The rash of cyber attacks in the last six months is forcing the Cybersecurity and Infrastructure Security Agency to come up with a new way to secure agency cloud instances.
CISA will use some of the $650 million it received through the American Rescue Plan to test out these concepts.
“One of the real lessons out of Solarwinds was the exploitation of cloud environments, particularly Microsoft Office 365 cloud environments for federal agencies, and the challenges with visibility and logging that federal agencies and CISA had for what was happening inside these cloud environments,” said Brandon Wales, the acting director of CISA during a Senate Homeland Security and Governmental Affairs hearing on Tuesday. “So part of our additional resources under the American Rescue Plan Act is standing up a secure, threat hardened cloud environment. We will pilot that out and then promulgate the reference architecture across the federal government to help improve the security of cloud environments for all of our federal partners.”
He said the focus would be the cloud instances used by agency business systems.
“Right now, there is a variety of different cloud security environments that agencies have adopted. We want more consistency,” Wales said.
Wales didn’t say how much money would go toward the pilot, when it would begin, or how long it would last.
Jim Reavis, the CEO of the Cloud Security Alliance, said securing the cloud instance is both protecting the outside in and the inside out.
“The big threat vectors for cloud tend to be on the user side. With so many configuration options and issues for things like encryption options, key management and multi-factor authentication. There are different levels for how secure you may want to do all of those things,” Reavis said. “The policies for the cloud instance are related to the type of information that you have blockers for, and how it reacts if someone is emailing sensitive documents or if the system is compromised. You have to have the right technology policies to do right blocking, blacklisting and black holing.”
Logging capabilities missing so far
The idea of moving agencies to a secure cloud instance came up more than a month ago during a House Appropriations Committee hearing.
Rep. Lucille Roybal-Allard (D-Calif.), chairwoman of the Appropriations Subcommittee on Homeland Security, asked Wales and Eric Goldstein, the executive assistant director for cybersecurity at CISA, whether the agency was considering mandating a more secure O365 instance.
“Many federal O365 email accounts have only the most rudimentary security logging capabilities, which is necessary for cyber defenders to track malicious activity. It’s also concerning that a significant portion of CISA’s American Rescue Act funding is slated to go to upgrading these licenses,” Roybal-Allard said at the March hearing. “Why isn’t advanced security logging enabled by default on many of these federal cloud accounts that the government procures? And how much of this $650 million supplemental funding is currently planned for license upgrades to support logging? Will CISA be issuing a directive to require agencies to procure licenses that require advanced security logging on cloud contracts, and if not, how do we fix this problem?”
At the time, Goldstein didn’t commit to mandating the upgraded licenses, but did say CISA intends to develop a process to improve the level of cloud security across the government.
“One option that could be considered is the improvement of licenses with existing vendors. There are other options that could achieve a similar goal,” he said. “Our goal is strategically to ensure federal agency data is secured wherever it sits, on premise or in the cloud.”
Nearly two months later, it seems CISA has a plan.
Reavis said that no matter the approach CISA takes, the pilot can’t last long, and agencies need to be able to implement the reference architecture in a short time.
“Hardening guidelines for different cloud services should be months to create. It’s a list of what you lock down and what you turn on,” he said. “It would be impossible to do a multi-year pilot because things change too rapidly. I would imagine CISA very rapidly creating the best practices and then iterating them. It’s not something you just do once. There is entropy with cloud security. What is secure today may not be secure in a few months because of the dynamics of the code and the vulnerabilities. If it’s not iterative, it will not have value for agencies.”
Expand their cyber defensive teams to spend more time doing persistent hunt activities inside agencies.
Deploy new technologies and sensors in federal networks, specifically for endpoint detection and response. Wales said this will give CISA better visibility into what’s happening on networks across the government.
Accelerate the move toward secure and defensive architectures like zero trust and build more defensible and secure network configurations and architecture.
“The Joint Cyber Planning Office will build on the success of our recent operational collaboration, unifying public and private sector cyber incident planning and integrating the execution of the cyber defense operations conducted under CISA’s asset response mission,” he said.
CISA also plans to continue its hiring spree. Wales said the agency has hired more people in the first six months of 2021 than it did in the last two years combined.
“We have a lot of vacancies to fill,” he said.
He also said when DHS gets its Cyber Talent Management System up and running this fall, CISA will be among the first in line to use it.
“We are working to identify the types of positions that will be best filled by using the Cyber Talent Management System approach,” he said. “We’ve worked hard with the department to build out the testing around specific positions we need to fill.”