Denys Rudyi - Fotolia
A U.S. Senate committee wanted answers on how national cybersecurity preparedness and responsiveness can be improved. Federal cybersecurity officials provided a straightforward response: more funding.
Before the Colonial Pipeline attack occurred, the Senate Committee on Homeland Security and Governmental Affairs planned to hold a hearing on how federal agencies and departments responded to the widespread SolarWinds cyber attack, which allowed cyber attackers to gain access to critical information through the Orion software platform used by private companies and federal agencies.
The hearing took place Tuesday, where representatives from federal agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), responded to questions from Senate leaders, who wanted to know what more could be done to help federal agencies and the nation prepare for the increased likelihood of cyber attacks. Senators pointed to the Colonial Pipeline attack, which forced the company to halt its oil distribution, as a primary example of risks such attacks pose.
Sen. Rob Portman (R-Ohio), ranking member of the committee, pointed to SolarWinds and another cyber attack, Pulse Secure, a VPN product for remote access, as two that are particularly unsettling. Both attacked federal infrastructure but neither attack was detected by federal security initiatives or personnel.
"The SolarWinds and Pulse Secure VPN attacks targeted federal agencies and yet it was private sector companies that discovered them," Portman said during the hearing. "That should be concerning to all of us. Despite all the increased funding … not one of these federal intrusions was discovered by the federal government. Cyber attacks are going to continue to be a threat and the federal government needs to be able to identify those threats and defend against them."
Sen. Rob PortmanRanking member, Senate Committee on Homeland Security and Governmental Affairs
CISA acting director Brandon Wales, a witness at the hearing, said more investment is needed to replace legacy systems, mitigate cloud migration challenges, improve interagency communication and visibility so that threats can be uncovered faster, and hire more cybersecurity professionals.
Response to SolarWinds
Senate committee members pressed Wales, as well as CISOs for the Department of Health and Human Services and the Department of Commerce, on how they became aware of malicious activity related to the SolarWinds cyber attack, what communication about the attack occurred between the agencies, and what steps agencies took to find compromises and shore up defenses.
The attack went undetected for months as it was spread through periodic software updates, with cybersecurity company FireEye -- which was also impacted -- calling attention to the attack. The Biden administration recently named the Russian Foreign Intelligence Service as the perpetrator of the attack and imposed economic sanctions on the country in response.
Wales said the agency provided technical assistance to affected entities that requested it as they identified and mitigated potential compromises. He said CISA's response also included scoping out the cyber campaign, sharing information and detections, supporting short-term remediation and providing guidance for long-term network recovery.
Ryan Higgins, CISO at the Department of Commerce, said the department was one of the first federal agencies to identify a potential systemic compromise due to the SolarWinds attack, determine it was a major incident and immediately coordinate with CISA for assistance. The department participated in the Cyber Unified Coordination Group stood up in response to the incident and supported information sharing across the government for all affected agencies. HHS CISO Janet Vogel said the agency also coordinated with CISA to begin mitigation of any potential impact of the malware.
What can be improved going forward
Wales said SolarWinds and other recent cyber incidents, including the attack on Microsoft Exchange, have brought about an "unprecedented and robust collaboration between the public and private sector," which he believes will continue to be critical in identifying malicious cyberactivity.
"Industry identified the threats and informed us with little delay," he said. "And in the case of the Exchange vulnerabilities, we were able to work together to take collective action to mitigate potential risks. The government provided the forum, but industry partnerships allowed us to quickly reduce the population of susceptible servers and notify potential victims at a scale that the government alone could not achieve."
Wales said the agency also needs to rethink its approach to cybersecurity and made the case for additional funding mechanisms for state and local governments to modernize legacy systems with better cybersecurity tools, such as dedicated preparedness grants for cybersecurity, which he said Congress is considering. He also recommended establishment of a Cyber Response and Recovery Fund, which would provide cybersecurity assistance to state and local governments through CISA.
As part of making a case for more funding, Wales outlined what CISA plans to do with an additional $650 million allotted to the agency in the American Rescue Plan passed in March. CISA is expanding its cyber defense team to do more hunts for threats within federal agencies, deploying new technologies and sensors inside of agency networks for greater visibility, and deploying pilot cloud environments to test the most effective ways to defend and protect them as federal agencies migrate data to the cloud.
Wales said federal agencies must also continue to transition from legacy systems to more modern, defensible and secure infrastructure.
Indeed, Higgins said the commerce department's long-term recovery plan includes migrating to modern cybersecurity infrastructure, upgrading security features in existing products and transitioning to cloud-centric models and replacing legacy on-premises infrastructure.
Makenzie Holland is a news writer covering big tech and federal regulation. Prior to joining TechTarget, she was a general reporter for the Wilmington Star-News and a crime and education reporter at the Wabash Plain Dealer.