CISA cyber leader says agencies have addressed SolarWinds gaps

CISA has worked with agencies in recent years to expand data captured by the CDM program, improve log retention, and boost network threat hunting operations.

Four years after the SolarWinds cyber attack, the Cybersecurity and Infrastructure Security Agency and federal agencies have closed many of the gaps that made the incident possible.

That’s according to Jeff Greene, executive assistant director for cybersecurity at CISA. During an event hosted by the Cybersecurity Coalition on Thursday, Greene described the impact of the 2020 software supply chain incident. The Russia-linked hackers used the widely deployed SolarWinds software as a vector to infiltrate the networks of nine federal agencies. The hackers likely had access to victim networks for months before the campaign was detected in November 2020.

“What we saw during the after action [reviews] was agencies were seeing events that were part of the campaign, but the government didn’t have enough data, and they didn’t have the visibility across agencies to correlate, to put it together and see that this was happening,” Greene said.

The SolarWinds attack became a galvanizing incident for cyber policy in the early days of the Biden administration. In May 2021, President Joe Biden signed a sweeping cybersecurity executive order that directed agencies to carry out a series of cybersecurity improvements.

Those steps included CISA working with agencies to expand cross-government visibility into potential cyber incidents by expanding the data tracked under CISA’s Continuous Diagnostics and Mitigation program. Biden also directed agencies to expand their logging data and move toward a centralized Endpoint Detection and Response capability.

Greene said CISA can now “see” more than 5 million devices across 94 agencies through the CDM dashboard. The data includes processor models, firmware and software versions.

That data has allowed CISA to automatically track whether agencies are applying critical software patches mandated under the Known Exploited Vulnerability (KEV) list.

And CISA also has access to more than 400,000 logs across agencies, Greene said, along with a “persistent access capability” into agency networks enabled under CISA’s expanded Endpoint Detection and Response program. CISA expects to finish the rollout of EDR this year.

“We do incident response now with federal agencies in a matter of minutes or hours, not days or weeks,” Greene said. “We’re not shipping people across the country. We’re not waiting for logs to come back. We are supplementing what the agencies can detect on their own networks, bringing our own expertise and knowledge from that visibility across agencies, and then what we have learned sitting in that place where we can see the breadth of it.”

He noted that CISA can now analyze threats “in real time” with agency security operations centers.

“This has allowed us to address literally the exact gap that the Russians exploited in SolarWinds and other actors have exploited for years,” Greene said. “Agencies would see activity that was actually part of a campaign, but not the full picture. They either didn’t have the EDR or no one was looking at it more holistically. No one could see the gaps and seams across the agencies, or had the mandate or the technical ability to correlate the events at agency A with what was going on at agency B, C and D. Today, on an increasing basis, we can do that.”

Greene said CISA has been able to detect “nation state activity” at unnamed cabinet departments “because of what we’re seeing on the back end.”

Cyber ‘Typhoons’ await Trump admin

While the SolarWinds incident became an early test for the Biden administration, the incoming Trump administration will need to grapple with the recent targeting of U.S. critical infrastructure by alleged People’s Republic of China hackers.

While the SolarWinds attackers targeted government agencies and a limited number of companies for intelligence-gathering purposes, U.S. officials say the PRC-connected hacks are much broader in nature.

Earlier this year, the Biden administration warned a China-linked group called “Volt Typhoon” had been burrowing into the networks of power grids, water utilities and other critical infrastructure to “pre-position” for potential disruptions.

In September, the Justice Department announced it had shut down a botnet set up by the PRC-connected “Flax Typhoon.” DoJ said the group has been known to target government agencies, critical manufacturing, and IT organizations.

And in recent weeks, federal officials have uncovered a major infiltration of global telecommunications providers by the China-linked “Salt Typhoon” group. Sen. Ben Ray Lujan (D-N.M.) said the attack “likely represents the largest telecommunications hack in our nation’s history” during a Wednesday hearing.

Kiersten Todt, former CISA chief of staff and president of Wondros, said the unfurling Typhoon hacks will be a major transition priority.

“The success of the Biden administration will be in some part how it transitions into this next administration,” Todt said during a Monday event hosted by the Center for Strategic and International Studies. “I think one of the things that Obama to Trump did was, you saw individuals seeing cyber not as a political issue, and taking the time to invest in that transition, and hopefully we [continue] that evolution, because I think Salt Typhoon, Volt Typhoon, the typhoon portfolio, is going to be the most significant priority from a cyber perspective moving into the next administration.”

The Department of Homeland Security’s Cyber Safety Review Board is also expected to investigate the Salt Typhoon hacks to offer findings and recommendations for policymakers. But Greene said CISA and other federal agencies are still actively investigating the Salt Typhoon intrusions, emphasizing the ongoing nature of the incident.

“We have asked for and received assurances that whatever review the CSRB does is not going to impact our ability to conduct the ongoing and really important incident response work,” Greene said. “I think it’s likely at some point the CSRB is going to want to talk to the agencies. But we all have commitments, legal, policy, other commitments with victims, with the entities we’re working with, so we are very mindful of our confidentiality, and we expect and hope that the CSRB will understand and respect our need to continue to work with victims and partners generally.”

Copyright © 2024 Federal News Network. All rights reserved.