Where's the accountability for SolarWinds?
- By Justin Katz
- Mar 24, 2021
A panel of the government's top cybersecurity officials struggled on Thursday to answer questions from a Senate panel searching for a person or program to hold accountable in response to the breach of nine federal agencies discovered late last year.
Sen. Rob Portman (R-Ohio), ranking member of the Homeland Security and Government Affairs Committee, pressed the panel to say who is ultimately responsible for the government's failure to stop or detect the intrusion involving SolarWinds Orion.
Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, Chris DeRusha, the federal chief information security officer, and Tonya Ugoretz, a senior cybersecurity official at the FBI, all declined to answer the question directly.
The officials generally said each agency has its own roles and responsibilities, both for its own security and responding to an incident such as SolarWinds. Portman also questioned whether the new national cyber director role, a Senate-confirmed position within the White House, is necessary if that person is not ultimately responsible for the government's cybersecurity failures.
Sen. Gary Peters (D-Mich.), the panel's chairman, suggested the $6 billion Einstein program, which monitors activity coming in and out of government networks, should be scrutinized when it comes up for re-authorization in December 2022.
Wales has publicly acknowledged that Einstein was not designed to combat an incident such as SolarWinds. He defended the program during the hearing, saying that it has successfully protected against the threats it was designed to combat and that stopping the next attack would mean retaining the elements of Einstein that remain valuable and supplementing it with new tools.
"FireEye did not use an intrusion detection system to detect this threat and they could not. It just would not work that way… We need to supplement what Einstein does looking at the perimeter of networks with what's happening inside the network," Wales said.
The acting CISA director recently told a House panel that his agency is actively looking at new tools for endpoint detection as a way to stop a future supply chain attack.
Wales acknowledged certain weaknesses to Einstein such as an inability to monitor activity moving to and from the cloud as well as the general proliferation of cloud technology in the federal government.
"I believe the urgency here is clear," Portman said. "The statutory authorization expiring next year gives us a chance to do this. It seems like the significant limitations you've talked about means we need to work together to address the next authorization."
Sen. Maggie Hassan (D-N.H.) asked the acting CISA chief about the agency's implementation of the Continuous Diagnostics and Mitigation program, noting that some federal agencies have struggled to utilize the tools it provides.
Wales said most agencies have managed to deploy the tools and CISA is working with those that still require assistance. He also noted that when CDM was created, agencies had visibility into individual devices in their networks, but CISA did not.
"I think we are now seeing that limitation that that poses on our ability to have a comprehensive understanding of the cyber risk picture of the dot-gov," he said. Wales also said he is hopeful the new administration will issue guidance soon that will help CISA posture itself to have "the right level of visibility" to defend federal networks.
Wales said CISA this week provided federal agencies with detailed guidance on how to evict hostile actors from their networks as well as a forensic scanning tool to be deployed on any device that was running a compromised version of SolarWinds Orion.
This article first appeared on FCW, a Defense Systems partner site.
Justin Katz is a former staff writer at FCW.