HSGAC Chair Gary Peters: “The process and procedures for responding to cyberattacks desperately needs to be modernized,” including by reforming FISMA and streamlining information sharing.
Peters: “It is clear from the gravity of this threat that we need to examine whether CISA, the FBI and other agencies have what they need to protect the American people.”
Peters: “This hearing is the first of several that we are going to be holding on this issue. We must tackle this problem, we must do it swiftly, but we must also do it comprehensively.”
Ranking member Rob Portman: “It's been three months since we learned this attack, and there's still a lot, frankly, that remains unknown.”
Portman notes that CISA's EINSTEIN network monitoring program failed to stop SolarWinds.
“EINSTEIN’s authorization expires at the end of next year, so it's a good time to consider its utility and how it can be improved.”
“I believe we're at a crossroads for our nation’s cybersecurity,” Federal CISO Chris DeRusha tells the committee. "This incident should serve as both a wakeup call and a galvanizing opportunity... to tackle these problems...with renewed resolve."
DeRusha thanks Congress for approving $650m for CISA and $1b for the Technology Modernization Fund in the Covid bill.
“We fully acknowledge that security is expensive when done properly, but it is even more costly when it is neglected.”
OMB is leading federal agencies in moving to zero-trust architecture, DeRusha says, but "successful implementation will require a shift in mindset and focus at all levels within federal agencies." No kidding.
Peters: Core reason for these failures and what are you doing about that?
Wales: Lack of visibility. Our defenses still rely on perimeter sensors that look for known malicious activity. We're moving more into the interior of networks to hunt for threats.
Wales: How do we know SolarWinds threat isn’t still lurking in networks?
Wales: “CISA is working with each [affected agency] to ensure that they have executed the remediation of their networks that provides us a degree of confidence that the adversary is no longer present.”
On the attribution front, FBI's Tonya Ugoretz says, "The effort to develop that information investigatively continues."
"We find that it's most powerful when we are able to say, with detail and as transparently as possible, how exactly adversaries conducted this activity and ultimately who was behind it," Ugoretz says.
Portman: Who should be held accountable when a cyberattack happens?
DeRusha says multiple agencies have to work together.
Portman: So no one is accountable?
DeRusha: “Everyone has a key role to play here [with] their authorities, and we work quite well together.”
Portman: Shouldn’t the National Cyber Director be the one with ultimate accountability?
Wales: FISMA makes agency heads accountable for their defenses. NCD envisioned as a coordinator, particularly for incident response.
Carper asks Wales and Ugoretz if they would support a national data breach disclosure law. Both say yes, citing the need for more information about the tactics that adversaries are using.
Carper: Any agency communication or collaboration issues that we should try to fix?
Wales: “We are very happy with the degree of collaboration we are getting and what that relationship looks like between CISA [and other agencies] when it comes to [these] types of compromises.”
Maggie Hassan asks about CDM deployment.
Wales notes that, in some cases, CDM tools have given agencies more visibility into their networks but haven't given CISA that same visibility, which was part of the problem with SolarWinds.
Wales: "We are hopeful that new guidance will come out of the administration soon that will move us towards … having broader and deeper insights into [agency networks]."
Hassan: What are you planning to build on top of CDM?
Wales: Better endpoint detection and response capabilities so we can spot and stop malicious activity more quickly, before it can spread.
Jacky Rosen: Are you considering expanding your vulnerability disclosure program requirement to federal vendors?
Wales: No. “It's not clear that we would necessarily need to do that through a directive.” We could use the contracting process.
In response to a Hawley Q about reported Chinese hacking of several agencies through a different SolarWinds bug reuters.com/article/us-cyb… both Ugoretz and Wales say those news reports were "inaccurate."
Wales: "That reporting was inaccurate. The National Finance Center was not targeted as far as we know” in any SolarWinds-related campaign, as Reuters reported.
Ossoff: Was SolarWinds a counterintelligence failure?
Ugoretz: Intel failures usually mean failures of imagination, failures to share intel, or failures to synthesize that intel. “In the case of the SolarWinds incident, none of those three things happened.”
Ossoff: “I find it troubling that we can’t simply establish...that, operationally, this kind of breach is a counterintelligence failure.”
Ugoretz: "Our insight into adversary threat activity, especially among our most sophisticated cyber adversaries...is fragmentary.”
And with that, the hearing has ended.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
Interestingly, the National Intelligence Officer for Cyber disagreed with the conclusion that China didn't interfere. They put more stock in evidence showing that "Beijing preferred...Trump's defeat and the election of a more predictable member of the establishment instead."
In a separate document, DHS/CISA and DOJ/FBI say they investigated the right-wing conspiracy theories about foreign voting machine rigging and results tampering, and that they're "not credible." dhs.gov/sites/default/…
At WH briefing, national security adviser Jake Sullivan says the U.S. is "still gathering information" about the "scope and scale" of the Microsoft Exchange hacking campaign.
Sullivan: "The precise number of systems that have been exposed by this vulnerability and have been exploited, either by non-state threat actors or ransomware hackers or others, that is something that we are urgently working with the private sector to determine."
Sullivan: "It is certainly the case that malign actors are still in some of these Microsoft Exchange systems, which is why we have pushed so hard to get those systems patched, to get remediation underway."
One year ago today, the WHO declared the coronavirus a pandemic, Tom Hanks got Covid, schools and sports shut down, and normal life in America evaporated for everyone not already working from home.
NBC just published a great collection of people's last "normal" photos, and they are absolutely haunting. nbcnews.com/specials/the-l…
"The cascade of announcements felt like a turning point in the crisis ... Ordinary life in many places will no longer be the same for the foreseeable future as society adjusts to a new reality that transforms everything..."
The House Appropriations homeland security subcommittee is about to start a hearing on "Modernizing the Federal Civilian Approach to Cybersecurity" with acting CISA chief Brandon Wales and new CISA Cyber Division head Eric Goldstein.
Wales and Goldstein will tell Congress that CISA needs better "visibility into agency cloud
environments and end-points," esp. in light of remote work. And they'll announce work with NIST on a "common baseline" of security rules, esp. for logging. docs.house.gov/meetings/AP/AP…
Wales and Goldstein, whose agency is dealing with SolarWinds and Exchange on top of its regular work, will also deliver this warning to appropriators: CISA's "incident response resources must be fortified now to ensure that we will not be overwhelmed in the future."
@Grace_Segers, @byrdinator, and I deliver on our show's name with a truly hoth take: Attack of the Clones gets too much hate and actually has a bunch of fun stuff in it. 😱🔥
One of the three men charged was previously charged in connection with this activity in 2018: justice.gov/opa/pr/north-k…
"The DPRK cyber threat has followed the money and turned its revenue-generation sights on the most cutting-edge aspects of international finance, including through the theft of cryptocurrency from exchanges and other financial institutions," AAG John Demers says on press call.