protect; (3) detect; (4) respond; and (5) recover. Much of the recent cybersecurity policy work has been on the first three processes; the SolarWinds attack highlights the need for the last two.”
One private-sector cybersecurity pro with extensive experience working alongside federal agencies observed that the Solarium Commission’s recommendation on continuity-of-economy planning — included in the NDAA — should be useful, but “our whole approach to risk may be wrong.”
“Now it’s bottom-up and based on controls, but you have to work both top-down and bottom-up simultaneously,” the source said, with the top-down aspects defining an entity’s risk tolerance.
“Where was the breakdown?” the source asked of the SolarWinds hack, pointing to several institutional aspects of cyber defense. “Our tools look for lagging indicators, not leading indicators. Signatures don’t tell you if behavior is wrong” on a system.
Steps like pre-programming “honey pots” to fool adversaries, not backing up systems within the same system, and threat hunting can be valuable tools, the source said. “But it’s very straight-line, linear, and not ‘thinking out of the box.’”
“We’re at a crossroads and there are too many holes in our approach,” the source said. “I don’t see a cohesive plan to fix something like this. We have to look holistically at how we’re handling technology and society. We have to keep moving and thinking.”