- Senators questioned the ability of federal agencies to detect and prevent supply chain cyberthreats, during a congressional hearing on SolarWinds Thursday. An outdated cyberthreat program, gaps in intelligence sharing and an unfilled White House cyber coordinator are contributing to the concern.
- The private sector's ability to detect the SolarWinds intrusion first was an issue for Senator Ron Portman, R-OH. "FireEye is one of the firms folks call when they discover a breach; so here the very people we call when we get hacked got hacked itself," he said.
- The SolarWinds hack — and subsequent data breach — was a failure in Einstein, the government's "frontline defense program," said Portman. The Einstein system is supposed to provide the "baseline of security" across federal agencies for detecting and blocking cyberattacks from escalating, according to the Cybersecurity & Infrastructure Security Agency (CISA).
Though former Department of Homeland Security officials have called for the cyberthreat system to be more readily available across agencies, the Einstein program was deemed outdated by former federal CISO Greg Touhill. Einstein "clearly" was ineffective in preventing the SolarWinds incident, said Portman.
But Einstein is limited by its design. It's intended to detect intrusions based on network perimeters, said Brandon Wales, acting director of CISA. SolarWinds went undetected because there is no intrusion protection system anywhere.
"FireEye did not use an intrusion detection system to detect this threat and they could not. It just would not work that way," he said.
For comprehensive cyberthreat intelligence, security stakeholders require data from the private sector and foreign allies, beyond what the FBI alone can provide. Federal law enforcement has limited purview of adversarial activity on private networks.
While CISA shares a portion of security accountability, agency heads are responsible for securing systems as part of the Federal Information Security Management Act (FISMA). "And they have failed," said Portman. "We know FISMA is not working."
Wales expects the highly anticipated, and yet-to-be-filled national cyber director role to mitigate some of the tensions between security responsibilities.
One point of contention is the need to modernize federal response to major incidents. Federal agencies are planning to align budgets for "immediate response needed to the SolarWinds incident" with the $1 billion for the Technology Modernization Fund and $650 million for CISA, as part of the American Rescue Act, said Christopher DeRusha, federal CISO for the Office of Management and Budget, during the hearing.
In addition to direct SolarWinds response, agencies are using funds to harden defenses. "We fully acknowledge that security is expensive when done properly, but it is even more costly when it is neglected," DeRusha said.
But offensive cyber measures are cheaper than defensive. Russia President Vladimir Putin can hire 8,000 hackers "for the price of one jet fighter," said Senator Angus King, D-ME, and co-chair of Cyberspace Solarium Commission, on a press call Wednesday.