CISA still has work to do to fix agency weaknesses revealed by SolarWinds, watchdog says

The Cybersecurity and Infrastructure Security Agency still hasn’t fixed key planning and resource gaps that hindered its ability to respond to the SolarWinds hack, like having a plan for backup communication systems in the case of an attack on the main network, according to a new watchdog report. 

CISA, which is the government’s main cybersecurity agency, lacked such a plan during the fallout of the discovery of the SolarWinds breach in 2020, leaving it to “improvise” when its unclassified network for email and data was compromised.

“CISA coordinates federal agencies’ defense against cyberattacks, but the SolarWinds response revealed that CISA did not have adequate resources — backup communication systems, staff or secure space — to effectively respond to threats,” the report said. “CISA improved its ability to detect and mitigate risks from major cyberattacks, but work remains to safeguard federal networks.

The breach happened via malicious code in software updates for SolarWinds products, allowing perpetrators to gain intelligence within companies and government agencies. The U.S. government has since stated that Russian intelligence is likely behind the attack, although Russian officials have denied being involved.

During the attack, CISA didn’t have an alternative communication system in place to use when its usual network used for email and data communication, including incident response, was compromised, according to the report.

The end result was “the frequent loss or delayed delivery of critical information throughout its response, which led to significant confusion, inefficient operations and a reduction in leadership’s ability to manage the response effort.”

The report later noted, “Unless resource, staffing and planning issues are corrected, CISA will remain heavily dependent on old or unfinished systems, a scarce cybersecurity talent pool, and tools that do not provide necessary visibility into persistent cyber threats.”

CISA Director Jen Easterly said in comments included in the report that the agency is making a continuity of operations and supplemental plan addressing communication systems, both recommended by the watchdog, by the end of this year.

The inspector general also calls out a “need for significant improvements in CISA’s network visibility and threat identification technology.”

At the time of the breach’s discovery, CISA still did not have all the data it needed from agencies for its federal Continuous Diagnostics and Mitigation Dashboard, meant to consolidate information about vulnerabilities within agencies and across the government, according to the report. Since the breach, however, CISA officials have touted progress in adding more data to the dashboard.

The report also calls out the importance of the unfinished automated malware analysis capability, called Malware NextGen, still being built at the agency, and the need for more data analytics capabilities for CISA’s National Cybersecurity Protection System. Easterly wrote that the agency is working on formally establishing a Cyber Analytic and Data System with those data analytics capabilities.

CISA also continues to struggle with staffing.

The agency’s cybersecurity division was 38% understaffed as of August 2022, according to the report. Across the agency, 1,201 of 3,620 full-time CISA positions were unfilled at that point.

Among the problems are a tight market and lengthy hiring timelines in government, as well as a shortage of hiring managers within the agency and burnout and retention problems, according to the report.

The Department of Homeland Security debuted a new human resources system for cybersecurity workers in late 2021, but as of August 2022, the system had only yielded around 21 hires between the DHS Chief Information Office and CISA.

Easterly wrote that a final assessment on CISA’s workforce gaps is expected by the end of the calendar year.

The report also details a lack of classified spaces for employees working with sensitive information and resulting problems during SolarWinds response. 

The watchdog offered four recommendations, all of which the agency agreed with.

Easterly wrote in comments included in the report that the agency is “building on” a 2021 executive order on cybersecurity and SolarWinds response “through transformational cultural, organizational and technological changes to continue to make meaningful progress toward protecting federal networks and systems.”