Senate Homeland Security Committee is beginning a hearing on the federal response to the SolarWinds campaign.

Federal CISO, acting CISA director, and senior FBI cyber official are testifying.

hsgac.senate.gov/understanding-…

We previewed what to expect in MC: subscriber.politicopro.com/newsletter/202…
HSGAC Chair Gary Peters: “The process and procedures for responding to cyberattacks desperately needs to be modernized,” including by reforming FISMA and streamlining information sharing.
Peters: “It is clear from the gravity of this threat that we need to examine whether CISA, the FBI and other agencies have what they need to protect the American people.”
Peters: “This hearing is the first of several that we are going to be holding on this issue. We must tackle this problem, we must do it swiftly, but we must also do it comprehensively.”
Ranking member Rob Portman: “It's been three months since we learned this attack, and there's still a lot, frankly, that remains unknown.”
Portman notes that CISA's EINSTEIN network monitoring program failed to stop SolarWinds.

“EINSTEIN’s authorization expires at the end of next year, so it's a good time to consider its utility and how it can be improved.”
"I believe we're at a crossroads for our nation's cybersecurity," Federal CISO Chris DeRusha tells the committee. "This incident should serve as both a wakeup call and a galvanizing opportunity... to tackle these problems...with renewed resolve."
DeRusha thanks Congress for approving $650m for CISA and $1b for the Technology Modernization Fund in the Covid bill.

“We fully acknowledge that security is expensive when done properly, but it is even more costly when it is neglected.”
OMB is leading federal agencies in moving to zero-trust architecture, DeRusha says, but "successful implementation will require a shift in mindset and focus at all levels within federal agencies." No kidding.
Peters: Core reason for these failures and what are you doing about that?

Wales: Lack of visibility. Our defenses still rely on perimeter sensors that look for known malicious activity. We're moving more into the interior of networks to hunt for threats.
Wales: How do we know SolarWinds threat isn’t still lurking in networks?

Wales: “CISA is working with each [affected agency] to ensure that they have executed the remediation of their networks that provides us a degree of confidence that the adversary is no longer present.”
On the attribution front, FBI's Tonya Ugoretz says, "The effort to develop that information investigatively continues."
"We find that it's most powerful when we are able to say, with detail and as transparently as possible, how exactly adversaries conducted this activity and ultimately who was behind it," Ugoretz says.
Portman: Who should be held accountable when a cyberattack happens?

DeRusha says multiple agencies have to work together.

Portman: So no one is accountable?

DeRusha: “Everyone has a key role to play here [with] their authorities, and we work quite well together.”
Portman: Shouldn’t the National Cyber Director be the one with ultimate accountability?

Wales: FISMA makes agency heads accountable for their defenses. NCD envisioned as a coordinator, particularly for incident response.
Carper asks Wales and Ugoretz if they would support a national data breach disclosure law. Both say yes, citing the need for more information about the tactics that adversaries are using.
Carper: Any agency communication or collaboration issues that we should try to fix?

Wales: “We are very happy with the degree of collaboration we are getting and what that relationship looks like between CISA [and other agencies] when it comes to [these] types of compromises.”
Maggie Hassan asks about CDM deployment.

Wales notes that, in some cases, CDM tools have given agencies more visibility into their networks but haven't given CISA that same visibility, which was part of the problem with SolarWinds.
Wales: "We are hopeful that new guidance will come out of the administration soon that will move us towards … having broader and deeper insights into [agency networks]."
Hassan: What are you planning to build on top of CDM?

Wales: Better endpoint detection and response capabilities so we can spot and stop malicious activity more quickly, before it can spread.
Jacky Rosen: Are you considering expanding your vulnerability disclosure program requirement to federal vendors?

Wales: No. “It's not clear that we would necessarily need to do that through a directive.” We could use the contracting process.
In response to a Hawley question about reported Chinese hacking of several agencies through a different SolarWinds bug (reuters.com/article/us-cyb…), both Ugoretz and Wales say those news reports were "inaccurate."
Wales: "That reporting was inaccurate. The National Finance Center was not targeted as far as we know" in any SolarWinds-related campaign, as Reuters reported.
Ossoff: Was SolarWinds a counterintelligence failure?

Ugoretz: Intel failures usually mean failures of imagination, failures to share intel, or failures to synthesize that intel. “In the case of the SolarWinds incident, none of those three things happened.”
Ossoff: “I find it troubling that we can’t simply establish...that, operationally, this kind of breach is a counterintelligence failure.”

Ugoretz: "Our insight into adversary threat activity, especially among our most sophisticated cyber adversaries...is fragmentary.”
And with that, the hearing has ended.

Thread by Eric Geller