'Haphazard' Response

Senate Homeland Security Leaders Seek SolarWinds Accountability

Senate Homeland Security Committee leaders said during a Thursday hearing they’re interested in overhauling the federal government’s cyberattack response process following the Russia-linked SolarWinds and other recent incidents. Chairman Gary Peters, D-Mich., and ranking member Rob Portman, R-Ohio, also want a clearer sense of which federal official should ultimately be deemed responsible if hackers infiltrate government networks, as happened with SolarWinds software.

The government’s “haphazard” SolarWinds response “made it extremely clear our ability to respond did not match the severity of the crisis,” Peters said. “The process and procedures for responding to cyberattacks desperately needs to be modernized, including improving the Federal Information Security Modernization Act, which has not been updated since the creation of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.”

“To adapt to the evolving cybersecurity threat, both the public and private sector need a centralized, transparent and streamlined process for sharing information,” Peters said. “In the event of a future attack, this will be critical to mitigating the damage.” He plans to refile the Supply Chain Counterintelligence Training Act, which aims to ensure federal officials who manage supply chain risks are trained to recognize and mitigate foreign actors’ counterintelligence threats. Senate Intelligence Committee members are drafting a mandatory cyber breach reporting measure (see 2103040066).

“We have to take a hard look at federal cybersecurity strategy,” Portman said. Any legislation “we consider needs to address the broad set of risks facing our federal networks and needs to ensure there is proper expertise and accountability in the U.S. government,” including whether the newly established role of national cyber director should be the person ultimately responsible when cyberattacks affect federal networks. “There also have to be consequences,” he said.

There should be “lines of authority” and “accountability” within the federal cybersecurity apparatus, Peters said. Portman was concerned the presence of multiple cybersecurity officials across federal agencies, including the CISA director, federal chief information security officer within OMB and FBI Cyber Division head, led to duplicative roles and a “lack of accountability.” He questioned the efficacy of a Senate-confirmed national cyber director role if that person isn’t ultimately the one responsible for breaches.

Federal CISO Chris DeRusha, FBI Cyber Division's Tonya Ugoretz and acting CISA Director Brandon Wales didn’t directly say who should be the point person, only noting their agencies’ roles. U.S. government cyber coordination “has never been stronger,” Wales said. Everyone has a key role, and we “work quite well together,” DeRusha said. The FBI is working to understand who carried out the attack and why, while coordinating with CISA, said Ugoretz: The agency will deliver an after-action report to Congress.

Portman cited “the failures of the federal government’s front-line” Einstein defense program as one culprit for the SolarWinds intrusion. CISA’s Einstein “has cost approximately $6 billion and is supposed to detect and prevent cyber intrusions at federal agencies. Clearly, it was not effective in stopping the SolarWinds breach, or even recognizing that it occurred,” since FireEye reported it. It’s “a good time to consider” Einstein’s “utility” because Congress must consider whether to reauthorize it once its current authorization sunsets at the end of 2022, Portman said.

Wales urged Portman not to dismantle Einstein, saying it “continues to perform as it was designed” and protects “against the things it was designed to” guard against. Einstein was “not designed to detect unknown threats” and instead monitors the network perimeter, he said. “There was no intrusion detection system that detected” the SolarWinds hack. FireEye “did not use an intrusion detection system to detect this threat, and they could not,” Wales said. “It just would not work that way.”

“We need to keep the pieces of Einstein that provide significant value” but should also examine how to “supplement” and improve the program, Wales said. Additional tools might be able to “look inside the network for threats” in a way that Einstein, as currently constituted, can’t. The $650 million CISA received as part of the recently enacted American Rescue Plan Act is a “down payment” to that work, he said.