One of the top priorities this year for the Cybersecurity and Infrastructure Security Agency (CISA) is standing up a new interagency cell that furthers collaboration across the government and with the private sector for incident response planning and defensive cyber operations, the acting head of the agency said on Tuesday.
The Joint Cyber Planning Office within CISA was recommended by the Cyberspace Solarium Commission (CSC) in 2020 and authorized by Congress in the fiscal year 2021 National Defense Authorization Act.
“The Joint Cyber Planning Office will build on the success of our recent operational collaboration, unify public and private sector cyber incident planning, and integrate the execution of the cyber defense operations conducted under CISA’s asset response mission,” Brandon Wales, the acting director of CISA, told the Senate Homeland Security and Governmental Affairs Committee.
In its March 2020 report, the CSC recommended the creation of a Joint Cyber Planning Cell to be more proactive in planning for potential cyber contingencies by cutting across jurisdictional lines between agencies and including the private sector in these efforts.
“Furthermore, these agencies have not engaged in the collaborative planning necessary to overcome jurisdictional hurdles, identify gaps, align whole-of-government capabilities, build private sector buy-in, or institutionalize learning through combined exercises,” the report said. “As a result, when an adversary cyber campaign is identified or an incident does occur, coordinated and comprehensive operations in defense of critical infrastructure are unlikely to be timely or effective.”
The committee hosted its second hearing to examine the federal response to a Russian hack of the U.S. software company SolarWinds [SWI] that led to the breach of networks in nine federal agencies and about 100 companies, mostly in the technology sector. The breach of the SolarWinds software was first discovered by the cybersecurity firm FireEye [FEYE] after it detected the perpetrators stealing its own tools.
Wales also said that the response to the SolarWinds and other recent breaches has demonstrated progress in “unprecedented and robust collaboration between the public and private sector,” with information shared rapidly and responses scaled beyond what the government could do by itself. He also said that because industry often sees cyber-attacks before the government does, operational collaboration between industry and government needs to continue to “deepen.”
Sen. Rob Portman (R-Ohio), the ranking member on the committee, asked Wales later in the hearing if Colonial Pipeline, a major transporter of oil to markets on the East Coast and Mid-Atlantic regions of the U.S., contacted CISA about a network breach the company detected last Friday. Wales said the company contacted the FBI but not CISA, adding that his agency was brought in by the FBI.
Wales said CISA “received information fairly quickly in concert with the FBI” and is currently waiting for “technical information” from the company to help provide protection to other entities that may come under a similar attack. It’s still early days in the response, he said, so it’s not unusual to not have the technical information yet.
Asked by Portman if the FBI hadn’t included CISA in responding to the latest attack, Wales said the company wouldn’t have contacted CISA.
“Do you think that’s a problem?” Portman asked.
“I think that there is benefit when CISA is brought in quickly because the information that we glean, we work to share it in a broader fashion to protect other critical infrastructure,” Wales responded.
The FBI on Monday identified the attack against Colonial Pipeline as being the Darkside ransomware variant. The company shut down operations as a precaution to prevent the spread of malware on its networks. Partial operations have been restored and the company plans to make a decision on Wednesday on fully restarting operations.
Portman said the attack was likely “the biggest” on critical infrastructure in the U.S.
Wales also said that lessons being learned from recent cyber threats show the need for sustained investment in cybersecurity at all levels and for modernized information technology infrastructure.
Wales also plugged the need for a Cyber Response and Recovery Fund (CRF), which the Biden administration plans to seek in its FY ’22 budget request for CISA. On Wednesday, the committee will mark up authorizing legislation for the fund, the Cyber Response and Recovery Act (S. 1316).
“The establishment of a CRF will ensure that CISA has sufficient resources and capacity to respond rapidly to catastrophic cyber incidents,” he said.
Sen. Gary Peters (D-Mich.), chairman of the committee and a co-sponsor with Portman of S. 1316, asked Wales how the CRF would help in an incident like the Colonial Pipeline cyber-attack.
Wales said the bill is “an absolutely instrumental advancement in the country’s ability to respond to significant and catastrophic cyber incidents.” The CRF will enable the surge of incident response and prevention activities, including for entities that typically lack cybersecurity resources such as state and local governments and small private sector companies.
On Wednesday, the committee will also consider bills to strengthen the federal cybersecurity workforce and to create a civilian cybersecurity reserve.