As US officials grapple with the aftermath, questions are rising as to whether the agency charged with protecting the nation from cyberattacks is up to the task.
Congressional Democrats and the Biden transition team are calling for more information on the massive hacking campaign and calling on the Trump administration to address concerns about how to deal with the aftermath and the perceived lack of transparency in the weeks since the breach was first discovered.
Trump administration officials say these allegations are exaggerated, but have also acknowledged that they are wary of transition activities that could give the Biden team a head start in lowering the president’s priorities.
To date, the White House has released few public details about what is probably the most significant cyber operation in the US in years. The lack of clarity has only raised further questions.
Private cybersecurity companies have come up with their own independent analysis over the past few weeks, but the results publicly disclosed so far have only scratched the surface of what has happened and how the ongoing threat is being addressed.
Microsoft’s announcement Thursday that hackers viewed its source code after gaining access to its systems through SolarWinds software underscores the broad scope of the attack and suggests that corporate espionage may have been a motive alongside the pursuit of government secrets.
The source code represents the basic building blocks of computer programs. These are the instructions from programmers that make up an application or computer program.
The Senate Intelligence Committee expects General Paul Nakasone, chairman of the National Security Agency and US Cyber Command, to receive a briefing on the hack next week. This was announced by CNN.
House Intelligence Committee chairman Adam Schiff received a briefing from Nakasone in late December, but an adviser to the committee says it won’t be updated next week.
Intelligence officials briefed lawmakers on both bodies early last month after the breach was first discovered, but the level of detail was limited as the relevant authorities were largely taken by surprise by the attack.
The lack of information since then has raised concerns about the government’s ability to address the ongoing cyber threat, especially as critics question whether CISA is able to protect the integrity of government systems from adversaries at home and abroad.
Some of the nearly half a dozen government agencies affected by the hack recently reached out to CISA for help addressing the known security vulnerabilities that were exploited in the attack. However, according to a source familiar with the requests, the agency did not have sufficient resources to provide direct assistance. The person noted that the slow response only increased the perception that CISA is overstretched.
Several sources told CNN that CISA, which acts as the cyber arm of the Department of Homeland Security, does not have the funds or resources to effectively address an issue of this magnitude.
“It’s a two-year-old agency with about 2,000 employees, so the level of responsibility doesn’t match the resources available,” Kiersten Todt, former Obama cybersecurity officer and executive director of the Cyber Readiness Institute, told CNN recently.
CISA was founded when President Donald Trump signed the Cybersecurity and Infrastructure Security Agency Act of 2018. Congress has gradually increased funding for the agency over the past few years.
In November, the Senate’s GOP-led Budgets Committee recommended that CISA should receive around $2 billion in fiscal 2021, $270 million more than Trump’s proposed budget.
The spending bill, which went into effect last month, is in line with the Grants Committee’s recommendation of $2 billion, which includes $1.2 billion in cybersecurity to protect federal civil networks.
However, former officials and experts say more resources are needed to enable CISA to cope with its ever-increasing workload.
“The nation’s risk advisors need more resources if we as a country expect them to help critical infrastructure companies in crisis,” said Brian Harrell, who served as DHS assistant secretary of infrastructure protection prior to his resignation in August.
“The budget is lacking and a better pipeline of expertise needs to be built,” he added.
Trump further hampered CISA last fall when he unceremoniously fired Christopher Krebs, the agency’s director, who refused to support Trump’s unsubstantiated claims that the 2020 presidential election was marred by irregularities. Another senior CISA official, Bryan Ware, was also forced to resign.
CISA has not held a press conference on the alleged Russian hack since Krebs was dismissed.
“CISA is not capable,” said James Andrew Lewis, cybersecurity and technology expert at the Center for Strategic and International Studies. He added that the agency’s failure to detect the breach months ago was mainly due to the fact that its attention and resources were drained in efforts to secure the 2020 presidential election.
“CISA has always been affected by statutory responsibilities,” Daniel Dister, New Hampshire’s chief information security officer, told CNN. “They were overwhelmed with work from the start and had a hard time getting the expertise that DoD/CYBERCOM/NSA has.”
