In the aftermath of the SolarWinds supply chain attack, which affected a huge swath of government agencies and private companies, the Biden White House issued an executive order intended to batten down the hatches across the government and to encourage industry to beef up security by setting new standards for contractors. Over a year after it was issued, federal cybersecurity leaders at the RSA Conference say they're nearly done.
On stage at the conference, National Cyber Director John Chris Inglis gave an overview of the order’s requirements. “The federal government believes it needs to get its own house in order,” he said. This involved rolling out multi-factor authentication across the federal government, and ensuring data is encrypted in transit and at rest, among other requirements.
“The long story made short is that the government is trying to put its money where its mouth is, driving these practices into the supply chain that then feeds the government,” Inglis continued.
“To my way of thinking, I think that we’ve done extremely well in making a demonstrable difference to the inherent resilience and robustness of those architectures,” said Inglis, adding that he felt the federal government is “82% there.”
Part of the challenge the government now faces, Inglis said, is determining exactly what is still not secure enough. In some cases, systems might not be reachable or upgradable. The solution for those situations, Inglis explained, is to “wrap those in a place to reduce the attack surface.”
Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), explained that carrying out the order is a major undertaking for CISA. “It’s incredibly complicated, it’s 101 departments and agencies. Some are huge departments, some are small agencies.”
The challenge becomes how to manage it as a cohesive whole. “That’s not the way it was architected but I think we can get there given the mandates that were in that executive order,” Easterly said. “I do think we’ve made progress. It’s probably not as quickly as I would like but that’s a common theme for me.”
“The executive order really pushed us to do the things we know we should be doing,” agreed Robert Joyce, Senior Advisor for Cyber Security Strategy at the National Security Agency (NSA). “If you don’t know it, if you don’t know how it’s configured, where it is, what it is, there is no chance you’re going to lock it down and defend it.”
A major theme of the trio's talk at the RSA Conference was collaboration with private industry. "It's not lost on anyone that SolarWinds was not discovered by the US government," said Easterly. "It was detected by a private cybersecurity vendor."
Collaboration in Ukraine
A key example of collaboration the trio shared was the lead up to Russia’s invasion of Ukraine.
“On the eve of the Ukrainian crisis, the US government…was in possession of exquisite, rich, granular, actionable intelligence,” said Inglis. “And it provided that to the various parties that would then be the actors that had to do something about it.”
Inglis explained that this included both nation-state allies and private industry, since some industries would likely be affected by any large-scale cyberattack associated with an invasion. This was for protection in the face of a potential attack, but also because industry might see an attack before the US government does.
“No one of us is probably going to see it for what it is,” said Inglis. “There are some things we can only discover together that no one of us could discover alone.”
Easterly explained that since the war in Ukraine began, CISA has been collaborating with more organizations, including 22 major banks and 38 energy companies, because of the potential for Russian retaliation in those industries.
“We’re sharing information in near real time through a very exotic, technical tool called Slack,” quipped Easterly. Despite the humor, the CISA director said they’ve seen real value. “That has enabled us to really share insights, information, and analysis in a way that the government and the private sector has never done before.”
The collaboration has gone beyond simply sharing information. Easterly explained that the federal government is working to provide information that could actually be used without exposing secrets. “The amount of classified intelligence that has been declassified and provided to add to the richness of what our private sector colleagues have […] is a sea-change, certainly from what I saw in government before and certainly from what I saw in the private sector.”
Despite all that work, Joyce said that the picture will always be incomplete. "The assumption was we had the specific threat—this attack at this place on this time—and the government wasn't being that forward," said Joyce. "That wasn't the case. We knew about real intentions and that was the level of intel granularity."