The House Appropriations homeland security subcommittee is about to start a hearing on "Modernizing the Federal Civilian Approach to Cybersecurity" with acting CISA chief Brandon Wales and new CISA Cyber Division head Eric Goldstein.

appropriations.house.gov/events/hearing…
Wales and Goldstein will tell Congress that CISA needs better "visibility into agency cloud environments and end-points," esp. in light of remote work. And they'll announce work with NIST on a "common baseline" of security rules, esp. for logging. docs.house.gov/meetings/AP/AP…
Wales and Goldstein, whose agency is dealing with SolarWinds and Exchange on top of its regular work, will also deliver this warning to appropriators: CISA's "incident response resources must be fortified now to ensure that we will not be overwhelmed in the future."
Subcommittee chair Lucille Roybal-Allard in her opening statement: “It's clear that we need to be investing much more in preventing and mitigating and responding to cyber intrusions and attacks.”
“It took far too long to become aware that a foreign adversary had infiltrated federal civilian agency networks and exfiltrated sensitive data," Roybal-Allard said. "I am deeply concerned about how long it will take to learn the full extent of that compromise.”
Subcommittee ranking member Chuck Fleischmann to CISA officials: "With limited resources at your disposal, you have done a tremendous job."
Acting CISA Director Brandon Wales is delivering his opening statement.

“If we needed any reminder of the significance of the cyber threats we face to our national and economic security, the last three months, and indeed the last week, should serve as a warning.”
“We continue to work this campaign aggressively," Wales says of CISA's response to SolarWinds.
Wales: “We need to rethink our approach to managing cybersecurity across 101 federal civilian executive branch agencies.”
Eric Goldstein, new head of CISA's Cyber Division, speaking now.

“These incidents reflect a need to strengthen our nation's cyber defenses, invest in new capabilities and begin to fundamentally change how we think about cybersecurity.”
CISA's four "strategic growth" areas, per Goldstein:

* Need to increase CISA’s visibility into other agencies’ networks
* Need to expand CISA’s incident response capacity
* Need to improve ability to analyze large volumes of data
* Need to promote adoption of defensible networks
Goldstein: "We deeply appreciate Congress's consideration of additional funding to address these priorities," but that money should be considered a "down payment" on a more "sustained effort" to boost CISA.
Roybal-Allard: Any evidence SolarWinds adversaries did more than steal data?

Wales: "We have no evidence at this time that the actor did anything except steal information."
Roybal-Allard: Any federal agencies compromised in Exchange Server hacking activity?

Goldstein: "At this point in time, there are no federal civilian agencies that are confirmed to be compromised," but "this is an evolving campaign, with new information coming in by the hour."
Fleischmann asks about the government's handling of supply chain attacks.

Wales says they're "one of the most challenging [types of attacks] to address, and it's going to take a lot more creative thinking to fully solve it."

Goldstein emphasizes focus on kill chain.
Rosa DeLauro: Why isn’t EINSTEIN more effective? What is its future?

Goldstein: EINSTEIN was originally designed to protect the edge of a network. For various reasons, especially the obfuscating nature of encryption, EINSTEIN can’t see much of what it was designed to see.
EINSTEIN “has grown somewhat stale over time and now does not provide the visibility that CISA needs," Goldstein says.

For that reason, CISA is "urgently moving our detection capabilities from that perimeter layer into agency networks."
DeLauro: Timing on transition?

Goldstein: “The transition is underway now.” We have pilots going. With funding from Congress, we’ll be able to accelerate those pilots.

He says "it will be iterative" and can't give ETA at the moment.
Wales adds: The $650m in the Covid bill “is a down payment" on things like this transition.

"It accelerates some of these efforts. But this is going to require sustained investment” for both CISA and other agencies.
DeLauro really wants a cost and timing estimate for this repositioning of CISA's visibility efforts.

“Every month that goes by, we are at risk” for SolarWinds/Exchange repeats, she says.
DeLauro: Did 2020 election security work distract from things like SolarWinds and contribute to its success?

Wales: No. We can "work multiple problems. … I do not believe that the election distracted us. If anything, it has further honed our capabilities" e.g. coordination.
John Rutherford asked a series of questions about CDM deployment. Kinda wonky stuff, but the gist is that Wales and Goldstein say CDM deployment is going well and the program has given agencies the visibility necessary to implement CISA's emergency directives.
Dutch Ruppersberger asks about CISA's resource needs.

Wales: “Without a doubt, to accomplish the scale of the mission that we have, we need more resources.”
Wales: “The money" in the Covid bill "is a down payment on the scale of capabilities, tools and resources we need.”
Ruppersberger also mentioned the force structure assessment that the FY21 NDAA required CISA to complete.

