5 Questions National Policymakers Should Be Asking
This week, the IT firm SolarWinds announced that it had likely suffered “a highly sophisticated, targeted and manual supply chain attack by an outside nation state,” which put the information systems of up to 18,000 of its customers, including federal agencies, at risk. The Cybersecurity and Infrastructure Security Agency at DHS issued an emergency directive ordering federal civilian agencies to disconnect or power down the affected SolarWinds Orion products immediately and scan their networks for signs of compromise.
So far, three federal departments (Commerce, DHS, and Agriculture) have admitted that they were compromised by the breach, which according to press reports is tied to Russian hackers. Experts worry that the breach will extend much further across the federal government, potentially rivaling the 2015 Office of Personnel Management breach as the costliest in history.
As the 116th Congress comes to a close, lawmakers are poised to enact significant changes to federal law in response to the recommendations of the Cyberspace Solarium Commission (including reestablishing a national cybersecurity director in the White House), demonstrating a renewed interest in legislative reform. With President-elect Biden and a new Congress soon to arrive in Washington, continuing to reexamine national cybersecurity policy should be atop the agenda.
On Thursday at 2pm ET, Lincoln Network will host national cybersecurity thought-leaders for a virtual panel discussion to consider the future of cybersecurity. We are honored to be hosting Maggie Brunner (National Governors Association), Matthew Eggers (U.S. Chamber of Commerce), Kathleen Rice Mosier (Notre Dame University and former SSIC Counsel), and Mark Montgomery (Cyberspace Solarium Commission and Foundation for Defense of Democracies).
As the moderator, I have the privilege of asking these experts to share their thoughts about the future of national cybersecurity. Here are five questions on my mind.
- What can we learn from federal cybersecurity information sharing after 5 years?
In 2015, President Obama signed into law the Cybersecurity Information Sharing Act, which required DHS to establish a voluntary cybersecurity information sharing program to allow companies to share information among themselves and with the federal government. The act provided liability protections for this kind of sharing and required that DHS protect privacy and civil liberties. DHS was required to establish an “Automated Indicator Sharing” program for timely reporting and warnings about cybersecurity threats.
This bill was the result of years of Congressional debate about the role of the federal government in overseeing and supporting private sector cybersecurity. Rather than establishing a broad regulatory framework, as was advanced by the Obama administration in 2012, the cybersecurity information sharing model reflected a compromise between government and industry that focused on voluntary partnerships and best practices developed by NIST.
Since 2015, the directorate within DHS responsible for managing this program has been renamed and rebranded as the Cybersecurity and Infrastructure Security Agency (CISA), which has entered the national spotlight recently with its work on election security and the recent dismissal of Director Chris Krebs.
After five years, it’s not clear that cybersecurity information sharing has achieved the goals that Congress envisioned. The most recent watchdog review found that CISA had made “limited progress” improving both the quality of the information that it shares and participation in the program (which included 200 nonfederal partners as of 2018). The Inspector General cited CISA’s insufficient staffing and the limited flow of information from partners back to the government as key challenges. “Until CISA improves the quality of its information sharing, AIS participants remain restricted in their ability to safeguard their systems and the data they process from attack, loss, or compromise,” the IG warned. In response, CISA promised a new national strategy for the program by September 2021.
The Solarium Commission recommended several changes to strengthen cybersecurity information sharing, including requiring participation by members of the defense industrial base and transitioning from information sharing to “truly shared situational awareness.” Legislative language based on the Commission’s recommendations was included in the House Intelligence Authorization bill (see Sections 605 and 606), including establishing a process for the intelligence community to solicit feedback about the information needs of federal partners and requiring a federal review of the intelligence community’s information sharing posture. While these provisions are not expected to become law in 2020, they should be atop Congress’s agenda next year.
- How can the federal government, the private sector, and state and local partners better manage supply chain risks?
Another focus area of recent federal policy and Congressional action has been supply chain risk management. In 2018, Congress passed legislation to establish the Federal Acquisition Security Council (FASC), which was meant to set policy and share warnings about supply chain threats. The recent SolarWinds hack highlights how adversaries can compromise IT contractors and service providers, and the software they deliver, to gain entry into federal agencies.
GAO released a timely report this week examining federal agencies’ current posture for managing supply chain risks. The auditors found that few federal civilian agencies had implemented the recommended foundational practices. “Until agencies implement all of the foundational ICT SCRM practices, they will be limited in their ability to address supply chain risks across their organizations effectively,” the Congressional watchdogs warned. While these practices alone likely would not have allowed federal agencies to stop the SolarWinds breach, GAO’s findings suggest that federal agencies remain vulnerable to similar attacks that exploit supply chain weaknesses.
Beyond the federal government, apparent weaknesses also exist in state and local government supply chain risk management. In a new report released this week, I highlight how state and local governments have purchased commercial off-the-shelf technologies with known vulnerabilities that federal agencies have banned. Since state and local governments face a challenging threat environment with limited resources, federal agencies should prioritize information sharing about threats in COTS technologies and restrict the use of federal grant funding to prohibit their purchase.
- How can the federal government better secure its own networks, given the latest evidence that the Einstein intrusion detection system is not up to the task?
The latest federal data breach revealed longstanding challenges in the federal government’s approach to securing its networks, including its reliance on an intrusion detection system that experts had warned was outdated. The Washington Post covered this aspect of the ongoing investigation of the SolarWinds breach last night:
“The hackers also shrewdly used novel bits of malicious code that apparently evaded the U.S. government’s multibillion-dollar detection system, Einstein, which focuses on finding new uses of known malware and also detecting connections to parts of the Internet used in previous hacks. But Einstein, operated by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), was not equipped to find novel malware or Internet connections....”
As a former Senate HSGAC staffer, I recall that DHS strongly advocated for authorizing and requiring federal agencies to implement Einstein, despite serious questions about its utility. In a January 2015 staff report for former Senator Tom Coburn, my colleagues and I warned that the DHS intrusion detection system “can only detect known fingerprints—malware that changes its signatures can be effectively impossible to detect by signature-based intrusion detection like NCPS.”
When the Obama administration succeeded in convincing Congress to authorize Einstein in December of that year (disclosure: legislation that my colleague and I worked on), Congress included language requiring that DHS:
“shall regularly assess through operational test and evaluation in real world or simulated environments available advanced protective technologies to improve detection and prevention capabilities, including commercial and noncommercial technologies and detection technologies beyond signature-based detection, and acquire, test, and deploy such technologies when appropriate.”
That DHS needed to update its intrusion detection and prevention system was well known at the time. A month after Congress passed the law, GAO issued a report warning that Einstein offered “a limited ability to detect potentially malicious activity entering and exiting computer networks at federal agencies.” But a 2018 follow-up GAO report found that DHS had not made progress updating the system as Congress required. GAO reported that DHS planned to deploy new technology with “detection capabilities that are intended to assess agency network activity and identify any anomalies that may indicate a cybersecurity compromise” by the end of 2022, nearly seven years after Congress enacted the law.
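The distinction the 2015 staff report draws, between matching known fingerprints and spotting behaviour that no fingerprint describes, can be made concrete. The Python below is an added illustration for this post; it is not code from the original article and not a model of how Einstein or NCPS actually works. Every flow, payload, host name and address in it is constructed (the addresses come from the RFC 5737 documentation ranges), and the beaconing heuristic is one simple example of “detection technologies beyond signature-based detection,” not a description of any deployed product.

```python
"""Why signature-only detection misses 'novel' implants, on constructed data.

Added illustration for this post; not the original article's code and not a
model of Einstein/NCPS internals. Every flow, payload and address below is
constructed (RFC 5737 documentation ranges).
"""
import hashlib
from collections import defaultdict
from statistics import mean, pstdev

# Constructed implant payload and a variant with one byte changed. Same
# behaviour, different hash, so a fingerprint built from the original misses it.
KNOWN_PAYLOAD = b"\x4d\x5a\x90\x00BEACON-v1\x00cfg=\x01\x02\x03"
VARIANT_PAYLOAD = KNOWN_PAYLOAD[:-1] + b"\x04"

# "Known fingerprints" and "parts of the Internet used in previous hacks".
KNOWN_BAD_HASHES = {hashlib.sha256(KNOWN_PAYLOAD).hexdigest()}
KNOWN_BAD_DESTS = {"198.51.100.7"}

# Destinations an agency's baseline period has already seen (constructed).
BASELINE_DESTS = {"203.0.113.10", "203.0.113.11"}


def make_flows():
    """Constructed (timestamp_s, src_host, dst_ip, payload) records."""
    flows = []
    # Normal browsing: irregular intervals, baseline destination.
    for t in (0, 13, 41, 52, 97, 130):
        flows.append((t, "ws-01", "203.0.113.10", b"GET /index.html"))
    # Known implant: matching hash, known-bad destination.
    for t in (100, 160, 220, 280):
        flows.append((t, "ws-02", "198.51.100.7", KNOWN_PAYLOAD))
    # Novel variant: fresh hash, fresh infrastructure, still beacons every 60 s.
    for t in (105, 165, 225, 285, 345):
        flows.append((t, "ws-03", "192.0.2.44", VARIANT_PAYLOAD))
    # Benign but regular: an update poller to a destination outside the baseline.
    for t in (30, 90, 150, 210):
        flows.append((t, "ws-04", "192.0.2.80", b"GET /updates/check"))
    return flows


def signature_detect(flows):
    """Signature-style check: known payload hash or known-bad destination."""
    hits = set()
    for _t, src, dst, payload in flows:
        digest = hashlib.sha256(payload).hexdigest()
        if digest in KNOWN_BAD_HASHES or dst in KNOWN_BAD_DESTS:
            hits.add(src)
    return hits


def beacon_anomaly_detect(flows, baseline_dests, min_conns=4, max_jitter=0.1):
    """Behavioural check: flag hosts that contact a destination outside the
    baseline at near-constant intervals (beaconing), regardless of payload."""
    times_by_pair = defaultdict(list)
    for t, src, dst, _payload in flows:
        if dst not in baseline_dests:
            times_by_pair[(src, dst)].append(t)
    flagged = set()
    for (src, _dst), times in times_by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Relative jitter: standard deviation of the gaps over their mean.
        if pstdev(gaps) <= max_jitter * mean(gaps):
            flagged.add(src)
    return flagged


if __name__ == "__main__":
    flows = make_flows()
    print("signature hits:", sorted(signature_detect(flows)))
    print("beaconing hits:", sorted(beacon_anomaly_detect(flows, BASELINE_DESTS)))
```

Run as written, the signature check catches only `ws-02`, the host whose payload hash and destination were already on a list; one changed byte and a fresh server are enough for `ws-03` to walk past it. The beaconing check catches both implants because it keys on timing rather than content, but it also flags the benign update poller on `ws-04`. That false positive is the trade-off that the statutory requirement for “operational test and evaluation in real world or simulated environments” is meant to measure before a detection technology is deployed across agencies.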
- Are additional organizational reforms needed to the federal government’s approach to cybersecurity?
Many of the federal government’s ongoing cybersecurity challenges, including the limited success of information sharing and inability to defend federal networks, involve the Department of Homeland Security and its newly rebranded agency CISA. While CISA and former Director Krebs have earned praise for elevating the rebranded agency and focusing on enhancing cyber defenses for election systems, DHS’s role in the federal government’s ongoing cybersecurity problems cannot be overlooked.
It is time for Congress to consider whether the small agency is being asked to do too much. While the Intelligence Community has publicly warned that nation-state adversaries use cyber means to challenge our economy and national security, CISA has only a $1.5 billion budget and 2,700 positions. (To put that budget in context, the federal government spends $10 billion on the Head Start preschool program and reportedly lost $75 billion to improper payments last year.)
While former Director Krebs often described the organization’s mission as leading national risk management efforts, CISA’s legislative and operational responsibilities include both cybersecurity and infrastructure protection. The latter mission spans a wide range of duties, from managing a workforce of chemical facility security inspectors to leading national efforts to support school safety. Given the threat, it would make sense for Congress to further streamline CISA and even move it out of DHS to create an independent agency.
The Solarium Commission focused its organizational reform recommendations on the reestablishment of the national cybersecurity director within the White House. But the Commission and Congress should consider broader organizational reforms moving forward.
- Is the U.S. government spending enough on cybersecurity?
The imbalance between CISA’s budget and its broad responsibilities for cybersecurity and national infrastructure protection highlights a broader gap between the scope of the cybersecurity challenge and federal spending to address it.
The White House’s annual budget request now includes a chapter on cybersecurity funding. For FY2021, the administration requested $18.8 billion in reportable cybersecurity funding (level with the FY2020 budget), while explaining that some parts of the federal government’s cybersecurity budget are not included in this estimate due to sensitivities. OMB reports that just $8.5 billion of that was focused on the five functions of the NIST Cybersecurity Framework (identify, protect, detect, respond, and recover).
In 2018, the White House Council of Economic Advisers estimated that “malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016.” Given the scope of the cybersecurity threat to the United States, additional federal spending is justified, and Congress has opportunities to pay for it by improving efficiencies in, and reprioritizing spending on, other security-related programs. For example, GAO’s oversight of the Department of Defense alone has yielded an estimated $275 billion in savings since 1999.
Please join us tomorrow to consider these and other questions about the future of cybersecurity with some of the nation's top experts.