Lawmakers on Capitol Hill are reexamining a pair of cybersecurity programs managed by the Cybersecurity and Infrastructure Security Agency in the wake of multiple hacks hitting the federal government over the past year, while outside experts warned that a possible government shutdown could harm the government’s ability to protect itself from malicious hackers.
Both issues were front and center during a Tuesday hearing of the House Homeland Security Committee’s cyber subcommittee. In opening remarks, Rep. Andrew Garbarino, chair of the subcommittee, said that while agency leaders remain ultimately responsible for their own agencies’ security, CISA and the tools it offers have “the potential to make a real impact on federal network security.”
“Whether CISA acts as a service provider or an advisor towards other agencies is a fundamental question, and Congress and CISA must both be consistent in how they approach it across CISA’s many missions and programs,” he said.
The hearing focused on two longstanding CISA programs: Continuous Diagnostics and Mitigation (CDM), which centralizes how civilian federal agencies inventory and monitor the devices connecting to their networks, and EINSTEIN, an automated system that inspects federal network traffic at the perimeter for known malicious activity.
In the early years of CISA and under its predecessor agency, the National Protection and Programs Directorate, CDM and EINSTEIN often played central roles in the agency’s cybersecurity mission and messaging. They were touted by top officials as advanced systems that would help the federal government secure its networks and systems and beat back malicious hackers from China, Russia and other foreign adversaries seeking to steal government secrets.
However, the image of both programs may have taken a hit over the years as they seemingly failed to detect or prevent numerous breaches from nation-state hacking groups.
A breach of Microsoft’s cloud email system discovered in July was first identified by the State Department, according to POLITICO. That breach wound up giving hackers affiliated with the Chinese government access to the emails of high-level federal officials at State, as well as Secretary of Commerce Gina Raimondo, among others.
One month earlier, numerous federal agencies, including the Department of Energy, that relied on the MOVEit Transfer file transfer software were breached through the same zero-day vulnerability that the Cl0p extortion group used to steal data from hundreds, and perhaps more, of private organizations.
CISA officials have publicly downplayed the impact of that breach. The discovery that federal agencies were impacted occurred after the MOVEit vulnerability and its impacts were widely reported by private threat intelligence providers. Michael Duffy, associate director for capacity building at CISA, has said the agency used CDM to analyze "near real-time agency dashboard reports to coordinate targeted notifications for the MOVEit Transfer vulnerability and understand prevalence within minutes."
Garbarino was more pointed about EINSTEIN, which inspects traffic only at the network perimeter. “While this perimeter security function is important, it is not sufficient for a cybersecurity program given the current threat landscape and the ability of bad actors to evade many perimeter security mitigations,” he said in his opening statement. “What’s more, EINSTEIN has faced longstanding downsides, including limitations in detecting and preventing encrypted traffic, and focusing on what we already know is malicious traffic.”
Private sector witnesses had a number of suggestions for Congress, from expanding programs like CDM to encompass Internet of Things devices and operational technology leveraged by critical infrastructure to relying more on endpoint detection and response technologies to spot malicious activity not captured by existing programs.
The Biden administration has also requested $425 million in its latest proposed budget for another system, the Cyber Analytics and Data System (CADS), that would eventually absorb EINSTEIN, but committee leaders said they have received few specifics on how the new system would operate, beyond that it would use automation to analyze classified and unclassified data, including the new mandatory incident reports from critical infrastructure, to uncover novel threats rather than only known ones.
Shutdowns can impact federal cybersecurity
While the focus of the hearing was on CISA’s cybersecurity programs, many of the expert witnesses testifying to the subcommittee were also government contractors, and they took the opportunity to preemptively plead with Congress to avoid a government shutdown that could impact the government’s work on cybersecurity.
The last government shutdown, which ran for 35 days from December 2018 into January 2019, came only weeks after Congress had codified the creation of CISA, and the agency was still working to staff up and reorganize when funding ran out and half its workforce was sent home. Then-director Chris Krebs told staff in a meeting that the agency did not have an established plan in place to weather a prolonged shutdown.
Witnesses at Tuesday’s hearing warned that another shutdown could slow the government’s ability to evolve and keep pace with the threat landscape in cyberspace, and could delay newer projects and initiatives.
“I think the shutdown will obviously cause some delays and some cyber projects will come to a halt. The longer we delay, the longer the adversaries will have the chance to get in front of us,” said Brian Gumbell, president of contractor Armis.
Funding lapses or “limitations stemming from uncertainties surrounding shutdowns and continuing resolutions” could impact the continuity of programs like CDM and CISA’s ability to stand up new initiatives, said Stephen Zakowitz, vice president of CGI Federal, which operates as a system integrator and security provider for dozens of federal agencies.
Joe Head, chief technology officer for Intrusion, a cybersecurity contractor run by former Federal CIO Tony Scott, said that Congress has made it possible for static cybersecurity programs like CDM and EINSTEIN to continue functioning under a shutdown, but other aspects like breach and incident response tend to languish when funding streams aren’t predictable.
“We’ve got one critical breach we’ve been waiting [to work on] for four years against the U.S. military. They were first under a [continuing resolution], and when they weren’t under a CR they didn’t have a budget, and when they had a budget they were back under a CR again and we haven’t spent dime one on anything yet,” Head told the committee. “So, when you start looking at major programs…they will continue somehow, but when you have a reaction to a breach, God help you, there’s nobody coming.”
Separately, Garbarino said CISA in particular has come “under attack” from some of his Republican colleagues over the past year, with some GOP members alleging the agency was working with social media companies to “censor” posts, violating the First Amendment. CISA officials have said their coordination with social media companies to combat mis- and disinformation is voluntary, but the work has been challenged in the courts and some members of Garbarino’s party have called for freezing salaries or imposing large cuts on the agency in retaliation.
“That’s something that I think, after today’s testimony from our witnesses, people will understand how important CISA is and that the focus needs to be on defense, especially when it comes to cybersecurity,” Garbarino said.
Correction: A previous version of this story stated it was not clear whether CDM or EINSTEIN were used to mitigate the MOVEit breach affecting federal agencies. CISA official Michael Duffy has stated the CDM program was used to coordinate targeted notifications to affected federal agencies. The story has been corrected.