No invite needed: CISA threat hunting authority spans government networks

Dive Brief:

The SolarWinds and Microsoft Exchange hacks reinforced the U.S. government's need to have a holistic view of the threat landscape, which gave the Cybersecurity and Infrastructure Security Agency (CISA) threat hunting power and more authority. The National Defense Authorization Act (NDAA) granted CISA the authority to perform active threat hunting on other government networks, said Rep. Jim Langevin, D-R.I., and member of the Cyberspace Solarium Commission (CSC), during the RSA Conference Wednesday.
Previously, CISA was only allowed to threat hunt in other agencies if they were invited, said Langevin. "Departments and agencies don't want to look bad, and if they invite CISA and they find something, it doesn't make them look good."
The rule limited CISA's exposure to the threats facing other agencies, "CISA was never invited in," according to Langevin. The cybersecurity agency was also given subpoena power under the NDAA, which it used for the first time earlier this month for an internet service provider with vulnerable software.

Dive Insight:

Members of congress are concerned that FireEye was the first entity to detect an intrusion, which then unraveled into the cross-sector SolarWinds compromise.

"I think that is a reminder of the need to relentlessly push on public-private collaboration and for the federal government to have the humility to recognize that it means the cooperation of the private sector," Rep. Mike Gallagher, R-Wis., and co-chair of the CSC, said during the conference.

In a March Senate hearing, Sen. Ron Portman, R-Ohio, said the government's inability to first detect the threat was a failure of Einstein, a threat detection and prevention system that sits across federal agencies.

Einstein, however, is limited by design and outdated. It's intended to detect intrusions based on network perimeters, and the SolarWinds attack did not involve intrusion protection.

Critics of the "defending forward" concept used the SolarWinds hack as an example as to why the concept doesn't work, Gallagher said. Defending forward gives security professionals the leeway to utilize the "red and gray" space of cybersecurity under an adversary's control. However, SolarWinds was executed in the "blue space" of cyber, where the military "appropriately" does not operate, said Gallagher.

A hack like SolarWinds might have been avoidable if there was oversight into how the executive branch uses the resources provided by Congress, according to Gallagher. The commission should have an interactive relationship with the executive branch, he said.

The connection between the executive branch and the commission will likely be through the national cyber director, which Langevin called the most significant accomplishment of the CSC. "The one thing that has been missing in all of our strategy and in all of our efforts was a quarterback on the field."

The government needed a single bridge that could reach across policy and budgetary authorities, which is what the director will do, said Langevin. President Joe Biden nominated Chris Inglis for the role, which is currently awaiting congressional confirmation.