America's digital defender is underfunded, outmatched and ‘exhausted’

As the Biden administration hustles to contain the fallout from two massive cyberattacks that hit in the span of four months, the fledgling agency created to fend off such assaults is so overwhelmed by the deluge that many insiders doubt its ability to counter another major breach.

Staffers are worn out, money is tight and the Cybersecurity and Infrastructure Security Agency is struggling to keep up with multiple competing crises, including the recently uncovered intrusions blamed on Russia and China, according to interviews with 15 people familiar with CISA’s work. Among them are four current employees and five former agency officials.

“CISA is overworked, understaffed and in one sense fighting half-blindfolded,” said Andy Keiser, a former House Intelligence Committee staffer who is in touch with current and former CISA officials.

Many of those who track the nation’s cyber defenses say they’re worried that CISA — with roughly 2,000 employees — is so consumed with recovering from the existing breaches that it’s too stretched to prepare for the next attack, potentially making future breaches more widespread or more damaging to U.S. economic and national security.

It’s a situation that Congress hoped to avoid when it created CISA two years ago, in the wake of Russia’s interference in the 2016 presidential election. The idea then was to reorganize the DHS teams who battled cyber threats and protected U.S. infrastructure into a robust agency solely dedicated to the defensive side of digital security — a mission that sets it apart from the offensive cyber operations waged by the NSA or the military. Now it appears that Congress may have moved on too quickly, slapping a new name on the agency without giving it the resources needed to do its job.

The struggle at CISA highlights a central problem facing the federal government as it works to protect the country from foreign hackers: a distracted and gridlocked Congress, focused on the crises and theatrics of Donald Trump’s presidency, failed to prepare for the growing digital threats that experts warned were coming. Now it may take years for U.S. cyber defenses to catch up to increasingly sophisticated cyber assaults.

CISA “just can’t do the job that they need to do,” Rep. Dutch Ruppersberger (D-Md.) argued at a House Appropriations Homeland Security Subcommittee hearing earlier this month.

It’s been a tough 12 months at CISA. The agency already had its hands full confronting a surge of digital intrusions that accompanied the coronavirus pandemic. It also went into overdrive to help state and local election officials protect their systems during the heated 2020 campaign — and served as a key check on false claims of widespread fraud, placing its leadership in Trump’s crosshairs. Then in December, the government learned from a security firm that suspected Russian hackers had exploited SolarWinds’ widely used software to tunnel into federal and corporate networks and rummage through the files of nine agencies and roughly 100 companies. As CISA was responding to those breaches, Microsoft disclosed that Chinese hackers had exploited a vulnerability in its email software, setting off a blizzard of attacks as criminals rushed to breach hundreds of thousands of affected servers.

CISA was already struggling last year to assist state officials with election security, and now “there are hundreds of times more incidents,” said Bryan Ware, who led the agency’s cybersecurity division in 2020.

Employees were more direct. “People are somewhat exhausted,” said one.

Staffers said the agency doesn’t have enough people to fill out its threat-hunting and incident-response teams, which deploy to agencies and help them investigate and recover from breaches such as the hack of SolarWinds’ IT monitoring software.

“It’s obvious that, to meet the demand, our supply of threat hunting is pretty low,” said a second CISA employee. Both employees spoke on the condition of anonymity to offer candid thoughts.

Mark Montgomery, the executive director of a congressionally chartered panel whose report has served as a blueprint for reforming CISA, said he’d be surprised if the agency had even 10 percent of the incident-response capacity it needed.

While CISA has been able to meet other federal agencies’ needs, it’s struggling to provide promised support to private sector critical infrastructure companies such as hospitals and power plants, which are facing increased attacks in part because of the pandemic, and to aid small businesses crippled by ransomware attacks, the second employee said.

And key parts of the effort to restructure the new agency have stalled, according to a March report by the Government Accountability Office, which said CISA hasn’t fully defined its different teams’ responsibilities and identified its workforce’s “capability gaps.”

Even so, the employees said staff are generally optimistic, expecting that Homeland Security Secretary Alejandro Mayorkas — who prioritized cyber issues as deputy secretary during the Obama administration — and new senior CISA leaders will listen to staff, advocate for their needs and keep cybersecurity on the front burner with the White House.

“Morale is generally really high,” the second employee said, because even though many people feel overworked, they still love CISA’s mission and “are super jazzed about the political appointees.”

And Eric Goldstein, who leads the agency’s cybersecurity division, said in an interview that while “the resource need for CISA is urgent” it hasn’t yet had to sideline projects.

“We are not, at this point, having to make triaging decisions,” Goldstein said.

Still, the agency remains without a permanent director or even a nominee for the position, and significant improvements may require a cash infusion well above what Congress has considered so far.

House Homeland Security ranking member John Katko (R-N.Y.) said CISA, which received $2 billion from Congress in each of the past two years, needs to become “a $5 billion agency in the next decade.”

Democrats have argued for a funding boost as well, including Homeland Security Chair Bennie Thompson (Miss.). “If Congress wants the private sector to take security seriously — and that means putting money where your mouth is — it has to lead by example,” Thompson said.

That bipartisan push has had some effect. In March, Congress approved an emergency $650 million for CISA as part of President Joe Biden’s coronavirus relief bill.

But the additional money comes as Congress is loading more responsibilities onto the agency.

In the fiscal 2021 defense policy bill, lawmakers directed the agency to take over supervision of .gov websites, and at recent hearings, some lawmakers have suggested having CISA directly manage other agencies’ cyber defenses.

“If you don’t fund the agency, but you do build up the expectations, you’re positioning it to fail,” said Matt Masterson, who served as a senior cybersecurity adviser at CISA from 2018 to 2020.

CISA’s overstretched status is undermining the U.S.’ cybersecurity defenses in multiple ways.

The agency’s two marquee federal network monitoring programs — a collection of perimeter-defense sensors placed on agency networks and a suite of tools to help agencies understand their IT settings — haven’t been updated to account for attackers’ use of never-before-seen malware, rented U.S. servers and clever identity-forging techniques. The SolarWinds hackers exploited these gaps, and fixing them could take years.

The agency also lacks the capabilities to analyze vast quantities of data about hackers’ activities on victim networks, which prevents it from identifying problems before they become crises. And the budget for its division that predicts risks to vital infrastructure systems such as electrical grids and waterworks is tiny compared with the sheer scale of this analysis work.

And other government agencies, such as the NSA and the FBI, don’t have the relationships with the private sector or the insights into its digital challenges to pick up the slack, said John Costello, a former senior adviser at CISA.

Both other federal agencies and private companies rely on CISA to be a central hub for security advice and aid, meaning shortcomings there will ripple outward through the government and the private sector.

“Failing to provide CISA the resources it needs will mean more of the same,” said Thompson — “one shocking compromise after another that costs the economy millions.”
