CISA looks inward to stop future supply chain attacks

Einstein, a core component of the government's National Cybersecurity Protection System, was unable to stop the Solarwinds compromise because it focuses on attacks coming from outside the network, according to the acting director of the Cybersecurity and Infrastructure Security Agency. CISA is exploring ways to monitor internal "anomalous activities," such as a network management system communicating through an encrypted channel to an entity outside the network, Brandon Wales, acting CISA chief, said at a Feb. 18 event hosted by the Business Council for International Understanding.

"There are things that clearly need to be done to enhance our ability to stop attacks like this in the future. One that we are working on is better insights and visibility into the end points," he said.

"Einstein is actually a collection of capabilities, but they're all focused on the perimeter of monitoring network traffic that's going from outside U.S. government networks to inside the networks," he said. "In the case of a supply chain attack, [the threat] kind of bypasses that. It immediately places itself inside of a network and no perimeter security measure is going to stop it," he continued.

Wales also said work needs to be done on software assurance. While it would be unrealistic for the government to review every line of code for every piece of software it deploys, there are improvements that can be made through contractual language to ensure contractors have appropriate levels of security in place.

"What made SolarWinds so devastating was that SolarWinds devices are normally configured to have broad administrative rights on a network. If a system is like that, if it has broad administrative rights then it requires further hardening inside of your network," he said.

This article was first posted to FCW, a sibling site to Defense Systems.