The Department of Homeland Security’s top cybersecurity agency doesn’t know how many agencies are segmenting their networks from unwanted outside traffic, a basic security practice, according to a letter recently sent to the office of Sen. Ron Wyden (D-Ore.) by the agency.
The agency provided the answers in response to a February inquiry from Wyden’s office following a heated Senate Intelligence Committee hearing about the breach at the federal contractor SolarWinds. The suspected Russian espionage campaign used a vulnerability in SolarWinds and other software to infiltrate the systems of at least nine federal agencies and about 100 private companies.
Wyden questioned why agencies did not have properly configured firewalls defending their servers running the SolarWinds software, Orion. Such a measure would have prevented hackers from implementing the second stage of the SolarWinds attack and using the backdoor they had planted, according to an assessment by SolarWinds.
The agency concurred that a firewall blocking outgoing connections “would have neutralized the [SolarWinds] malware.”
“While CISA did observe victim networks with this configuration that successfully blocked connection attempts and had no follow-on exploitation, the effectiveness of this preventative measure is not applicable to all types of intrusions and may not be feasible given operational requirements for some agencies,” acting CISA director Brandon Wales wrote.
Both the National Security Agency and the National Institute of Standards and Technology advise that traffic not related to operational needs should be blocked off from servers. Wales says CISA agrees with these recommendations.
“CISA has now confirmed that organizations with properly configured firewalls – a 1990s technology – successfully neutralized Russia’s SolarWinds malware,” Wyden wrote in a statement to CyberScoop. “Instead of weakening our privacy laws to enable warrantless surveillance of U.S. networks, the government should be mandating that agencies and companies that hold Americans’ sensitive data adopt basic cyber hygiene, which is far more effective.”
CISA also responded to criticism that its $6 billion dollar cyber defense system, EINSTEIN, was not able to detect the SolarWinds malware. The Government Accountability Office has raised concerns about the system’s failure to detect new forms of malware since 2016.
The agency is using $650 million in funding from the American Recovery Act to improve its detection capabilities to focus on activity inside government networks and make agencies and CISA “better situated to identify threat activity within federal networks in near-real-time,” Wales wrote.
Biden last month released a 2022 budget blueprint that would propose $750 million for the government response to the SolarWinds hack.
The agency does not have any immediate plans to direct individual agencies to use firewalls.
“It would be impractical for CISA to direct individual agencies to adopt specific network and device configurations on a broad scale, particularly given the unique operational requirements of each agency,” the agency wrote.
Wales says the agency is “evaluating opportunities” to use its authorities to drive federal agency security, something that could be speeded along by the requirements in Biden’s May executive order mandating improvements to software used across the federal government.
Updated, 6/22/21: This has been updated to include a quote from Sen. Ron Wyden.