Wales says CISA is working on that assessment and expects to brief the Hill "later this year."
Ashley Hinson asks who was behind SolarWinds and Exchange.

Wales reiterates that USG has said SolarWinds is likely Russian and says govt is still assessing and will share more information "soon."

Says USG hasn't attributed Exchange yet.
Hinson: Can you talk about what your long-term threat hunting plans are?

Goldstein: “What we want to move to is a paradigm where CISA is able to continuously assess security data from agencies on an ongoing basis for evidence of compromise."
Lauren Underwood asks how the Covid funding will help CISA protect non-federal partners.

Wales: The new incident response funding “will free up necessary capabilities and will allow us to support more state, local and private sector entities that are coming to us for support.”
Underwood: How should Congress help protect state and local governments?

Wales: No specific proposal to outline today. But we know we need to “identify additional mechanisms by which we can provide that level of support.”
Underwood asks about CISA workforce diversity.

Wales says 35% of employees are women but doesn't have stat for employees of color.

He says CISA plans to accelerate diverse recruitment efforts as pandemic allows.
Goldstein: "This is unequivocally one of my top priorities. Diversity and inclusion is a national security issue, and it is an urgent imperative for us to have a cybersecurity workforce that reflects the diversity of this country."
Steven Palazzo asks for stats on private-sector hacking.

Wales: "One of the challenges in answering your question with more specificity is that we are entirely dependent upon the private sector voluntarily sharing information with us..."
"The more that information is held by compromised private sector entities, the less we are able to protect everyone else," Wales said. "And so I think that is something that we are eager to work with Congress to see how that can be addressed."
Pete Aguilar: How does CISA plan to implement NDAA threat hunting authority, given that there are different models?

Goldstein: “We are not seeing this as an either/or proposition.” We’ll deploy EDR tools on agency networks & encourage those agencies to aggregate their own data.
Aguilar: How would each threat hunting approach affect your funding needs?

Goldstein: Three variables to consider. First: people with necessary expertise. Second: tools and sensors to collect data. Third: infrastructure to analyze data.
As round 2 begins, Roybal-Allard asks a key question: Why does CISA plan to spend "a significant portion" of its Covid bill funding on upgrading O365 licenses to get more log data? Why isn’t this part of the basic package, given how key log data is?
Goldstein doesn't confirm that this is happening.

“As part of our funding request, we do intend to develop a process to improve the level of cloud security across the federal govt.” One option for that is upgrading licenses from existing vendors, but there are other options too.
Goldstein: “We do hope that these sorts of investments will be built into baseline requests going forward, but we do recognize that this will be a long journey.”
Fleischmann: How much of a difference will the Covid bill funding make?

Goldstein: “This investment will absolutely make a demonstrable impact in federal cybersecurity. At the same time, it is [an] incremental step.”
Fleischmann: What beyond supply chain attacks do you see as our biggest vulnerabilities?

Goldstein: “The gravest risk” we see is an adversary compromising an industrial control system in a way that could have health-and-safety impacts.
Goldstein on Oldsmar: “That incident, although not resulting in immediate harm, should be a clarion call for this country for the risk that we face from cyber intrusions into these critical systems.”
Ruppersberger: Can you share more detail on how the new money will help you expand your incident response capability?

Goldstein: Deploying sensors to increase visibility; expanding threat hunting abilities; improving data-analysis work; & moving agencies to better networks.
Goldstein: “None of these activities will be fully actualized by the money in the ARA, so we are going to need longer term investment by CISA and by individual agencies across all four of these paths.”
Rutherford asked how focused CISA is on ICS security.

Wales: “Industrial control systems is among our highest priorities.”
Goldstein: CISA has two lines of effort on ICS security: supporting ICS operators through services like vulnerability assessments, and raising the CI community's cyber “baseline,” since many entities, especially municipally run ones, can’t afford pricey solutions.
Price asks about health-care sector cybersecurity.

Wales: “We have worked hard over the past year to increase the cybersecurity profile of this industry.”
Wales: “We have seen through our efforts [that] the speed at which this sector is patching vulnerabilities that we can see through external scans improved dramatically.”
Wales: "We think that this [partnership with the health-care sector] will pay long-term dividends beyond the pandemic, in the form of our relationship with the sector, their ability to utilize our resources and their overall cybersecurity baseline.”
Palazzo: Are you working with other agencies to develop a plan for protecting critical systems like space technologies?

Goldstein: Yes, we work closely with DoD and other partners to build security into emerging technologies.

Wales: We’ve been meeting with the Space ISAC.
And the hearing has now wrapped.

Thread by Eric Geller (@ericgeller)