Federal Government, Industry Making Progress on Network Security: CISA
The federal government is progressing in its understanding of the extent of threats to federal technology systems, Eric Goldstein, executive assistant director-cybersecurity at the Cybersecurity and Infrastructure Security Agency, said at a Center for Strategic and International Studies event late Wednesday. Other speakers noted private companies have slowly become more willing to share information when they experience a cyberattack.
Following the 2020 SolarWinds attack (see 2101190067), there was a realization within the administration that “we really had inadequate visibility into all layers of the federal technology environment, and we really weren’t managing the federal ecosystem as an enterprise,” Goldstein said. “We had to do things differently,” he said.
The government was managing its “ecosystem” as 102 separate agencies. No single organization was charged with understanding the “breadth” of vulnerabilities the government faced and the level of activity, Goldstein said. Congress passed the American Rescue Plan Act of 2021, which provided additional funding for CISA, he said. Executive Order 14028, also in 2021 and aimed at improving the nation’s cybersecurity, gave CISA authority to compel federal agencies to provide information and participate in CISA programs, he said. Congress also passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which requires that covered entities report incidents to CISA within 72 hours of when they occur, he said (see 2101190067).
CISA’s visibility into the risks federal agencies face “has extraordinarily progressed” since SolarWinds, Goldstein said. “We are able to see the vulnerability and configuration state of any federal endpoint across any federal civilian agency,” he said: “We are able to conduct proactive and persistent hunting missions across any federal civilian agency from CISA headquarters.” CISA can now issue directives and assess whether agencies are complying, he said.
Moreover, CISA can respond more quickly when it detects problems, Goldstein said. The agency can “share information quickly” across the government “in an automated way,” he said. “It allows us to raise the bar further for federal agencies and drive investment in the right place,” all of which was lacking before, he said.
CISA must deal with more data than ever, Goldstein said, but it’s not an “insurmountable dataset” compared with what the industry sees on a daily basis. “It is a challenge for a newer agency like CISA” but one “that has been met elsewhere.”
The work of CISA is “ambitious” and involves “a lot more than collecting data,” said Wilkinson Barker’s Clete Johnson, CSIS senior fellow and former cybersecurity adviser to the FCC. “It’s collecting data for an applied purpose -- trying to outwit and outmaneuver the bad guys,” he said.
Verizon's annual Data Breach Investigations Report released Wednesday found 68% of breaches involve a non-malicious human action, which is “a person making an error or falling prey to a social engineering attack.” The 68% figure is roughly on par with last year. It found nearly a third of breaches involved ransomware or another form of extortion. The report noted “a substantial growth of attacks involving the exploitation of vulnerabilities as the critical path to initiate a breach,” which was up 180% from the 2023 report.
The goal is getting the data needed to make everyone more secure, Chris Novak, global director-Verizon's Threat Research Advisory Center, said during the CSIS event. Verizon's report examined about a million incidents, he said. Various players are starting to understand the importance of reporting attacks, he said: “We are getting” where we need to be “but not nearly fast enough.”
The most important information is how an intrusion happened and how it could be prevented, Goldstein said. Some companies “lean forward” and collaborate with industry and government when they are attacked, he said. There’s still “a perception of corporate risk from that level of collaboration that we do see quelling a lot of the cooperation that we would want to see,” he said. “There is still too much of a victim-blaming culture” that limits collaboration, he said.
“The fact that organizations are starting to share anything … is a positive from where we’ve come,” Novak said. In the early days, it was “like pulling teeth” to get companies to acknowledge an attack, he said. The “stigma” of being attacked has started “to reduce a little bit,” he said. Some victims of SolarWinds “transparently came out and shared a lot of information about what happened,” he said. Not all victims did, however, he said.
The U.S. government is saying “in the best way” it can to everyone, “gird your loins -- there are problems ahead,” said Kathryn Condello, Lumen senior director-national security and emergency preparedness and vice chair of the Communications Sector Coordinating Council. ISPs must educate their customers about ways of reducing risks, she said. “That is an operational collaboration based on threat, based on an environment that we’re in,” she said. The average person doesn’t think about the threat of bad actors like China on a daily basis, she said.