The Cybersecurity and Infrastructure Security Agency is expanding a “no-notice” penetration testing program across federal agencies, allowing CISA to find critical vulnerabilities in agency networks before hackers do.
The effort is the latest in CISA’s push to expand “visibility” across federal agency networks, hailed by agency leaders as critical to defending the government from cyber attacks. But lawmakers on the House Homeland Security Committee’s Cybersecurity and Infrastructure Protection subcommittee are raising questions about whether CISA should expand the shared cyber services it offers to agencies.
CISA has already used its new “Federal Attack Surface Testing” (FAST) program to conduct penetration testing across seven federal agencies this year, CISA Executive Assistant Director for Cybersecurity Eric Goldstein testified before the subcommittee on Wednesday.
The tests identified “critical and high findings” on agency web-facing applications, Goldstein continued, and CISA used the program to conduct follow-up testing and ensure agencies fixed the vulnerabilities.
“The visibility that we gain through this capability has proven invaluable in many of the recent significant vulnerabilities that we’ve seen reported in the cybersecurity space,” Goldstein said. “Already, our ability to understand prevalence and drive reduction has been absolutely critical. And so we think this is going to be a tremendous value, both for our federal partners and for partners across the country.”
After conducting several “technology evaluations” over the past 12 months, Goldstein said CISA expects to fully roll out the FAST program by the end of this calendar year.
The Fiscal 2021 National Defense Authorization Act granted CISA the authority to conduct cyber threat hunting on the networks of other agencies without prior approval.
In addition to the FAST program, Goldstein said a separate program called “SILENTSHIELD” also uses the new threat hunting authority.
“The long-term, no-notice approach afforded by these authorities enabled CISA to get an accurate depiction of an agency’s true security posture,” Goldstein states in his written testimony. “Within its first program year, SILENTSHIELD successfully targeted, compromised, escalated, and maintained access to an agency’s (sic) network and is enabling long term [federal civilian executive branch] cybersecurity and architecture investments.”
Meanwhile, CISA also has the power through a binding operational directive issued in late 2021 to direct agencies to fix critical bugs in their networks by adding them to the agency’s “Known Exploited Vulnerabilities” (KEVs) catalog.
Over the past two years, agencies have fixed more than 12 million vulnerabilities in their networks, including 7 million this year alone, according to Goldstein. And crucially, he testified that agencies have demonstrated a 72% decrease in the number of known vulnerabilities that stay unaddressed for more than 45 days.
Over the past year, CISA has seen a 79% reduction in the “attack surface” across federal civilian agencies, Goldstein testified, based on an analysis of internet-accessible known vulnerabilities pulled from the agency’s automated testing capability data.
Goldstein said CISA’s Continuous Diagnostics and Mitigation (CDM) program remains the “core” to the agency’s view of cyber risks across agencies. The CDM program provides agencies with cybersecurity tools and dashboards to help understand risk.
And Goldstein said CISA is updating the program this year to expand visibility across a broader range of agency technologies.
“We know that the traditional model where we focus on securing on-premises infrastructure and assets doesn’t scale to meet how agencies actually use technology today, or how adversaries are targeting us,” he said. “And so even in fiscal year 2024, we are making significant investments in expanding CDM visibility into mobile assets and cloud assets.”
Lawmakers push CISA on shared services model
Members of the Cybersecurity and Infrastructure Protection subcommittee, meanwhile, remain keenly interested in whether CISA could expand further on its shared services model. The agency has been designated as the federal government’s cybersecurity services “Quality Services Management Office” (QSMO) by the White House Office of Management and Budget.
Chairman Andrew Garbarino (R-N.Y.) asked Goldstein whether CDM could benefit from being a “true shared service” like the agency’s Einstein intrusion and detection system. Most agencies have to pay for CDM services after initially joining the program.
“As we evaluate the next generation of technologies that will be delivered through CDM, we are absolutely going to be flexible in the delivery model that will add the most value at the best use of taxpayer dollars,” Goldstein added.
Pressed further on the shared services issue by Rep. Laurel Lee (R-Fl.), Goldstein said CISA takes a “disciplined approach” to determining what security capabilities the agency could provide to the rest of the federal government.
“Do they offer a cost savings? Are they filling a gap that agencies aren’t providing at scale? Is there a benefit in CISA having some centralized visibility into the risks?” he said.
He said CISA would work with Congress on identifying the requirements and resources for additional shared services going forward.
Meanwhile, CISA does offer CDM as a free service to a limited number of small federal agencies. The agencies are the equivalent of a small or medium-sized business when it comes to their IT infrastructure, Goldstein noted. He said CISA is working with OMB and the Office of the National Cyber Director to help identify any further needs of those agencies.
“That certainly is a group that we are really focused on working with OMB and ONCD to understand where can we go next to make sure that as those agencies do provide critical functions, we can support them in their security journey,” Goldstein said.
CISA budget cut
While Republicans on the cyber subcommittee have generally thrown their support behind CISA, the broader GOP majority in the House endorsed a 25% cut to the cyber agency’s budget as part of a fiscal 2024 homeland security spending bill narrowly approved by the House late last month.
Asked to comment on the proposed cut by subcommittee Ranking Member Eric Swalwell (D-Calif.), Goldstein said a “significant cut to our budget would be catastrophic.”
“We would not be able to continue even sustaining some of the core functions across programs, like CDM, like our shared services,” he said. “Right now, we are at the point where we have reasonable confidence in our visibility into risks facing federal agencies. We would not be able to sustain that visibility with that significant of a budget cut, and our adversaries would unequivocally exploit those gaps.”
As fiscal 2024 budget negotiations move forward on Capitol Hill, Garbarino pledged to work with his fellow Republicans to back CISA’s budget request.
“We’re going to make sure our colleagues continue to be educated on what I think, what a great agency CISA is,” Garbarino said.