The acting director of the Cybersecurity and Infrastructure Security Agency today said his agency is looking various changes to protect federal networks in the wake of the massive breach discovered late last year.
The acting director of the Cybersecurity and Infrastructure Security Agency today acknowledged the weaknesses in a premiere cybersecurity program and previewed a range of
issues CISA is now examining in the wake of the massive breach into multiple federal networks.
"There are things that clearly need to be done to enhance our ability to stop attacks like this in the future. One that we are working on is better insights and visibility into the end points," Brandon Wales, acting CISA chief, said today at an event hosted by the Business Council for International Understanding.
Wales' comments come the day after Anne Neuberger, the deputy national security advisor for cyber and emerging technology, said the White House is planning "executive action" both to mitigate the damage done by the breach involving SolarWinds Orion as well as options for a response against those responsible.
"We're also working on close to about a dozen things," Neuberger said in a Wednesday press briefing in the White House. "Likely, eight will pass to be part of an upcoming executive action to address the gaps we have identified in our review of this incident."
Wales on Thursday when asked about Einstein, a core component of the government's National Cybersecurity Protection System, acknowledged the program could not stop the supply chain attack the government discovered in December 2020.
"Einstein is actually a collection of capabilities, but they're all focused on the perimeter of monitoring network traffic that's going from outside U.S. government networks to inside the networks," he said. "In the case of a supply chain attack, [the threat] kind of bypasses that. It immediately places itself inside of a network and no perimeter security measure is going to stop it," he continued.
Wales said CISA is exploring ways to monitor activities internally for "anomalous activities" such as a network management system communicating through an encrypted channel to an entity outside the network.
He also said work needs to be done on software assurance. While it would be unrealistic for the government to review every line of code for every piece of software it deploys, there are improvements that can be made through contractual language to ensure private vendors have appropriate levels of security in place.
"What made SolarWinds so devastating was that SolarWinds devices are normally configured to have broad administrative rights on a network. If a system is like that, if it has broad administrative rights then it requires further hardening inside of your network," he said.