The Cybersecurity and Infrastructure Security Agency (CISA) and the Biden administration want federal agencies to move to zero trust architectures, prioritize migration to cloud services, and share information regarding threats and cyber incidents promptly to prevent future incidents like the December 2020 SolarWinds software supply chain breach by Russian nation-state actors and the May 2021 Colonial Pipeline ransomware attack by cyber crime group DarkSide.
Jim Jones, director of the Criminal Investigations and Network Analysis Center (CINA), a DHS Science & Technology Directorate-commissioned Center of Excellence, and ICE Cyber Crime Unit Chief Matt Swenson have seen a dramatic increase in cyber crime since the start of the COVID-19 pandemic more than a year ago, according to recent interviews with GovernmentCIO Media & Research.
In a recent CyberCast interview, Jones described the rise of “cyber crime as a service” as the cyber crime “industry” becomes increasingly fragmented.
“It might be true that one entity is building and operating a botnet, not because that entity is going to do anything criminal past what they've already done to build the botnet, but because that botnet has value to other criminals,” Jones said on CyberCast “We're also seeing a lot of shifting in terms of the players, so the primary botnet operator one week might be somebody different a couple of weeks later.”
DarkSide provides “ransomware as a service” to the highest bidder, according to Boston-based cybersecurity firm Cyberreason, a customer of which used DarkSide ransomware in the Colonial Pipeline hack.
In a hearing before the Senate Homeland Security and Governmental Affairs Committee Tuesday, CISA asked Congress for more funding to help federal agencies adopt zero trust and modernize legacy IT systems to prevent future incidents like the SolarWinds and Colonial Pipeline breaches. On Wednesday, President Biden then signed an executive order mandating federal agencies adopt a zero trust approach to cybersecurity and implement a plan to do so within 60 days.
The executive order also calls on the Department of Homeland Security, the FBI, the intelligence community and the Federal Acquisition Regulation Council to develop plans immediately to accelerate cloud migration and information-sharing regarding the federal information and communications technology (ICT) supply chain and cyber incidents to strengthen the federal register’s cyber posture.
Congress and CISA agreed federal agencies need to improve transparency around cyber incidents.
“We're the only federal agency charged with getting information out to support everyone's cybersecurity and resilience,” said CISA Acting Director Brandon Wales at the hearing Tuesday. “To do that, we need to be fed the right information from all our partners. The earlier we have that information, and the more information we're able to bring together, the better picture we're able to provide about what's happening, what techniques they’re using, what new tools we need to deploy. That all requires information to be fed into the right place.”
The committee's ranking member, Sen. Rob Portman, pressed CISA on the agency’s involvement in addressing the Colonial Pipeline ransomware attack.
“Colonial Pipeline did not contact CISA directly” after the incident, Wales said, and CISA only became involved after Colonial Pipeline notified the FBI.
CISA and the Transportation Security Administration, which oversees gas pipeline security, are still responding to the incident.
“We are engaged with the company and our interagency partners regarding the situation,” said CISA’s Executive Assistant Director for Cybersecurity Eric Goldstein. “This underscores the threat that ransomware poses to organizations regardless of size or sector. We encourage every organization to take action to strengthen their cybersecurity posture to reduce their exposure to these types of threats.”
“TSA and industry representatives worked together to jointly develop Pipeline Security Guidelines and launched successful pipeline security initiatives including voluntary corporate security and critical security reviews," TSA said in an emailed statement to GovernmentCIO Media & Research. "TSA also partners with industry on security architecture and design assessment programs to strengthen the cybersecurity posture. These programs have allowed TSA and pipeline stakeholders to work together to increase security awareness and preparedness across the industry on a voluntary basis.”
CISA encourages federal agencies and private-sector companies to alert the agency immediately in the event of a cyber incident. CISA’s technical expertise can help address incidents, but more importantly, CISA relies on detailed information surrounding cyber incidents to improve cybersecurity as a whole.
“I think there is benefit when CISA is brought in more quickly because the information we glean, we use it in a broader fashion to protect more critical infrastructure,” Wales said at the hearing. “Right now we are waiting for additional technical information to find out what happened at Colonial so we can use that to protect other potential victims down the road.”
Given the criticality of communicating with CISA, Sen. Portman said there should be stronger information-sharing guidance around cyber incidents.
“It seems to me we also have to worry about these attacks being communicated to CISA,” Portman said. “You've got the expertise, we've passed a lot of bipartisan funding to help you all, it seems to me we have to make sure that communication is happening.”
Wales said the federal government must prioritize IT modernization, hiring personnel with cyber expertise and drilling best cyber practices into employees.
“You want to ensure our technology, processes and people are being modernized together because if any one of those lags behind, you're going to introduce weaknesses overall into your information security program,” Wales said at the hearing. “We see this a lot with the move to the cloud, particularly at the state and local level. They'll misconfigure their cloud environment and make it open and accessible to potential malicious actors.”
The federal government must also “transition zero trust from a buzzword to the baseline standard for network design and configuration,” he added. “It will not be easy, simple or cheap, but the cost of not doing so is simply too high.”
The Biden executive order may address some of Wales’ and Congress’ concerns around IT modernization and transparency.
Besides seeking a standardized approach to reporting and responding to cyber incidents, the order wants CISA, the FBI, and the intelligence community to remove “contractual barriers and [increase] the sharing of information about such threats, incidents and risks” to accelerate "incident deterrence.” Within 30 days, the Office of Management and Budget expects the secretary of commerce and director of NIST to “identify existing or develop new standards, tools and best practices” for software supply chain security.
In a statement, Wales called the executive order is “an important step in bolstering our nation’s cybersecurity.”