The federal government needs clear lines of authority and accountability when it comes to which agency is responsible for detecting compromises of government networks, the top Democratic and Republican senators on a Senate committee said on Thursday.
"Obviously we had the most massive attack in the history of our government and it went undetected for over a year and it was detected by the private sector, not by government," Rob Portman (R-Ohio), ranking member on the Senate Homeland Security and Governmental Affairs Committee, said during a hearing focused on the recently disclosed hack of federal and private sector networks using compromised software supplied by a third-party vendor. The attack has led to "tremendous damage, we believe," he said.
The hack was first disclosed last December by the cyber security firm FireEye [FEYE], which discovered a breach and data theft on its own networks. The U.S. government believes the hackers are "likely Russian in origin," and were able to compromise software developed by Texas-based SolarWinds [SWI], which provides network management products.
Portman, at the outset of his questioning, said "accountability" is a concern with this and other cyber breaches, highlighting the growing cyber security threat. Following the SolarWinds disclosure, Portman said he saw "some pointing of fingers, and the fact is the private sector found it, not even government."
As Congress takes up legislation and reforms to legislation related to cyber security, he asked Christopher DeRusha, the Federal Chief Information Security Officer at the White House Office of Management and Budget, "When a cyberattack happens, who do we hold accountable?"
Portman seemed to want to know who ultimately in the government is responsible for detecting and disclosing breaches to federal civilian networks, but DeRusha focused on incident response in his answer, saying that the government has stood up an interagency group to respond to the SolarWinds incident.
"Because everyone's got a key role to play, it's really about ensuring we have the appropriate governance structures in place to manage these events together and that we're keeping clear lines of communication as we work through these things," DeRusha told the committee.
"So, no one is accountable," Portman said. Later, he said, better coordination by the government in response to incidents "is part of the answer…but also accountability."
Gary Peters (D-Mich.), the committee chairman, said he completely agrees with Portman.
"There needs to be lines of authority and lines of accountability," Peters said. "That's something we definitely will be drilling deeper into. I think it's an important topic."
Portman also raised concerns with a key Department of Homeland Security tool designed to detect and prevent known cyber threats from entering federal civilian networks. Brandon Wales, the acting director of the DHS Cybersecurity and Infrastructure Security Agency (CISA), said the perimeter protection system, known as EINSTEIN, wasn't designed to detect unknown threats, which adversaries are increasingly turning to.
Wales also pointed out that no perimeter intrusion detection system would have prevented the SolarWinds-style hack because it was able to bypass the perimeter altogether via updates to existing software deployed on networks. As he testified to a House panel last week, Wales said that CISA needs to gain greater visibility into federal civilian agency networks with sensors and data analytics so that his and other agencies can better detect, thwart and respond to cyberattacks.
EINSTEIN is doing what it was designed to do, Wales said, and that is detect threats on traffic entering federal networks.
Wales said that given the improvements being made by adversaries and the need to better monitor inside federal networks, there does need to be a rebalancing of EINTEIN toward the Continuing Diagnostics and Mitigation (CDM) program, which is providing CISA and federal agencies the tools to inventory their assets and find and prevent threats to networks.
Portman noted that the current authorization for EINSTEIN expires at the end of 2022, adding, "I believe the urgency is clear." With the expiration looming, this "means we need to work together to address the next authorization."
Wales agreed.
"Yes, I think we need to keep the pieces of EINSTEIN that continue to work and provide significant value, and we need to transition those areas that don't to different programs," he said.
Wales said the $650 million that Congress appropriated as part of a pandemic relief bill last week "will provide a down payment to start doing that."
Wales also noted that more than 90 percent of traffic on federal networks is encrypted, which EINSTEIN cannot see into. That's another reason for the need to rebalance the efforts on EINSTEIN and CDM, he said.
The White House has said that nine federal agencies and departments and about 100 companies were compromised by the SolarWinds-related hack.