Concern mounts over government cyber agency’s struggle to respond to hack fallout
With Microsoft acknowledging for the first time this past week that suspected Russian hackers behind a massive government security breach also gained access to its source code, pressure is mounting on US officials and cybersecurity experts to explain how the attackers infiltrated various US computer networks, what they did once inside and the steps that are being taken to mitigate the damage.
As US officials struggle with the fallout, questions are swirling about whether the agency tasked with protecting the nation from cyberattacks is up to the job.
On Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) signaled it’s still working to patch the known vulnerabilities, advising agencies to update their software from SolarWinds, a private contractor attackers exploited to gain access to potentially thousands of public and private sector organizations.
Congressional Democrats and the Biden transition team are demanding more information about the massive hacking campaign, calling on the Trump administration to address concerns about its handling of the fallout and perceived lack of transparency in the weeks since the data breach was first discovered.
The Biden team in particular has stated that it’s been stonewalled by Trump officials in its effort to learn more about key national security issues, including the hack.
Trump administration officials say those accusations are exaggerated but have also acknowledged they are wary of any transition activity that could provide the Biden team a head start in dismantling the President’s priorities.
To date, the White House has offered few public details about what is believed to be the most significant cyber operation targeting the US in years. The lack of clarity has only raised more questions.
Private cybersecurity firms have provided their own independent analysis in recent weeks, but the findings disclosed publicly so far have only scratched the surface of what occurred and how to address the ongoing threat.
Microsoft’s announcement Thursday that hackers viewed its source code after gaining access to its systems through the SolarWinds software further highlights the broad reach of the attack and suggests that corporate espionage may have been as much a motive as a hunt for government secrets.
Source code represents the basic building blocks of computer programs: the instructions written by programmers that make up an application or computer program.
The Senate Intelligence Committee expects to receive a briefing on the hack next week from Gen. Paul Nakasone, leader of both the National Security Agency and US Cyber Command, a source familiar with the plans told CNN.
House Intelligence Committee Chairman Adam Schiff received a briefing from Nakasone in late December but is not scheduled for an update next week, according to a committee aide.
Intelligence officials briefed lawmakers on both panels earlier last month after the breach was first discovered but the level of detail provided was limited as relevant agencies were largely caught off guard by the attack.
CISA overwhelmed
The lack of information since then has fueled concerns about the government’s ability to address the ongoing cyber threat, particularly as critics question whether CISA is equipped to protect the integrity of government systems from adversaries, foreign or domestic.
Some of the nearly half-dozen government agencies affected by the hack have recently reached out to CISA for help with addressing the known vulnerabilities that were exploited in the attack but were told the agency did not have enough resources to provide direct support, according to a source familiar with the requests. The person noted the slow response has only increased the perception that CISA is overstretched.
Multiple sources told CNN that CISA, which operates as the Department of Homeland Security’s cyber arm, does not have the appropriate level of funding or necessary resources to effectively handle an issue of this magnitude.
“It’s a two-year-old agency with about 2,000 employees, so clearly that level of responsibility is not commensurate with the resources that they have,” Kiersten Todt, a former Obama cybersecurity official and managing director of the Cyber Readiness Institute, recently told CNN.
CISA was established when President Donald Trump signed into law the Cybersecurity and Infrastructure Security Agency Act of 2018. Congress has incrementally increased the agency’s funding in the years since.
In November, the GOP-led Senate appropriations committee recommended that CISA receive approximately $2 billion in fiscal year 2021 funding, $270 million more than Trump’s budget request sought.
The spending bill signed into law last month is consistent with the appropriations committee’s $2 billion recommendation, which includes $1.2 billion in cybersecurity for the protection of civilian federal networks.
But former officials and experts say more resources are needed for CISA to handle its ever-increasing workload.
“The ‘Nation’s Risk Advisors’ need more resources if we as a country expect them to help critical infrastructure companies during a crisis,” according to Brian Harrell, who served as Assistant Secretary for Infrastructure Protection at DHS before resigning in August.
“The budget is lacking and a better pipeline of subject matter expertise needs to be built,” he added.
Krebs fired
Trump further hamstrung CISA last fall after he summarily fired Christopher Krebs, the agency’s director, who had refused to support Trump’s baseless claims that the 2020 presidential election was marred by irregularities. Another top CISA official, Bryan Ware, was also forced to resign.
Since Krebs’ firing, CISA has not held a press briefing on the suspected Russian hack.
