Senators ask if Einstein, CDM can combat advanced attacks
Congress may take a hard look at the $6 billion Einstein program when it comes up for re-authorization in December 2022.
In an effort to protect the government from incidents like the SolarWinds attack, Sen. Gary Peters (D-Mich.), chairman of the Homeland Security and Government Affairs Committee, suggested the $6 billion Einstein program, should be scrutinized when it comes up for re-authorization in December 2022.
Brandon Wales, acting director of the Cybersecurity and Infrastructure Security agency, defended the program during the March 18 hearing saying that Einstein has successfully protected against the threats it was designed to combat and that stopping the next attack would mean retaining elements of the intrusion detection program that remain valuable and supplementing it with new tools. Previously, Wales publicly acknowledged that Einstein was not designed to combat an incident such as SolarWinds.
"FireEye did not use an intrusion detection system to detect this threat and they could not. It just would not work that way… We need to supplement what Einstein does looking at the perimeter of networks with what's happening inside the network," Wales said.
The acting CISA director recently told a House panel that his agency is actively looking at new tools for end-point detection as a way to stop a future supply chain attack.
Wales acknowledged certain weaknesses to Einstein such as an inability to monitor activity moving to and from the cloud as well as the general proliferation of cloud technology in the federal government.
Sen. Maggie Hassan (D-N.H.) asked Wales about the agency's implementation of the Continuous Diagnostics and Mitigation program, noting that some federal agencies have struggled to utilize the tools it provides.
Wales said most agencies have managed to deploy the tools and that CISA is working with those that still require assistance. He also noted that when CDM was created, agencies had visibility into individual devices in their networks, but CISA did not.
"I think we are now seeing that limitation that that poses on our ability to have a comprehensive understanding of the cyber risk picture of the dot-gov," he said. Wales also said he is hopeful the new administration will issue guidance soon that will help CISA posture itself to have "the right level of visibility" to defend federal networks.
Wales said CISA has provided federal agencies with detailed guidance on how to evict hostile actors from their networks as well as a forensic scanning tool to be deployed on any device that was running a compromised version of SolarWinds Orion.
This article was first posted to FCW, a sibling site to GCN.