The U.S. government and industry response to the ever-growing SolarWinds intrusion needs to be transformational – the cyber equivalent to the 9/11 terrorist attacks. Recognizing the magnitude of this incident, one of President Biden’s earliest proposals, the American Rescue Plan, calls for $10.2 billion in investments designed to “modernize federal information technology to protect against future cyber-attacks.” If approved by the U.S. Congress – and well-managed within the executive branch – this would be one of the largest single efforts the U.S. government has ever undertaken to fix long-running problems with legacy IT and cyber vulnerabilities, and a significant first step in realigning U.S. cyber defenses while building Americans’ trust in their government’s ability to deliver reliable and secure services.
But this significant investment will only succeed if some of the funding is used to realign U.S. cybersecurity infrastructure so that it becomes risk-based and intelligence-driven, with coordinated and consistent policy and standards for how threat intelligence is used across government in every procurement and risk acceptance decision.
To make that transition, this investment must not repeat the sins of the past. Officials should not waste any American Rescue Plan dollars on insecure legacy products and technologies; on rebuilding, one-to-one, existing networks and systems that may have been compromised in the SolarWinds intrusion; on shifting legacy workloads into new computing environments without integrating security and modernizing their design; or on automating complex, customized processes when equivalent commercial applications are available. Nor should this investment further the insufficient, box-checking approaches of the current federal IT security programs built around the Federal Information Security Modernization Act (FISMA) of 2014.
Instead, government and industry should direct this investment toward best-in-class government and commercial shared services that enable efficient sharing of information while expanding actual monitoring and response capabilities. Specifically, agencies should: 1) develop contemporary architectures and implement modern network, identity, and data management infrastructure; 2) deliver, to the greatest extent possible, citizen services on that infrastructure; 3) automate security processes and information sharing wherever possible; and 4) adopt proactive, risk-based security approaches. Above all, government and industry must ensure that these elements work together to enable a new level of threat- and intelligence-driven cybersecurity.
Smart investments built on a trusted supply chain and based on guidance and standards from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) can raise the barriers to intruders and better protect federal systems. Among those that deserve the attention of federal IT leaders are modern network and identity technologies, including zero trust architectures, next-generation identity management, and dedicated, hardened workstations for users with administrator-level access. Used correctly, these technologies mean that even when an intruder has gained a foothold in a system, lateral movement and privilege escalation within it are much harder to accomplish and easier to observe. They do not, by themselves, prevent an initial compromise delivered through a trusted software update, which is why supply chain trust must be part of the same investment.
Services built on top of such an architecture can be designed and managed with security, information sharing, and user experience in mind, in ways that the thousands of standalone government systems and services cannot be. Security operations built in the same way can enable automated cyber threat reporting and analysis at a scale not possible today, when even the most skilled security analysts spend far too much time manually integrating and reviewing data and tediously filling out compliance paperwork. Shifting security resources in this way would also make room for private-sector best practices such as bug bounties and penetration testing. These are slowly appearing in agencies today, and if they were more widespread they would be a significant aid in identifying attack vectors like the one used in the SolarWinds intrusion.
Furthermore, CISA needs to perform, in the cyber threat space, a role broadly similar to the one the National Counterterrorism Center (NCTC) has played since 9/11: the NCTC was created as a hub for terrorism intelligence and analysis and has evolved into a fusion center of specialists from across the government. Some of the $10.2 billion must transform CISA into a “Cyber NCTC,” an interagency hub that facilitates sharing of threats and analysis, leads incident response, provides accurate threat information, policy guidance, and standards to agencies as they make procurement determinations, and informs risk decisions.
The attacks on 9/11 created the sense of urgency that motivated wholesale generational change across the U.S. law enforcement and intelligence communities. Most significant was the recognition that understanding and responding to complex threats required strategic intelligence and program management at a new scale. The sheer extent of the SolarWinds intrusion should create a similar sense of urgency across federal, state, and local governments, as well as in critical industries, among cybersecurity professionals, and beyond. More large-scale intrusions are certain to come, but if the government makes the right investments with the $10.2 billion outlined in the American Rescue Plan and works with industry to respond with a comparable sense of urgency, we can collectively reduce the impact and cost of future attacks and intrusions.