“The SolarWinds incident … underscores that supply chain security is a topic that needs to be front and center,” Langevin said.
He said Congress needs to “incentivize” the companies to make their software more secure, which could require expensive changes.
Some others are calling for regulation.
“Absolutely there needs to be more oversight of these kinds of companies,” said Emile Monette, the former chief of CISA’s supply chain risk management program. He said the government should require contractors to certify their software is free of even “moderate-impact bugs.” Typically, vendors assure only that their software is free of particularly dangerous vulnerabilities, labeled as “critical” or “high impact.”
Private companies regularly deploy software with undiscovered bugs because developers lack the time, skill or incentive to fully inspect them.
Monette said agencies must “be prepared to pay for increased security” in their purchases and encouraged the government to “double down on investments” in areas such as software security.
It can be hard, however, for federal agencies and Fortune 500 companies to identify weaknesses when they don’t understand the complexity of what they’re buying or the ways in which it could be defective.
“Security is not a significant consideration or even well understood,” said Bryan Ware, CISA’s former assistant director for cybersecurity. “Plenty of sophisticated [chief information officers] bought and deployed [SolarWinds’ software], so it’s not just the vendor I’m questioning.”
There is no central inventory of which government agencies use which software in which offices, which is part of why it has taken agencies so long to determine if they have been hacked.
“The first-order problem is still trying to get our arms around all of the applications and software that reside on the 101 civilian executive branch networks,” said former CISA Deputy Director Matthew Travis.
Travis bemoaned the decentralized approach and encouraged Congress to authorize CISA and OMB “to re-architect the archaic federal enterprise” and push more applications to the cloud.
The automated gatekeepers that do exist — two CISA-run network security programs — also weren’t equipped to identify the SolarWinds intrusion, much less stop it.
One program, dubbed “Einstein,” is supposed to stop threats from crossing the threshold into federal civilian agencies’ networks, but can only spot malicious activity that it has seen before, a shortcoming that the hackers carefully exploited by using servers not previously flagged as malicious.
The other, Continuous Diagnostics and Mitigation, brings together scanning and monitoring services that are supposed to spot and block suspicious behavior on those networks. But CDM’s understanding of what should generate a red flag is limited to clearly suspicious activity, such as offsite transfers of massive encrypted files — which didn’t occur with the infected SolarWinds updates.
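The two shortcomings described above, known-indicator matching that only recognises servers flagged before and behavioural rules tuned to obvious events like bulk encrypted transfers, can be shown side by side on a small constructed log. The following Python is an added illustration written for this page, not code from the article or from either CISA program; every flow record, hostname and threshold in it is made up, and the baseline-deviation check is one generic approach a defender could layer on, not a description of how Einstein or CDM actually work.

```python
"""
Added example: a quiet intrusion that passes a known-bad indicator check and
a large-transfer threshold, but is surfaced by a per-host destination baseline.
All flows, hostnames and thresholds below are constructed for illustration.
"""
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class Flow:
    ts: str           # ISO-8601 timestamp (constructed)
    host: str         # internal host that opened the connection
    dest: str         # destination hostname
    bytes_out: int    # bytes sent outbound
    encrypted: bool   # TLS or otherwise opaque payload


# Constructed sample: a management server that normally only reaches its
# vendor's update host, then starts quiet periodic contact with a new server.
FLOWS = [
    Flow("2020-12-01T02:00Z", "mgmt-01", "updates.vendor.example", 4_096, True),
    Flow("2020-12-02T02:00Z", "mgmt-01", "updates.vendor.example", 4_096, True),
    Flow("2020-12-03T02:00Z", "mgmt-01", "updates.vendor.example", 4_096, True),
    Flow("2020-12-04T02:00Z", "mgmt-01", "updates.vendor.example", 4_096, True),
    # Never-before-seen destination, small encrypted payloads, no known indicator.
    Flow("2020-12-05T02:13Z", "mgmt-01", "cdn-7a3f.hosting.example", 1_024, True),
    Flow("2020-12-06T02:11Z", "mgmt-01", "cdn-7a3f.hosting.example", 1_024, True),
]

# Constructed known-bad list: the "only spots what it has seen before" model.
BLOCKLIST = {"known-bad.example"}


def indicator_matches(flows, blocklist):
    """Signature-style check: flag only destinations already on a blocklist."""
    return [f for f in flows if f.dest in blocklist]


def large_encrypted_transfers(flows, threshold_bytes):
    """Volume-style check: flag only big opaque outbound transfers."""
    return [f for f in flows if f.encrypted and f.bytes_out >= threshold_bytes]


def baseline_destinations(flows, cutoff_ts):
    """Learn, per host, the set of destinations seen before the cutoff.

    Timestamps share one ISO format, so plain string comparison orders them.
    """
    seen = defaultdict(set)
    for f in flows:
        if f.ts < cutoff_ts:
            seen[f.host].add(f.dest)
    return dict(seen)


def new_destination_flows(flows, baseline, cutoff_ts):
    """Deviation check: flows after the cutoff to a destination the host
    never contacted during the learning window."""
    return [
        f for f in flows
        if f.ts >= cutoff_ts and f.dest not in baseline.get(f.host, set())
    ]


def summarize(flows=FLOWS, cutoff_ts="2020-12-05"):
    """Return how many flows each check flags, for comparison."""
    baseline = baseline_destinations(flows, cutoff_ts)
    return {
        "indicator": len(indicator_matches(flows, BLOCKLIST)),
        "large_transfer": len(large_encrypted_transfers(flows, 100_000_000)),
        "new_destination": len(new_destination_flows(flows, baseline, cutoff_ts)),
    }


if __name__ == "__main__":
    for check, count in summarize().items():
        print(f"{check:>16}: {count} flow(s) flagged")
```

The indicator and large-transfer checks both return nothing for this log, because the new server was never flagged and the payloads are tiny; only the per-host baseline comparison surfaces the two flows to the unfamiliar destination. The price of that third check is triage: a legitimately new update mirror would be flagged the same way, so it produces leads for an analyst rather than automatic blocks.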
Calls for action on the Hill
Some in Congress are ready to act. In a statement, Rep. Ted Lieu (D-Calif.) said he was “working on legislation to ensure that vendors doing business with the United States government maintain a vulnerability disclosure policy.”
But new regulations might not solve the problem, technical specialists said.
“Government-mandated security requirements are probably more likely to HARM security than to HELP it,” Andy Keiser, a former top House Intelligence Committee aide and Trump transition national security adviser, wrote in an email. “The standards would be slow, outdated, cumbersome [and] pick incorrect winners and losers.”