The Case for 'Zero Trust' Approach After SolarWinds AttackCISA Acting Director and Federal CISO Tell Senate of Need for a New Government Strategy
The SolarWinds supply chain attack should push federal government agencies to adopt the "zero trust" model and deploy better endpoint detection and response tools, according to the new federal CISO and the acting director of the U.S. Cybersecurity and Infrastructure Security Agency.
Their comments came at a Thursday hearing held by the Senate Homeland Security and Government Affairs Committee to investigate the broad SolarWinds attack that led to follow-on attacks against nine federal agencies and about 100 private companies.
The panel heard testimony from Christopher DeRusha, who was recently appointed federal CISO, and Brandon Wales, the acting director of CISA. They're coordinating the federal response to help mitigate the impact of the attack.
During his opening statement, DeRusha noted that the SolarWinds attack should push the federal government away from outmoded approaches to perimeter security and toward use of the zero trust model, which assumes networks have been compromised and focuses on authenticating identity when a user attempts to access a device, application or system.
"In this new model, real-time authentication tests users and looks to block suspicious activity and prevents adversaries from the kind of privilege escalation that was demonstrated in the SolarWinds attack," DeRusha said. "Many of the tools we need to implement this model already exist within industry and agency environments, but successful implementation will require a shift in mindset and focus at all levels within federal agencies."
DeRusha and Wales testified that a portion of the $2 billion for cybersecurity and IT modernization in the recently passed American Rescue Plan will support investment in adopting the zero trust model at federal agencies as well as enhancing endpoint detection and response (see: Relief Package Includes Less for Cybersecurity).
In the meantime, federal agencies, including the FBI and CISA, continue to investigate the SolarWinds supply chain attack, in which 18,000 of the company's customers downloaded a Trojanized update of the firm's Orion network monitoring platform. Investigators have said that the hack was likely part of a Russian cyberespionage operation.
During questioning by Sen. Gary Peters, D-Mich., the committee chairman, Wales said that key elements in battling against attacks such as the SolarWinds incident include improving network visibility and incident response and enhancing the ability to sort through data and intelligence to identify emerging risks.
He also said federal agencies need to shift away from an emphasis on perimeter security to focus more on endpoints.
"Those perimeter security sensors are still valuable, and we use them to both protect as well as to forensically look back and see where activity may have been so we can conduct investigations," Wales said. "In the past, we focused most on [protecting] the network from the outside and not enough about what was going on inside the network, especially what's happening at the [endpoint] hosts."
Wales also called for improvements within CISA's Continuous Diagnostics and Mitigation suite of services and tools that provide asset management, hardware and software management capabilities as well as configuration and patch management. Federal agencies that use the suite have visibility into their endpoints, but CISA does not, he pointed out.
"We are now seeing the limitation that poses on our ability to have a comprehensive understanding of the cyber risk picture of [federal agencies]," Wales testified. "We are hopeful that new guidance will come out of the administration soon that will move us toward having broader and deeper insights into that level of detail, and allow us to have the right level of visibility to provide and execute our role when it comes to securing [government agencies]."
Sen. Rob Portman, R-Ohio, the ranking member of the committee, asked why the SolarWinds attack was initially detected by security firm FireEye and not by Einstein, the intrusion detection system deployed by CISA and the Department of Homeland Security.
The failure of Einstein to detect the SolarWinds supply chain attack had been previously reported by The New York Times.
Wales said that while Einstein analyzes network traffic flowing into and out of federal networks, it would not have been able to detect a Trojanized software update. He noted that Einstein cannot read encrypted network traffic and said that's why better endpoint detection is needed.
Wales and Portman both noted the authorization to continue using Einstein ends in December 2022, so now's the time to suggest improvements in the system.
"Any cybersecurity legislation we consider needs to address the broad set of risks facing our federal networks and needs to ensure there is proper expertise and accountability in the U.S. government," Portman said.