Lawmakers Say Overhaul Needed to Protect Fed Agencies from Foreign Hacks

DHS cybersecurity systems insufficient, researchers warn

March 10, 2021

Lawmakers on Capitol Hill are demanding the federal government beef up cybersecurity, pointing to a series of attacks from hostile nations and the Department of Homeland Security’s current inability to detect and deter complex cyberattacks.

The calls for a renewed focus on cybersecurity come as the federal government reels from the "SolarWinds" hack, in which foreign intruders gained access to vast swathes of federal agency communications and records over the course of 2020. Intelligence agencies are still working to identify the scope of the damage but believe Russian intelligence likely accessed emails from the Treasury Department, the State Department, the National Nuclear Security Administration, and even DHS itself.

In its aftermath, researchers and lawmakers worry that foreign adversaries have the upper hand on the federal government, and that programs including DHS’s EINSTEIN, the first line of defense, are unfit for modern cyberwarfare.

Initially developed in 2003, EINSTEIN is an intrusion detection system that monitors the internet traffic of executive branch agencies to spot bad actors. EINSTEIN is operated by the Cybersecurity and Infrastructure Security Agency (CISA), which is housed within Homeland Security. CISA describes EINSTEIN as an "early warning system" that offers "near real-time identification of malicious cyber activity, and prevention of that malicious cyber activity."

In a statement given to the Washington Free Beacon, Rep. John Katko (R., N.Y.), ranking member on the House Homeland Security Committee, said, "It’s no longer just as simple as telling people to ‘patch their stuff,’" and called for a further centralization of cybersecurity work within CISA. Katko has previously endorsed tapping funds for anti-terrorism infrastructure defenses already available to cities and states for cybersecurity purposes.

EINSTEIN has long been criticized for its passive posture. Critics argue that the detection system is fundamentally hamstrung by its design, which only allows it to match intrusions against an existing database of known malware and sketchy IP addresses. A 2015 staff report for the late senator Tom Coburn (R., Okla.) warned that EINSTEIN "can only detect known fingerprints—malware that changes its signatures can be effectively impossible to detect by signature-based intrusion detection."

Additionally, the Government Accountability Office has repeatedly lambasted both Homeland Security and participating agencies for a lack of preparedness. Though EINSTEIN has been mandatory for executive branch agencies since 2015, the GAO found almost all agencies involved were not taking adequate steps to secure their systems and communicate information to DHS.

"It's fair to say that EINSTEIN wasn't designed properly," said former Trump cybersecurity official Thomas Bossert after the SolarWinds hack.

Difficulty attracting top talent, insufficient funding, and overstretched personnel contribute to a beleaguered environment at DHS. Mark Montgomery, a senior fellow at the Foundation for Defense of Democracies, said that without matching DHS and other cyber watchers with the proper resources, the United States remains extremely vulnerable to disaster.

"You’re under-resourced, unhappy, and undertrained. That is not the cybersecurity workforce you want to develop," Montgomery said. "We have not done a good job the last 20-plus years defending our critical infrastructure."

Montgomery also serves as an adviser to the Cyberspace Solarium Commission, a Trump administration project designed to take a hard look at the country’s current strength on the digital battlefield. The commission’s extensive report suggested the threat from hackers extends well into the private sphere and across government and that cybersecurity is not just a problem for the Pentagon.

Rep. Andrew Garbarino (R., N.Y.), the ranking member on the House subcommittee for cybersecurity, emphasized that the need for strong cybersecurity now cuts across nearly all sectors of American life and therefore requires a whole-of-government approach.

"In today's hyper-connected world, cybersecurity is national security," Garbarino said. "Cyber threats are now more prolific than at any time in our history, as is the indiscriminate targeting of the federal government, private sector, state and locals, and private citizens."

Foreign adversaries are increasingly targeting major American corporations. On March 2, Microsoft announced that its email service Microsoft Exchange had been compromised, and that Chinese actors were likely behind the hack. The CEO of cybersecurity firm Volexity, which discovered the attack, said it began in January but that the attacks ramped up in late February. DHS urged federal agencies affected to patch their systems and send a full report to CISA.

The Biden administration thus far has talked about the need to put cybersecurity at the tip of the spear for America’s national defense, but little to no action has been taken on this front.

Montgomery said that due to the complex threat environment cyber officials face, it often takes time for new leadership to get up to speed on how to approach their positions. Such a learning curve makes it all the more important for early and speedy nomination processes for Senate-confirmable cyber positions, such as the director of CISA. The administration has not yet put a nomination to lead CISA on the floor, nor has it evinced any timeline for doing so.

The Biden administration did not return a request for comment on its timeline to nominate a CISA director or other key cybersecurity appointments.