“CISA is not capable,” according to James Andrew Lewis, cybersecurity and technology expert at the Center for Strategic and International Studies, who added that the agency’s failure to detect the breach months ago was largely due to the fact that its attention and resources were consumed by efforts to secure the 2020 presidential election.
“CISA has always been and will continue to be slammed by the responsibilities heaped on it by law,” Daniel Dister, New Hampshire’s chief information security officer, told CNN. “They have been overloaded with work from the start and have had a hard time coming up to the level of expertise that DoD/CYBERCOM/NSA has enjoyed.”
In the weeks since the hack was disclosed, CISA has taken a lead role advising federal agencies on the steps they should take to secure their networks. As part of its work to protect the 2020 elections, CISA also has developed strong relationships with state and local governments, as well as the private sector.
Those ties have now made it the unofficial point agency for hundreds if not thousands of outside organizations desperate for answers. The demands of that role were never foreseen by Congress when it created CISA, Dister and other experts said.
Since the hack was discovered, CISA has held multiple phone calls a week to brief public and private stakeholders. But, Dister said in a recent interview, little has been shared on the calls that isn’t already publicly known.
CISA defended its handling of the fallout, saying that it has been “rapidly sharing information and providing technical support to our partners as we work to understand the scope of the campaign.”
“Everyone who has requested CISA support has received it – without delay – and that will not change as we are prepared for a sustained effort,” Wales, CISA’s acting director, said in a statement to CNN, adding that the agency has “aggressively used all of the tools at our disposal to counter this campaign.”
“CISA, alongside our interagency partners, will continue to lead decisively, share broadly and communicate loudly until our job is done and our networks are secure,” he said.
As concerns mount that CISA is overwhelmed, Trump is considering putting more on its plate before he leaves office by issuing three cyber presidential determinations in the coming days, according to an administration official.
Among them will be a decree transferring certain authorities from the Department of Defense to CISA.
“We’d be putting all of our eggs in a very small basket,” the administration official said, referring to CISA’s limited ability to handle such a massive undertaking.
This is all compounded by the fact that the number of government agencies affected by the attack continues to increase, a steady drip of new revelations that has largely undercut attempts to reassure the public.
CISA has attempted to allay some concerns about its ability to facilitate a coordinated response by releasing advisories for those agencies affected by the breach.
Wednesday’s statement also suggests CISA is leaning on the expertise of the intelligence community as it responds to the incident, noting that the recommended software update was scrubbed by top cybersecurity officials at the National Security Agency who “examined this version and verified that it eliminates the previously identified malicious code.”
CISA’s nod to NSA was largely viewed by experts as an attempt to reinforce the importance of a whole-of-government approach, something one CISA official told CNN is a daily focus for the agency.
Politics taking precedence
The political climate during Trump’s final weeks in office has only made the situation more challenging for CISA and its federal partners.
Privately, some Trump appointees at agencies affected by the breach have made clear their priority is identifying ways the incident could hurt the President politically, according to a source familiar with the discussions.
After one briefing about the attack, top officials at the Department of Energy repeatedly pressed representatives from the NSA to identify potential political ramifications for the President, according to a source familiar with the discussion.
“That was their key concern,” the source said, referring to the line of questioning from top DOE officials during that briefing earlier this month.
“Part of the problem is the White House isn’t really in charge anymore,” said Lewis of CISA. “They got rid of cyber coordinator … They lost that central coordination,” he said. “DoJ, DoD won’t look kindly on CISA telling them what to do. It’s better than it used to be but they’re in a hard spot politically.”
CNN has also previously reported that the Biden team is becoming increasingly frustrated with the lack of information it has received from the Trump administration, as sources close to the transition process say critical details about the attack are being withheld.
The lack of coordination could present a challenge for President-elect Joe Biden once he is sworn into office as he will likely face significant pressure to not only respond to this latest attack but address some of the underlying issues related to how cybersecurity decisions are made.
“They need to restore central direction in the White House and put White House authority behind CISA. They need to go back to central direction that was in the Obama White House,” according to Lewis. “Secretary of Homeland Security has to take this seriously. That’s always been a problem.”
More broadly, the SolarWinds hack must be a “wake-up call for the United States,” said Gilman Louie, CEO of Looking Glass Solutions, a cyber security firm.
“We must have our agencies and companies operate in a cooperative and coordinated fashion. We must bring the best talent to bear, regardless of agency, whether from government, industry, or academia, to defend the nation from future cyber-attacks from state actors,” he said.
This story has been updated with a statement from CISA.
CORRECTION: This story has been updated to correct the month intelligence officials briefed lawmakers after the breach. It was last month in December.