In the wake of the SolarWinds campaign, the agency in charge of federal agency cyber defense acknowledges some gaps in both its data collection and network monitoring capabilities.
The federal government's top cybersecurity watchdog still lacks visibility into agency network defenses.
Brandon Wales, the acting director of the Cybersecurity and Infrastructure Security Agency, couldn't share data with Sen. Ron Wyden (D-Ore.) about how many federal civilian agencies are segmenting and segregating internal networks in a June 3 response to an earlier letter about the SolarWinds campaign.
Wyden contacted the agency in February 2021 with a list of questions about CISA's capacity to detect zero-day exploits and related anomalous network activity using its $6 billion EINSTEIN sensor system, including why CISA was unable to detect network traffic between agencies that had downloaded a corrupted SolarWinds update package and a remote server that was established by the perpetrators of the SolarWinds exploit to manage the campaign and send additional malware payloads to compromised systems.
Wales agreed with findings presented by Wyden that firewalls configured to block outgoing traffic would have halted the progress of the SolarWinds campaign, but said that such a configuration "is not applicable to all types of intrusions and may not be feasible given operational requirements for some agencies." He also noted that the three-pronged EINSTEIN capability is just one piece of the National Cybersecurity Protection System. One big lesson of the SolarWinds campaign, Wales wrote, is that, "EINSTEIN must be supplemented with capabilities that enable us to look inside the network to better detect in-network intrusions."
More broadly, Wales told the lawmaker that while CISA offers agencies guidance on network segmentation strategies and the adoption of zero trust, it does not "presently have data regarding the percentage of agencies that have segmented and segregated their internal networks."
This information is apparently not sought in reports required under Federal Information Security Modernization Act, although FISMA does require some detail on how high-value asset systems are managed and protected on agency networks.
"CISA has long recommended that agencies segment and segregate their internal networks, which makes it more difficult for intruders to move around and gain access to an organization’s most sensitive information. But CISA is not requiring this cyber defense best practice, or even collecting data from agencies which would reveal how many have followed CISA’s voluntary guidance," Keith Chu, a spokesman for Wyden said in an email to FCW. "CISA already has the authority to require agencies to adopt cybersecurity best practices. It should use it."
Wales wrote that "CISA is continuously evaluating opportunities to use binding operational directives or other authorities to drive appropriate security measures, including to adopt risk-based configuration practices." He added later in the letter that, "we need to rethink our approach to managing cybersecurity across 101 federal civilian executive branch agencies."
Additionally, Wales acknowledged that EINSTEIN's focus on the network perimeter is insufficient given the increase in encrypted network traffic and the proliferation of network endpoints. CISA is planning to use a $650 million spending boost included in the American Rescue Plan Act to "rapidly accelerate the transition from a perimeter defense construct to a construct whereby agencies and CISA will be better situated to identify threat activity within federal networks in near-real-time."