The great Solar Winds breach back in 2020 prompted many agencies to improve their cybersecurity. Even the Cybersecurity and Infrastructure Security Agency (CISA) found it had to improve its own ability to detect threats. Since then, CISA has steadily added to its capabilities for keeping an eye on networks across the government. For more, the Federal Drive with Tom Temin with Kristen Bernard, the Homeland Security Department’s assistant inspector general for audits.
Kristen Bernard Before I get into the scope of our review, I’d like to point out this was really an important area for my office to jump into as quickly as possible. We’ve certainly audited CISA a number of times on a variety of topics, but timeliness for this review was really important, because this was our opportunity to do a direct assessment of how CISA is fulfilling its cybersecurity role during a time of crisis. You mentioned SolarWinds, the SolarWinds breach really highlighted the importance for CISA to effectively execute its mission for defending federal agencies against these cyber attacks. So we began this review around January 2022 to determine whether CISA was better positioned following SolarWinds to detect and respond to cyber events. And to answer your question, specifically regarding what operations we looked at, that would be CISA’s cyber threat detection and mitigation. So threat detection is analyzing the security environment to identify any malicious activity. And mitigation is, obviously meant to control sure threat and minimize the impact.
Tom Temin So was this basically the Einstein program or measures beyond that?
Kristen Bernard No, this would not pertain to Einstein. So Einstein is a separate system that’s overseen by a separate office. This is specifically looking at CISA’s cybersecurity division, and that’s one of the three divisions in CISA that focuses on collaboration with public and private entities. So it’s all about visibility into the federal government’s network and identifying any cyber threats and mitigating those threats.
Tom Temin Ok. And what were your main findings?
Kristen Bernard Our main findings were that CISA had really made some progress. They really jumped in when SolarWinds was discovered. But this was an unprecedented challenge for [Department of Homeland Security (DHS)]. Here we have CISA, the lead government agency responsible for understanding and managing cyber risks. But the SolarWinds breach revealed that CISA was just not well equipped. So our findings were that they did not have adequate secure facilities for their personnel to exchange information. They didn’t have adequate staffing, they did not have adequate backup, communication means for when networks are down. And they had a number of very important automated technologies that were still in the development pre implementation phase that could have really helped.
Tom Temin It sounds like you caught an agency that had been moving from a policy, the old directorate, whatever its title was, to something much more operational. And back at that time when the SolarWinds came out, they weren’t quite metamorphisized, if that’s the right word, yet, into the CISA. Perhaps they are much closer to being today.
Kristen Bernard That’s a great way to put it, yes. And it has been a struggle, I think, since I guess five years ago when [National Protection and Programs Directorate (NPPD)] changed over to CISA. Their responsibilities have steadily increased. And I think, as any federal government agency, they’ve struggled to keep pace with staffing technological capabilities. So, yeah, SolarWinds really caught them at a time of still being largely in transition. So there’s a lot of things that they can do to continue improving.
Tom Temin Right. If anything, maybe the audit and the SolarWinds showed that was the right course for them to be on, if they would only continue on it toward fulfillment.
Kristen Bernard Correct.
Tom Temin We’re speaking with Kristen Bernard. She’s assistant inspector general for audits at the Homeland Security Department. And you found that they have taken specific and concrete steps and made progress since that status at the SolarWinds time.
Kristen Bernard Correct. And I think it’s really all about staffing. I think the three primary things they need to focus on are continuing to fill their vacancies at the time of our review. They were roughly a third understaffed. So that is very, very significant. And then also, just continuing those technology capabilities so that they have better visibility on what’s on federal government networks. They do that through their continuous diagnostics and mitigation program. And then they also have a number of tools, one being the malware Next-Gen analysis tool. Both of those efforts were still in development, so it’s really about staying the course. They’ve received a lot of funding, a lot of additional authority to fulfill these roles. But these technologies will help, maybe, fill some of those gaps.
Tom Temin And you mentioned secure facilities in which to exchange information. Have they beefed up that since then, also?
Kristen Bernard I believe so. We did make a recommendation for them to conduct an assessment for the care facilities to make sure that they are appropriately sized and configured to meet their operational needs. And I know that’s something that they were already working on.
Tom Temin Yeah. Let’s get to the recommendations you had for and they’re fairly broad. And I’ll start with say that fourth one, we recommend that CISA director create and implement a long-term plan for the cybersecurity division, the one we’re talking about, to include provisions for ownership operations and maintenance of the National Cybersecurity Protection systems data analytics capabilities. That’s really a management more than a technology decision or recommendation, correct?
Kristen Bernard Correct. That’s specifically focused on the data analytics capability that they were working on. And that’s going to go a long way to help them identify trends and critical vulnerabilities in a more timely manner.
Tom Temin And your top recommendation, or number one, looked like something having to do with continuity of operations to make sure that they’re there, should something else happen like a SolarWinds.
Kristen Bernard Correct. And also making sure that they have the means for communicating when their networks are down or when their networks are compromised.
Tom Temin And then there’s the recommendation that they require an assessment to document levels of staffing, resources, intelligence access needed for operational divisions. That’s the people question and that’s one that’s probably never ending, fair to say.
Kristen Bernard It is fair to say. Like I mentioned, they just really haven’t been able to keep pace. They haven’t been able to hire enough staff to execute their mission. And I think certainly that’s partly due to the skills and expertise. It’s hard for all federal agencies looking for cybersecurity professionals. But it’s also, I think, just the rapid increase in their scope and their mission. It’s just really continued to expand faster than hiring can take place.
Tom Temin Right. And in their hiring in a very competitive area, maybe the most competitive area is cybersecurity. And this strikes me as a report where the agency probably knew this already. What reaction did you get to the recommendations?
Kristen Bernard Well, for staffing, I think their response to the staffing shortfalls, it’s really no different than what we hear from other oddities. And it’s going back to the lengthy recruiting process and the lengthy federal hiring process that generally can take anywhere from 6 to 12 months to hire employees and contractors, especially with hard to find cyber specific skill sets. So it’s all about working in the federal space and federal hiring space. But I know that they are also taking advantage of a lot of the cybersecurity direct hire programs as well.
Tom Temin Yeah, that’s something that a lot of agencies overlook is the hiring authorities they have already existing in the general personnel apparatus of the federal government.
Kristen Bernard Right.
Tom Temin This report is out then. And otherwise, they’re kind of with you. What comes next?
Kristen Bernard Well, what comes next is actually we are doing a similar look at CISA in conjunction with [National Security Agency (NSA)]. We’re doing a joint audit to look at how the National Security Agency worked closely with CISA during SolarWinds. And we expect that report to be released sometime next winter. But as far as CISA, like we said, it’s really staying the course, continuing working on staffing and completing these capabilities.