CISA lacks insights into agency network defenses

The Cybersecurity and Infrastructure Security Agency doesn’t have the data to determine if agencies are segmenting and segregating their networks, according to CISA acting Director Brandon Wales.

In a June 3 response to questions from Sen. Ron Wyden (D-Ore.) about the 2020 SolarWinds attack and the role the EINSTEIN cybersecurity system plays in protecting federal networks, Wales said that while his agency “continues to develop and promulgate guidance to encourage network segmentation,” it does not know the percentage of agencies that have segmented and segregated their internal networks.

This information is apparently not sought in reports required under the Federal Information Security Modernization Act, although FISMA does require some detail on how high-value asset systems are managed and protected on agency networks.

Wyden contacted CISA in February 2021 with a list of questions about CISA's capacity to detect zero-day exploits and related anomalous network activity using its $6 billion EINSTEIN sensor system, including why CISA was unable to detect network traffic between agencies that had downloaded a corrupted SolarWinds update package and a remote server that was established by the exploit’s perpetrators to manage the campaign and send additional malware payloads to compromised systems.

Wales agreed with findings presented by Wyden that firewalls configured to block outgoing traffic would have halted the progress of the SolarWinds campaign, but he added that such a configuration "is not applicable to all types of intrusions and may not be feasible given operational requirements for some agencies." He also noted that the three-pronged EINSTEIN capability is just one piece of the National Cybersecurity Protection System. One big lesson of the SolarWinds campaign, Wales wrote, is that, "EINSTEIN must be supplemented with capabilities that enable us to look inside the network to better detect in-network intrusions."

Additionally, Wales acknowledged that EINSTEIN's focus on the network perimeter is insufficient given the increase in encrypted network traffic and the proliferation of network endpoints. CISA is planning to use a $650 million spending boost included in the American Rescue Plan Act to "rapidly accelerate the transition from a perimeter defense construct to a construct whereby agencies and CISA will be better situated to identify threat activity within federal networks in near-real-time."

Wales wrote that "CISA is continuously evaluating opportunities to use binding operational directives or other authorities to drive appropriate security measures, including to adopt risk-based configuration practices." He added later in the letter that "we need to rethink our approach to managing cybersecurity across 101 federal civilian executive branch agencies."

This article was first posted to FCW, a sibling site to Defense Systems.