WASHINGTON, DC – Today, U.S. Senator Rob Portman (R-OH), Ranking Member of the Senate Homeland Security and Governmental Affairs Committee, pressed federal witnesses from the Department of Homeland Security and the Office of Management and Budget on the need for a single point of accountability for federal cybersecurity. The hearing today examined last year’s SolarWinds hack and subsequent breaches that compromised the information technology systems of critical federal agencies, private companies, and several state and local governments. In June 2019, as then Chairman of the Permanent Subcommittee on Investigations, Portman released a bipartisan report that found that the vast majority of agencies reviewed by the Subcommittee failed to implement effective and comprehensive cybersecurity frameworks as required by the Federal Information Security Modernization Act (FISMA). In December, Senators Portman and Gary Peters (D-MI), Chairman of the Senate Homeland Security and Governmental Affairs Committee, introduced a bipartisan bill that would increase transparency and modernize how the government responds to cybersecurity incidents on federal information systems.
In addition, Portman asked questions that revealed significant limitations in federal cybersecurity defenses, including the Department of Homeland Security’s current intrusion detection and prevention system, EINSTEIN. Portman’s questions emphasized the need to improve the EINSTEIN program, which is set to expire in 2022, and move beyond the current signature-based perimeter security. He noted that these attacks demonstrate the vulnerabilities of our cyber defenses and called for an effective federal cybersecurity strategy to deter, detect, and mitigate future cyberattacks against the United States.
Excerpts of Senator Portman’s questioning can be found below and videos can be found here and here.
Portman: “Thank you, Chairman Peters. Thank you all for your testimony this morning and your hard work on this. One of the concerns that I mentioned in the opening statement is accountability and in particular, we have been more active up here on the legislative side as well as within government to try to figure out how to push back against these attacks and as a result, I’m concerned that there are new entities and there’s the opportunity for duplication, confusion in leadership and just lack of accountability. And I saw this with regard to SolarWinds when it happened there was some pointing of fingers and the fact is the private sector found it, and not even government.
“So the question is as we look at legislation to try to reform some of the existing laws, including FISMA, the Federal Information Security Modernization Act, which is the legislation that requires that the agencies have better cyber defenses and practices – and I mentioned earlier we had an in-depth investigation in that and found that a number of agencies were not keeping up – but as we look at reforming that, the question is, you know, how do we do it?
“Mr. DeRusha, in your role as the Federal Chief Information Security Officer and Mr. Wales, you are head of CISA and Ms. Ugoretz, you are the Assistant Director for FBI Cyber Division and then we have the newly created National Cyber Director Position within the White House, there are a lot of people responsible. So I guess Mr. DeRusha, I would start with you. When a cyberattack happens, who do we hold accountable?”
Office of Management and Budget Federal Chief Information Security Officer Christopher DeRusha: “Well, Senator, you know as Brandon described earlier, for significant incident response we leverage currently the UCG, which is led by National Security Council staff – DHS, FBI, and DNI and then others as appropriate. So for this particular incident, some of our other agencies are brought in. And so because everybody has got a key role to play it is really about ensuring we have the appropriate governance structures in place to manage these events together and that we are keeping clear lines of communications as we work through these things.”
Portman: “So no one is accountable?”
Mr. DeRusha: “No, Senator.”
Portman: “By the way, you added another wrinkle to this which is there is someone on the National Security Council apparently who has been designated as a coordinator in addition to what CISA is doing, in addition to what OMB is doing, in addition to this new role in the National Defense Authorization bill which is called the National Cyber Director Position. Is that accurate?”
Mr. DeRusha: “Senator, I would characterize it slightly differently. I believe that, again as I said, everyone has a key role to play here in their authorities and we work quite well together. I don’t believe that it is an issue because we have these types of processes where we are coordinating and streamlining all of our response efforts.”
Portman: “So if everyone is in charge, no one is in charge, right? So who exactly is accountable?”
Mr. DeRusha: “Well, Senator, again, just to say every agency has its own role and responsibility in cyber incident response and…”
Portman: “Okay, well, that was the answer you gave me last time and that is great but let me ask you a direct question about this new National Cyber Director Position. It hasn’t been filled yet by the Biden Administration but it was in the National Defense Authorization Act. Do you think that position is necessary given the fact that you have four or five different entities now you say working altogether?”
Mr. DeRusha: “Yes, Senator, we are working carefully on looking at the roles and responsibilities across all of the different agencies’ inequities, and I know the administration is committed to filling that and other critical positions. So that is being worked on. What I’ll say is, absolutely there is a need to continue to improve and enhance our coordination, and you know, this role will help us do that.”
Portman: “Okay. I wonder if any of the other panelists have thoughts on this. I mean, it seems to me somebody needs to be in charge, right? And for over a year this attack went unnoticed, and when it was finally discovered, it was discovered not by government, but by the private sector. And it wasn’t even SolarWinds. It was FireEye, which was another supplier. So, Mr. Wales, you look like you might be interested in saying something.
“Who should be in charge? And again, why don’t you tell me what you think about the National Cyber Director Position? It sounds like what Mr. DeRusha is saying is it’s just another responsibility. He said there are several important responsibilities to be filled. I mean, shouldn’t this be the one that actually coordinates everything and has the ultimate accountability? Mr. Wales.”
Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) Acting Director Brandon Wales: “So I would kind of highlight a couple of areas.”
Portman: “And I know you won’t just protect your own CISA jurisdiction because you’re a broad-minded person.”
