Feds aren’t well prepared to spot SolarWinds-style hacks at agencies, CISA official says

The SolarWinds hack is making CISA reexamine key programs for protecting federal networks.
Sen. Maggie Hassan (D-NH) speaks at a Homeland Security and Governmental Affairs/Rules and Administration Committee hearing. (Photo by Shawn Thew-Pool/Getty Images)

In one of the bluntest assessments of U.S. government security shortcomings around the SolarWinds hack, a top Department of Homeland Security official told senators on Thursday that federal defenses simply aren’t aligned properly to detect advanced attackers.

The testimony before the Senate Homeland Security and Governmental Affairs Committee on federal cybersecurity weaknesses points to a forthcoming reorientation of how DHS’s Cybersecurity and Infrastructure Security Agency protects agencies from threats. It’s a shift resulting from the fallout from the hack at federal contractor SolarWinds that resulted in breaches at numerous federal agencies and major technology companies.

And it’s a shift that Congress is aiding with $650 million that it recently appropriated for CISA.

“Part of the challenge is that you can only secure what you can see,” Brandon Wales, acting director of the agency, told committee Chairman Gary Peters, D-Mich. “Over the past decade our system of protection has largely relied on sensors at the perimeter of networks that are designed to be fed by intelligence, by information from the private sector, [and that has] relied upon detecting known malicious activity. And our adversaries have advanced.”


Hackers no longer use the same infrastructure as they did for past attacks, Wales said, and are hopping from server to server within the U.S. to avoid getting caught. The funding from the so-called American Rescue Plan Act will allow CISA to make a down payment on targeting that kind of foe, he said.

“One of the main areas we plan on focusing” with those funds, Wales said, “is looking inside of networks.” That means examining what’s happening on specific devices and servers “to ensure we have the right level of insight. There needs to be the right balance” with perimeter detection, he said.

Two of CISA’s signature initiatives are the intrusion detection program known as EINSTEIN and a defense-bolstering program known as Continuous Diagnostics and Mitigation (CDM). Congress has devoted billions in spending to both. But EINSTEIN is designed to monitor traffic, with a focus on known threats. And CDM’s tools need an upgrade, with greater CISA insight into networks, too, Wales said.

Neither tool was designed to stop targeted cyberattacks that rely on previously unknown software vulnerabilities or spies’ use of corrupted software to distribute malware, as investigators say occurred in the SolarWinds incident.

Ohio Sen. Rob Portman, the top Republican on the Senate panel, asked why a private sector company — FireEye — detected the SolarWinds hack before the federal government did.


“EINSTEIN continues to perform as it was designed, and it can protect against the things it was designed to protect against,” said Wales, but all of it “at the perimeter,” he added. Furthermore, he said, “there was no intrusion detection system anywhere that detected this threat. We need to supplement what EINSTEIN does looking at the perimeter of networks with what’s happening inside the network.”

Portman also pointed out that EINSTEIN isn’t capable of providing much insight into the increasing use of the cloud in civilian federal agencies or into encrypted traffic, the latter of which Wales said made up more than 90% of the total traffic.

Congressional authorization of EINSTEIN is set to expire next year. Portman and Wales agreed that could be a good vehicle to reevaluate it.

The CDM program is another avenue for improvement. Since the program began, Wales told Sen. Maggie Hassan, D-N.H., individual agencies have been able to “see into the individual devices on their networks, but CISA was not able to. We are now seeing the limitation that imposes on our ability to have a comprehensive understanding of the cyber risk picture of the dot gov.”

Wales said he hoped Biden administration guidance would change that dynamic.


The recent congressional funding could be used to acquire “better endpoint detection and response tools” under CDM “that would give us the ability to understand what is happening on critical servers and work stations,” he said. “It would give us the ability to detect more malicious capabilities, to respond more quickly and work with agencies to block anomalous behavior before it moves broadly into a network.”

Wales’ testimony expands on DHS Secretary Alejandro Mayorkas’ remarks earlier this week on Capitol Hill, when he told lawmakers in comments about EINSTEIN and CDM that “we are looking intently at those tools and what other tools can complement them to address unknown vulnerabilities, zero-day threats.”

The other hearing witnesses — Chris DeRusha, the federal government’s chief information security officer, and Tonya Ugoretz, acting assistant director of the FBI’s Cyber Division — didn’t offer entirely grim assessments of the federal response to the SolarWinds breach. Even as some senators challenged them on the federal government’s lack of one central official or department who could be held accountable, they defended the shared responsibility across federal agencies for cybersecurity, as well as the coordination between those agencies.

And while the SolarWinds hack fallout largely centered on the U.S., the U.S. wasn’t alone among victims, Ugoretz said.

“We are aware of instances and information shared with us from foreign partners where some of their networks were affected as well,” she said.


Under questioning from Sen. Jon Ossoff, D-Ga., Ugoretz rejected the notion that SolarWinds represents a counterintelligence failure, saying there was no failure of imagination, no failure to share data and no failure to connect disparate pieces — an answer Ossoff considered “troubling.”

Sean Lyngaas contributed reporting to this article.
