The Department of Homeland Security plans to spend $650 million included in an economic stimulus package in four main areas to better protect federal civilian agency networks, including more sensors to gain greater visibility into threats and improved analysis of those threats and the risks they pose, department officials told a House panel on Wednesday.
The new funding for the Cybersecurity and Infrastructure Security Agency (CISA) within DHS was approved by the House on Wednesday afternoon as part of a $1.9 trillion pandemic relief package that is expected to be signed into law by President Biden on Friday.
The funding will go toward deploying new detection sensors within federal civilian agency networks "to increase our visibility into cyber security threats within agency environments and figure out adversary activity much quicker to minimize these kinds of prolonged compromises that we've recently seen," Eric Goldstein, executive assistant director of CISA's Cybersecurity Division, told the House Appropriations Homeland Security Subcommittee.
The incidents Goldstein referred to include a disclosure last week of a hack into Microsoft's [MSFT] Exchange email and calendar server software, and a separate hack disclosed in December related to a software platform supplied by SolarWinds Inc. [SWI] used as part of larger network management systems.
The subcommittee hosted a hearing with Goldstein and his boss, CISA Acting Director Brandon Wales, on "modernizing the federal civilian approach to cybersecurity." Rep. Lucille Roybal-Allard (D-Calif.), chairwoman of the panel, in her opening remarks mentioned the Microsoft and SolarWinds compromises and another, a recent attack on the control systems of a water treatment facility in Florida that increased the lye levels and could have had deadly results if it hadn't been recognized quickly.
"It is clear that we need to be investing much more in preventing, mitigating, and responding to cyber intrusions and attacks," she said.
Wales highlighted that the attack vector in the SolarWinds incident was a "trusted" software patch for customers using the company's product. This hack "bypassed traditional perimeter security," he said, and demonstrates the "need for us to have better insights and visibility inside of networks."
Wales added that focusing just on perimeter security will miss "the more sophisticated type of attacks, which are only going to take place on individual workstations on individual servers."
CISA also plans to use some of the new funding to boost its capabilities for responding to cyber incidents and hunting for threats on federal networks, an authority the agency was granted in the defense policy bill for fiscal year 2021. Whereas threat hunting in the past was mostly done in response to a breach, Goldstein said that going forward CISA will adopt a "persistent" and "proactive hunting model."
The threat hunting language in the National Defense Authorization Act gives CISA the authority to access federal civilian agency networks with or without their permission. Rep. Pete Aguilar (D-Calif.) asked whether CISA plans to collect data on agency networks using instruments or rely on the agencies to provide access to their security logs.
Goldstein replied that CISA will take advantage of the flexibility the authority provides to see what model, or combination of models, "make the most sense for federal cyber security." Having the additional endpoint detection sensors and response tools deployed on federal networks will provide more data for CISA to "continuously analyze threat activity," both on-premises and in the cloud, he said.
More sensors will mean more detected cyber security incidents, which in turn means CISA needs to bolster its incident response capacity to hunt for threats and assist victims, Goldstein said.
"And so, our goal with this authority is to interpret it in a way that best advances our cyber security goals across the federal civilian enterprise, and as noted by several of the other members, our execution model for this authority will likely change over time as technology changes and risks change," Goldstein said.
The third area of spending for the new funds will be analytic tools and improving CISA's ability to analyze the data it is getting from detection sensors so it can better understand and identify risks and threats across the federal civilian government, Goldstein said.
Finally, Goldstein said a strategic and long-term "imperative" is to help agencies adopt a "more defensive architecture" that in part will be based on CISA offering shared services to increase cyber security and providing guidance on "zero-trust principles where we're assuming that the network is permeable and focusing on protecting assets and accounts therein."
Several members asked the CISA officials for cost estimates for meeting these goals, but the officials said it will take time to understand the agency's long-term funding needs.
Goldstein described the $650 million in the American Rescue Plan Act as a "down payment" on CISA's needs, adding that "none of these activities will be fully actualized by the money in the [bill]. So, we are going to need longer-term investment, both by CISA and by individual agencies, across all four of these paths as well as continuously re-evaluating the risk and technology environment to make sure that our onboard resources are commensurate with critical changes."
Asked by Rep. Chuck Fleischmann (R-Tenn.), the ranking member on the subcommittee, whether the new funding for CISA will "have a demonstrable impact or [is] just merely buying down the risk," Goldstein replied, "This investment will absolutely make a demonstrable impact in federal cyber security. At the same time, it is an incremental step. This will be a multi-year process assuredly across the 101 agencies in the federal civilian executive branch to ensure that we are able to provide the level of security that the American people expect."
Goldstein said that CISA and federal agencies will be "moving to a more shared service, even centralized model, where CISA's raising the baseline across the federal civilian executive branch."