Senate Homeland Security Leaders Eye FISMA Revamp, Cyber Accountability After SolarWinds Hack

The federal government’s “haphazard approach” to responding to SolarWinds “made it extremely clear our ability to respond did not match the severity of the crisis,” Peters said. “The process and procedures for responding to cyberattacks desperately needs to be modernized, including improving the Federal Information Security Modernization Act, which has not been updated since the creation of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.”

“In order to adapt to the evolving cybersecurity threat, both the public and private sector need a centralized, transparent, and streamlined process for sharing information,” Peters said. “In the event of a future attack, this will be critical to mitigating the damage.” He also plans to refile the Supply Chain Counterintelligence Training Act, which aims to ensure federal officials that manage supply chain risks are trained to recognize and mitigate foreign actors’ counterintelligence threats. Senate Intelligence Committee members are, meanwhile, drafting a mandatory cyber breach reporting measure in response to the hack (see 2103040066).

“We have to take a hard look at federal cybersecurity strategy,” Portman said. Any cybersecurity legislation “we consider needs to address the broad set of risks facing our federal networks and needs to ensure there is proper expertise and accountability in the U.S. government,” including whether the newly-established role of national cyber director should be the person ultimately responsible when cyberattacks affect federal networks. “When these networks are breached, as in the case of SolarWinds, there also have to be consequences,” he said.

There should be “lines of authority” and “accountability” within the federal cybersecurity apparatus, Peters said. Portman said he’s concerned the presence of multiple cybersecurity officials across federal agencies, including CISA director, federal chief information security officer within OMB and FBI Cyber Division head, led to duplicative roles and a “lack of accountability.” He questioned the efficacy of a Senate-confirmed national cyber director role if that person isn’t ultimately the one who’s responsible for breaches.

Federal CISO Chris DeRusha, FBI Cyber acting Assistant Director Tonya Ugoretz and acting CISA Director Brandon Wales didn’t directly say who should be the person ultimately responsible. They instead pointed to their agencies’ own roles.

Portman took aim at “the failures of the federal government’s front-line” Einstein defense program as one culprit for the SolarWinds intrusion. CISA’s Einstein “has cost approximately $6 billion and is supposed to detect and prevent cyber intrusions at federal agencies. Clearly, it was not effective in stopping the SolarWinds breach, or even recognizing that it occurred,” since cybersecurity firm FireEye was the first to report it. It’s “a good time to consider” Einstein’s “utility” because Congress must consider whether to reauthorize it once its current authorization sunsets and the end of 2022, Portman said.

Wales urged Portman to not dismantle Einstein entirely, saying it “continues to perform as it was designed” and protects “against the things it was designed to” guard against. Einstein was “not designed to detect unknown threats” and instead monitors the network perimeter, he said. “There was no intrusion detection system that detected” the SolarWinds hack. FireEye “did not use an intrusion detection system to detect this threat and they could not,” Wales said. “It just would not work that way.”

“We need to keep the pieces of Einstein that provide significant value” but should also examine how to “supplement” and improve the program, Wales said. Additional tools might be able to “look inside the network for threats” in a way that Einstein can’t as currently constituted. The $650 million CISA received as part of the recently-enacted American Rescue Plan Act is a “down-payment” to that work, he said.