“[I]t reflects a recognition by this administration of the urgency to improve cybersecurity,” said cyber security chief Eric Goldstein of the Infrastructure Security and Cybersecurity Agency, adding that it will provide resources before the next budget cycle, given the current threats that federal networks face.
Goldstein, a leading political nominee, said the funding stems from the fact that federal agencies are providing services “directly or indirectly related to our country’s ability to recover from the pandemic”. In an interview with CNN, he also pointed to the increase in remote work during the pandemic, which created a dependency on cloud computing and therefore increased the need for security tools.
On Wednesday, about 90% of the federal government’s Microsoft Exchange Server instances were mitigated, according to Goldstein, who pointed out that there is still no confirmation that any agencies have been “compromised”.
The number of impacted entities remains the same, said Goldstein. At least nine federal agencies have been targeted and at least 100 private sector companies have been compromised, the White House confirmed earlier.
CISA’s acting director, Brandon Wales, said on Wednesday that the agency continues to believe that the SolarWinds breach was “largely a spying operation” to collect information, largely based on agency employees’ Microsoft Office 365 email.
During a hearing by the House Appropriations Committee, he said it was “extremely targeted”. Typically, only a few dozen individuals in an agency were targeted as part of this campaign, according to Wales.
CISA “has no evidence at the moment” that the actor did anything except steal information, Wales said.
“Networks are an emerging battleground for the public and private sectors,” she said.
CISA recently launched pilot programs to improve the visibility of federal civilian networks, which are being used as “proofs of concept” to determine which combination of capabilities will prove most effective. The goal is to be able to continually analyze agency security data to proactively identify adversary activity “much more quickly than we can do today,” said Goldstein.
Part of the pilot is to deploy additional endpoint detection and response tools on government agency networks, which would allow proactive blocking of malicious activities. Another is for agencies to provide CISA with access to their security data, mainly logs, for analysis.
CISA is working with specific agencies to determine which tools or combination of tools are most effective and allow “persistent hunting activity”. Goldstein declined to name the agencies involved in the effort.
Currently, CISA primarily conducts threat hunting and other incident response after an intrusion has been identified.
“Where we want to go is really moving forward much earlier in the process, so that we’re continuously performing this type of threat hunting activity and we can identify the opponent’s activity, ideally, in a very short time after an initial intrusion,” he said.