“It’s a two-year-old agency with about 2,000 employees, so clearly that level of responsibility is not commensurate with the resources that they have,” Kiersten Todt, a former Obama cybersecurity official and managing director of the Cyber Readiness Institute, recently told CNN….
“CISA is not capable,” according to James Andrew Lewis, cybersecurity and technology expert at the Center for Strategic and International Studies, who added that the agency’s failure to detect the breach months ago was largely due to the fact that its attention and resources were consumed by efforts to secure the 2020 presidential election. “CISA has always been and will continue to be slammed by the responsibilities heaped on it by law,” Daniel Dister, New Hampshire’s chief information security officer, told CNN. “They have been overloaded with work from the start and have had a hard time coming up to the level of expertise that DoD/CYBERCOM/NSA has enjoyed.”
Yesterday the New York Times noted the breach wasn’t detected by any U.S. government cyberdefense agency (or the Department of Homeland Security), but by private cybersecurity firm FireEye. “It’s clear the United States government missed it,” the Times was told by Senator Mark Warner, ranking member of the Senate Intelligence Committee. “And if FireEye had not come forward, I’m not sure we would be fully aware of it to this day.” The breach is far broader than first believed. Initial estimates were that Russia sent its probes only into a few dozen of the 18,000 government and private networks they gained access to when they inserted code into network management software made by a Texas company named SolarWinds. But as businesses like Amazon and Microsoft that provide cloud services dig deeper for evidence, it now appears Russia exploited multiple layers of the supply chain to gain access to as many as 250 networks.
The hackers managed their intrusion from servers inside the United States, exploiting legal prohibitions on the National Security Agency from engaging in domestic surveillance and eluding cyberdefenses deployed by the Department of Homeland Security. “Early warning” sensors placed by Cyber Command and the National Security Agency deep inside foreign networks to detect brewing attacks clearly failed. There is also no indication yet that any human intelligence alerted the United States to the hacking.