Is the US Government’s Cybersecurity Agency Up to the Job?

CNN reports that some critics are now questioning whether America’s Cybersecurity and Infrastructure Security Agency (CISA) is equipped to protect the integrity of government systems from adversaries: Some of the nearly half-dozen government agencies affected by the hack have recently reached out to CISA for help with addressing the known vulnerabilities that were exploited in the attack but were told the agency did not have enough resources to provide direct support, according to a source familiar with the requests. The person noted the slow response has only increased the perception that CISA is overstretched. Multiple sources told CNN that CISA, which operates as the Department of Homeland Security’s cyber arm, does not have the appropriate level of funding or necessary resources to effectively handle an issue of this magnitude.

“It’s a two-year-old agency with about 2,000 employees, so clearly that level of responsibility is not commensurate with the resources that they have,” Kiersten Todt, a former Obama cybersecurity official and managing director of the Cyber Readiness Institute, recently told CNN….

“CISA is not capable,” according to James Andrew Lewis, cybersecurity and technology expert at the Center for Strategic and International, who added that the agency’s failure to detect the breach months ago was largely due to the fact its attention and resources were consumed by efforts to secure the 2020 presidential election. “CISA has always been and will continue to be slammed by the responsibilities heaped on it by law,” Daniel Dister, New Hampshire’s chief information security officer, told CNN. “They have been overloaded with work from the start and have had a hard time coming up to the level of expertise that DoD/CYBERCOM/NSA has enjoyed.”

Yesterday the New York Times noted the breach wasn’t detected by any U.S. government cyberdefense agency (or the Department of Homeland Security), but by private cybersecurity firm FireEye. “It’s clear the United States government missed it,” the Times was told by Senator Mark Warner, ranking member of the Senate Intelligence Committee. “And if FireEye had not come forward, I’m not sure we would be fully aware of it to this day.” The breach is far broader than first believed. Initial estimates were that Russia sent its probes only into a few dozen of the 18,000 government and private networks they gained access to when they inserted code into network management software made by a Texas company named SolarWinds. But as businesses like Amazon and Microsoft that provide cloud services dig deeper for evidence, it now appears Russia exploited multiple layers of the supply chain to gain access to as many as 250 networks.

The hackers managed their intrusion from servers inside the United States, exploiting legal prohibitions on the National Security Agency from engaging in domestic surveillance and eluding cyberdefenses deployed by the Department of Homeland Security. “Early warning” sensors placed by Cyber Command and the National Security Agency deep inside foreign networks to detect brewing attacks clearly failed. There is also no indication yet that any human intelligence alerted the United States to the hacking.