SolarWinds Opened the Door for Cybersecurity Culture Overhaul at DHS
DHS and CISA want to lead the federal register and private industry by example.

The Department of Homeland Security (DHS) and especially the Cybersecurity and Infrastructure Security Agency (CISA) are leading the federal cybersecurity conversation by pushing SecDevOps, information-sharing and zero trust following the SolarWinds hack in December 2020.
During an ATARC webinar last week, SolarWinds Vice President of Security Tim Brown credited CISA for assisting SolarWinds every step of the way when they first learned of the software supply chain breach.
“CISA has been a great partner through this,” Brown said. “They’ve been with us from Dec. 12 and 13 when this occurred. We’ve probably had more information-sharing on this event than I’ve ever seen, and that’s very good. More knowledge, and more ways to defend … I think that will continue.”
One of CISA’s goals is to increase information-sharing among federal agencies around cyberattacks and best cybersecurity practices. Bob Kolasky, assistant director of CISA’s National Risk Management Center, said consistent information-sharing can also help prevent cyberattacks.
For example, he said, communicating about contracting agreements with industry partners that could compromise the ICT supply chain and affect other federal agencies can crush threats before they occur.
“One of the things we’ve learned is, and what the National Risk Management Center focuses on, is better understanding of critical software and what has access [to it], like things that aren’t immediately clear to a CEO that have huge consequences to an organization if something happens,” Kolasky said during the webinar. “We call it software supply chain security, but that also means differentiating between the hardware and software to allow you to do critical processes. … You can manage risk at the front end by design or taking less trust into the system, your acquisition decisions or supply chain decisions, and those are the kinds of things we want to be pushing there, which leads to a less risk space and you can also learn to have quicker recognition of things happening.”
Kenneth Bible, CISO at DHS, believes that combining SecDevOps and zero trust could dramatically boost a federal agency's cyber posture because they are not products, but cultural approaches to cybersecurity.
“It’s a culture, it’s not about the security teams and the development teams, it’s how you bring them together that adds value,” he said during ACT-IAC’s Federal Insights Exchange webinar on cybersecurity last week.
Bible said federal agencies exploring an Agile approach to development should “begin with the end goal in mind.”
“If your end is to deliver application functionality quickly, then what are you willing to offload from your rucksack and allow somebody else to go manage so you can move quickly at that point?” he said. “How do you maintain a focus on security while maintaining the connective tissue between a development team and an operations team? This is really a conversation about bringing it to the middle with the goal of functionality, delivering to the mission.”
When Bible took over as DHS CISO earlier this year, he stood up an in-house CISO council of all the DHS components’ CISOs to share information regarding best cybersecurity practices throughout the department.
“I took what I referred to as the CISO council and matured that group to take on some initiatives for the department, most notably around SolarWinds and how to assess what to do in the future with respect to SolarWinds as missions were being impacted,” he said. “How we wanted to take that and look at it, working with corporate and industry and make some decisions and recommendations to the CIO, and we were very successful and resulted in some decisions by the CIOs across the organization.”
Now Bible and the DHS components’ CISOs are working together on a new cybersecurity model for DHS.
“It’s really organizing for the fight, not doing the same things, but recognizing where is this field going, and getting ourselves organized for it,” he said.
In Brown’s view, the SolarWinds hack is an opportunity for the industry and the federal government to ramp up cybersecurity efforts and take a hard look at what’s working and what isn’t.
“I think it’s an inflection point for the industry at large,” he said during the ATARC webinar. “We can do better in many different areas, as software providers, how we develop software, ensure it’s correct, go from source code all the way down. I’m a big fan of zero trust, so we’ll use that as well. In my model right now, I trust no one and no things. We’ve done a lot in the last four months to get ready and get things done, and now it’s time for us to really help the industry move forward.”
For DHS and CISA, true change and progress means cultural overhaul — and they want to lead by example.
“Cybersecurity is a culture that’s observed over time,” Bible said during the ACT-IAC webinar. “The real opportunity is, what are the key programs and systems we can actually refactor, reimagine in a modern way?”