Why Didn't Government Detect SolarWinds Attack?

Senators Want to Know Why DHS' Einstein System Did Not Discover the Incident
Two senators are pressing the Department of Homeland Security to explain why its Einstein system failed to detect the SolarWinds supply chain breach that affected nine federal agencies as well as private corporations.
Sen. Gary Peters, D-Mich., chairman of the U.S. Senate Homeland Security and Governmental Affairs Committee, and Sen. Rob Portman, R-Ohio, the committee's ranking member, wrote a letter to DHS and the Office of Management and Budget questioning the limits of the Einstein intrusion detection system and asking what can be done to improve it.
The authorization to continue using Einstein ends in December 2022.
"Signature-based intrusion detection and intrusion prevention systems are largely limited to detecting previously seen threats - they are ineffective at identifying or blocking sophisticated and novel attacks like the SolarWinds hack," according to the letter addressed to Brandon Wales, the acting director of DHS' Cybersecurity and Infrastructure Security Agency. "As this committee warned nearly five years ago, 'Current reliance on decades old signature-based detection technology limits the effectiveness of Einstein against advanced persistent threats.'"
At a Senate hearing last month, Wales told Peters and Portman that while Einstein analyzes network traffic flowing into and out of federal networks, it would not have been able to detect a Trojanized software update, as was used in the SolarWinds attack. Einstein cannot read encrypted network traffic, so better endpoint detection is needed, he testified (see: The Case for 'Zero Trust' Approach After SolarWinds Attack).
Because the security firm FireEye - and not government officials using Einstein - discovered the SolarWinds attack in December 2020, lawmakers and others are raising significant questions about the reliability of the government's security tools.
"The fact remains that despite significant investments in cyber defenses, the federal government did not initially detect this cyberattack," Peters and Portman note in their letter.
Federal agencies, including the FBI and CISA, continue to investigate the SolarWinds supply chain attack, in which 18,000 of the company's customers downloaded a Trojanized update of the firm's Orion network monitoring platform. Investigators say nine government agencies and about 100 companies were then targeted for follow-on attacks. They say the campaign was likely part of a Russian cyberespionage operation.
The Biden administration is expected to announce executive orders, perhaps including sanctions against the attackers, in the coming days.
In their letter, Peters and Portman ask DHS and OMB to provide more details about the scope of the SolarWinds attack, especially after The Associated Press reported that an email account belonging to former Homeland Security acting Secretary Chad Wolf had been compromised.
"A recent report has raised the troubling possibility that the Department of Homeland Security did not fully report the extent of the SolarWinds breach to Congress," the senators write.
The senators ask DHS and CISA for documents showing which federal systems and networks may have been compromised during the SolarWinds supply chain attack or through exploitation of unpatched vulnerabilities in on-premises Microsoft Exchange email servers.
Peters and Portman also ask for additional information about CISA's Continuous Diagnostics and Mitigation Program, which offers agencies a suite of tools and services for asset management, hardware and software inventory, and configuration and patch management.
The senators ask CISA to provide "the current plan to ensure that each agency utilizes advanced network security tools as part of the CDM program."
A spokesperson for CISA says the agency does not comment on specific congressional correspondence, but it will answer the senators' letter.
At the Senate hearing last month, Wales and Christopher DeRusha, the federal CISO whose office is under OMB, testified that in the wake of the SolarWinds and Exchange attacks, the federal government should implement the "zero trust" security model, which assumes networks have been compromised and focuses on authenticating identity when a user attempts to access a device, application or system.
In the letter sent to DeRusha, the two senators note that they agree that the federal government's approach to cyber is ripe for change.
"An effective federal cybersecurity strategy will need to reevaluate core assumptions and consider new solutions and approaches to cybersecurity," according to the letter. "For example, it may be appropriate to assume some level of compromise within networks and implement a zero-trust network architecture, improve protection at endpoints complemented by heuristic and behavior-based detection capabilities and regularly deploy hunt teams to seek out malicious actors."
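The letter's contrast between signature-based detection and the "heuristic and behavior-based detection capabilities" it recommends, together with Wales' point that a perimeter sensor cannot see inside encrypted traffic and that endpoint detection is needed, can be made concrete in code. The example below is added here and is not from the article, from CISA or from any vendor: it runs a blocklist-style signature check and a per-process behavioral baseline over a handful of constructed endpoint events. The hashes, hostnames, process name and destination names are all invented for illustration; they do not describe the real SolarWinds Orion update or the malware's actual network behavior.

```python
"""Signature-based vs. behavior-based detection on constructed endpoint telemetry.

Added example, not code from the article or any agency/vendor. All data below is
made up for illustration; it is not real SolarWinds/Orion or SUNBURST telemetry.
"""
from collections import defaultdict

# Constructed signature list: truncated hashes of updates already known to be bad.
# A brand-new Trojanized build is, by definition, never on this list.
KNOWN_BAD_HASHES = {"0f3c1a9e"}

# Constructed endpoint events as (host, process, kind, value):
#   kind == "exec"   -> value is the hash of the image that was launched
#   kind == "netout" -> value is the destination the process connected to
# Process attribution is what a perimeter sensor looking at encrypted flows lacks;
# an endpoint agent has it, which is why the behavioral rule works here.
BASELINE_EVENTS = [
    ("srv01", "monitor.exe", "exec", "a1b2c3d4"),
    ("srv01", "monitor.exe", "netout", "update.vendor.example"),
    ("srv01", "monitor.exe", "netout", "update.vendor.example"),
    ("srv02", "monitor.exe", "exec", "a1b2c3d4"),
    ("srv02", "monitor.exe", "netout", "update.vendor.example"),
]

NEW_EVENTS = [
    # Hypothetical Trojanized update: new hash, validly signed, absent from blocklists.
    ("srv01", "monitor.exe", "exec", "e5f6a7b8"),
    ("srv01", "monitor.exe", "netout", "update.vendor.example"),
    # First contact by this process to a destination never seen during baselining.
    ("srv01", "monitor.exe", "netout", "cdn-telemetry.example"),
]


def signature_alerts(events, bad_hashes=KNOWN_BAD_HASHES):
    """Signature check: alert only on exec events whose hash is already known bad."""
    return [e for e in events if e[2] == "exec" and e[3] in bad_hashes]


def build_baseline(events):
    """Learn, per process name, the set of destinations it normally talks to."""
    seen = defaultdict(set)
    for _host, proc, kind, value in events:
        if kind == "netout":
            seen[proc].add(value)
    return seen


def behavior_alerts(events, baseline):
    """Behavioral check: alert when a process contacts a destination not in its baseline."""
    return [
        e for e in events
        if e[2] == "netout" and e[3] not in baseline.get(e[1], set())
    ]


def run_demo():
    """Run both detectors over the constructed 'new' events and return their alerts."""
    baseline = build_baseline(BASELINE_EVENTS)
    return {
        "signature": signature_alerts(NEW_EVENTS),
        "behavior": behavior_alerts(NEW_EVENTS, baseline),
    }


if __name__ == "__main__":
    for name, alerts in run_demo().items():
        print(f"{name}: {alerts if alerts else 'no alerts'}")
```

Run as written, the signature detector returns nothing for the Trojanized build because its hash has never been seen before, while the behavioral baseline flags the single new outbound destination. The caveat a practitioner would add is that a baseline like this also fires on every legitimate new destination, so in practice it needs an allowlisting and triage process behind it, and the baseline itself must be built from a period believed to be clean.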
The two senators also ask OMB to provide documentation about the response to SolarWinds and the Exchange attacks to show who within the government is ultimately responsible for coordinating that response.
"It is important that there be a single point of accountability for leading response efforts to prevent confusion and duplication. We are concerned this level of accountability is currently lacking," the letter notes.