In the weeks since the hack was announced, CISA has taken a lead in advising federal agencies on the steps they should take to secure their networks. As part of its work to protect the 2020 elections, CISA has also built strong relationships with state and local governments, as well as the private sector.
These connections have now made it the unofficial focal point for hundreds, if not thousands, of outside organizations desperate for answers. The demands of that role were never foreseen by Congress in creating CISA, Dister and other experts said.
Since the hack was discovered, CISA has held multiple phone calls a week to inform public and private stakeholders. But, Dister said in a recent interview, little has been shared on the calls that is not already publicly known.
CISA defended its handling of the aftermath, saying it “was quick to share information and provide technical assistance to our partners as we work to understand the scope of the campaign”.
“Everyone who has asked for assistance from CISA has received it – without delay – and that will not change as we prepare for continued efforts,” Wales, acting director of CISA, said in a statement to CNN, adding that the agency has “aggressively used all of the tools at our disposal to counter this campaign.”
“CISA, along with our interagency partners, will continue to lead, share widely, and communicate loudly until our work is done and our networks are secure,” he said.
Amid growing concerns that CISA is overwhelmed, Trump is considering putting more on its plate before leaving office, according to a government official, by issuing three cyber-related presidential orders in the coming days.
This will include a decree transferring certain authorities from the Department of Defense to CISA.
“We’d all put our eggs in a very small basket,” said the administration official, citing CISA’s limited ability to handle such a massive undertaking.
In addition, the number of government agencies affected by the attack continues to grow, a steady drip of new revelations that has largely undercut attempts to reassure the public.
CISA has attempted to address some concerns about its ability to provide a coordinated response by issuing recommendations to the agencies affected by the breach.
The statement also suggests that CISA is relying on intelligence in responding to the incident: Wednesday’s statement says the recommended software update has been reviewed by senior cybersecurity officials at the National Security Agency, who reviewed this version and found that the previously identified malicious code has been eliminated.
For the most part, CISA’s nod to the NSA was viewed by experts as an attempt to reaffirm the importance of a holistic approach to government. A CISA official told CNN that such an approach is a daily focus of the agency.
Politics as a precedent
The political climate in Trump’s final weeks in office only made the situation more difficult for CISA and its federal partners.
Privately, some Trump officials have made it clear to authorities affected by the breach that the priority is to find out how the incident could politically hurt the president, according to a source familiar with the discussions.
After a brief briefing on the attack, senior Energy Department officials repeatedly urged NSA officials to investigate possible political ramifications for the president, according to a source familiar with the discussion.
“That was their main concern,” the source said, referring to the questioning of senior DOE officials during that briefing earlier this month.
“Part of the problem is that the White House doesn’t really have jurisdiction anymore,” said Lewis of CISA. “You got rid of the cyber coordinator … you lost that central coordination,” he said. “DoJ, DoD are not going to be kind to CISA and tell them what to do. It’s better than it was before, but politically they are in a tough spot.”
CNN also previously reported that the Biden team is becoming increasingly frustrated with the lack of information it has received from the Trump administration, as sources close to the transition process say critical details about the attack are being withheld.
The lack of coordination could pose a challenge to President-elect Joe Biden once he takes office, as he is likely to face significant pressure not only to respond to this recent attack, but also to address some of the underlying issues related to cybersecurity decision-making.
“You have to restore central direction in the White House and put White House authority behind CISA. You have to return to central direction that was Obama in the White House,” said Lewis. “The Minister of Homeland Security has to take this seriously. It has always been a problem.”
In a broader sense, the SolarWinds hack must be a “wake-up call to the US,” said Gilman Louie, CEO of Looking Glass Solutions, a cyber security company.
“We need to keep our agencies and companies working in a collaborative and coordinated manner. We need to use the best talent, regardless of agency, government, industry or academia, to protect the nation from future cyberattacks by state actors,” he said.
This story has been updated with a statement from CISA.
CORRECTION: This story has been updated to correct the month in which intelligence officials informed lawmakers after the breach. It was last month, December.