Mr. Wales: “Absolutely. You know, I’ll say a couple of things. One is Congress has provided us, to the various agencies, responsibilities, authorities, and accountability. So for example, under FISMA, every agency head is responsible for the security, the cybersecurity of the systems that they operate. And I think that is one area that we need to…”
Portman: “And they have failed. Sorry, I just have to throw that out there because those eight agencies that we identified have not met the basic requirements of FISMA, and yet who’s accountable?”
Mr. Wales: “I mean, I think ultimately under FISMA, agency heads are accountable. There is certainly accountability for CISA for the role that we play in helping to protect and secure and support those agencies in the management of the federal civilian executive branch networks. I think the idea that Congress had for the National Cyber Director was a way to drive coordination at the White House, particularly related to coordinating on incident response.
“But the position doesn’t exist yet, and so I think a lot of this will be determined by, once it’s established, you know, the identification of roles and responsibilities for its office. What I will say is that the ability for the government to work together on cybersecurity incidents, I would argue, has never been stronger, in part based upon a lot of work from our career officials at the FBI, CISA, DNI, and NSA, we are working more collaboratively. There is more joint engagement with the private sector, with our federal agency partners, to ensure that there is not duplication of effort, that we’re all bringing our unique expertise, skills, and abilities when we have cybersecurity incidents or we need to help agencies prepare ahead of time. And I think we would hope that any new addition to that is additive and is strengthening that collaboration that currently exists and making it stronger.”
Portman: “Okay, well I’m glad to hear that, and it was a relative description saying it’s never been stronger. You didn’t say it’s as strong as it needs to be. Obviously, we had the most massive attack in the history of our government, and it went undetected for over a year, and it was detected by the private sector, not by government, and has incurred tremendous damage, we believe. So let’s continue the conversation. We’ll come back around the second round, but I do think better coordination is part of the answer, as you say, but also accountability. And since you mentioned FISMA–sorry, but I had to talk about the fact that we know FISMA’s not working. So let’s figure out how we can find the entity or the person, in particular, who is responsible and therefore accountable. Thank you, Mr. Chairman.”
…
Portman: “Thank you, Mr. Chairman. And Senator Romney, I appreciate your line of questioning. I want to talk about EINSTEIN for a moment. The statutory authorization for the EINSTEIN program expires in December of 2022. So it gives us an opportunity to take a look at this.
“Mr. Wales, I think we can all agree that hackers behind the SolarWinds attack were very sophisticated, and hard to detect. But clearly, someone was able to detect them, or we wouldn’t be here today. Unfortunately, it was, again, the private sector, not government. I think it’s important to start by discussing the limitations of the Department of Homeland Security’s Cyber Intrusion Detection Program, EINSTEIN, and asking why it didn’t detect this threat and how we can improve it. So Mr. Wales, could you assess EINSTEIN’s current performance?”
Mr. Wales: “Sure. And I would say, Senator, that EINSTEIN continues to perform, you know, as it was designed, and it can protect against the things that it was designed to protect against. And I will note that EINSTEIN is an intrusion detection system, which means it’s looking at the perimeter of a network and examining traffic that’s going from outside the network to inside the network.”
Portman: “So it was not designed to detect unknown threats like the SolarWinds attack, correct?”
Mr. Wales: “It was not designed to detect unknown threats. That being said, it was also, and again, EINSTEIN is not just one capability. It is a suite of different types of capabilities, but all at the perimeter, all looking at that traffic moving into and out of federal networks.”
Portman: “So it was not the first to detect this threat?”
Mr. Wales: “Well, I would say that there was no intrusion.”
Portman: “No, it was not the first to detect this threat, correct?”
Mr. Wales: “Correct. But I would just point out that there was no intrusion detection or intrusion protection system anywhere that detected this threat. FireEye did not use an intrusion detection system to detect this threat. And they could not. It just would not work that way. Part of what I indicated earlier was that we need to supplement what EINSTEIN does, looking at the perimeter of networks with what’s happening inside the network.”
Portman: “Can EINSTEIN scan for intrusions on cloud environments like Microsoft Office 365, or Amazon Web Services?”
Mr. Wales: “No.”
Portman: “Within a government, are you seeing increased use of cloud environments like Microsoft Office 365, and Amazon Web Services for IT services?”
Mr. Wales: “Yes.”
Portman: “What about other encrypted internet traffic? Can EINSTEIN scan all encrypted internet traffic going to and from government agencies?”
Mr. Wales: “So it can see where that traffic is coming from and going to, but it cannot look inside of that traffic. And that’s one of the key areas why we need to move away from perimeter security for that level of intrusion protection and move on to the host. Because when you’re deploying on the host level on those workstations and servers, there the information is unencrypted. And those systems can detect whether activity is anomalous.”
Portman: “So you would say it cannot scan all that encrypted data going to and fro. Is that correct?”
Mr. Wales: “Correct.”
Portman: “And much of internet traffic these days is encrypted, isn’t it?”
Mr. Wales: “More than 90 percent of traffic in federal government is encrypted.”
Portman: “Yeah. I believe that the urgency here is clear. And I think you’ve stated it, that the statutory authorization for EINSTEIN expiring next year gives us a chance to do this. It seems like the significant limitations you’ve talked about means we need to work together to address the next authorization. Would you agree with that?”
Mr. Wales: “Yes, I think we need to keep the pieces of EINSTEIN that continue to work and provide significant value, and we need to transition those areas that don’t to different programs. The American Rescue Act money will provide a down payment to start doing that.”
Portman: “Great, thank you, Mr. Chairman.”