During his two years as director of the Cybersecurity and Infrastructure Security Agency (CISA), Chris Krebs had a budget of more than $2 billion at his disposal. A little less than half of that was allocated for cybersecurity, but with about $800 million of that going to its Continuous Diagnostics and Mitigation program, for Krebs, it never felt like enough to accomplish everything he wanted to do, especially on the state and local levels.
“That leaves very little for broader engagement with the critical infrastructure community. That was my biggest concern and regret, that we were not able to plow more into getting out into the field and engage better with state and local officials,” Krebs said during a hearing of the House Committee on Homeland Security Wednesday.
“We need to allocate more and smarter money in the private sector and increase support for CISA.”
CISA is responsible for protecting critical infrastructure in the U.S., a task that includes partnerships with private sector companies and municipalities that own much of the country’s critical infrastructure. The agency has a broad set of responsibilities, but it does not have much in the way of authority, particularly outside of the federal government. The attack last week on a water treatment facility in Oldsmar, Fla., which involved an adversary using the TeamViewer remote access tool to access the network and raise the levels of sodium hydroxide to lethal levels, highlighted the issue of security weaknesses in the nation’s critical infrastructure. The attacker targeted an application that had not been used for several months but was still active on the city’s network, a situation that is not unusual in such environments, or in enterprise networks, for that matter.
“The cyber actors likely accessed the system by exploiting cybersecurity weaknesses, including poor password security, and an outdated operating system. Early information indicates it is possible that a desktop sharing software, such as TeamViewer, may have been used to gain unauthorized access to the system,” CISA said in an advisory on the incident this week.
“Desktop sharing software, which has multiple legitimate uses—such as enabling telework, remote technical support, and file transfers—can also be exploited through malicious actors’ use of social engineering tactics and other illicit measures. Windows 7 will become more susceptible to exploitation due to lack of security updates and the discovery of new vulnerabilities.”
During Wednesday’s hearing, which focused on cybersecurity challenges facing federal agencies and the private sector, several committee members and witnesses cited the Oldsmar intrusion and the recent SolarWinds compromise as evidence that change is needed at the federal level and in the private sector, as well. The SolarWinds incident affected not just the vendor itself, but also several federal agencies and an untold number of private companies that use the company’s Orion platform. That intrusion has been attributed to attackers aligned with the government of Russia, and during Wednesday’s hearing, witnesses pointed to supply chain attacks like this as a serious issue for government agencies and enterprises.
“We need to stop acting like these attacks are special or rare. If you aren’t the target, you may still be targeted. No one, no one gets off free,” said Sue Gordon, the former principal deputy director of national intelligence.
“Since we are all connected, the least of us can affect the most of us. Solutions can not only be for the resource rich.”
The Oldsmar intrusion garnered a lot of attention, not just because the outcome could have been deadly had a human operator not noticed it and had automated backup defenses not been in place, but because of what it signals about adversaries’ intent.
“What that shows is our adversaries are willing to go beyond stealing information or holding it for ransom, and move to destructive acts,” said Michael Daniel, president and CEO of the Cyber Threat Alliance and former cybersecurity coordinator for the National Security Council.
The threat to government and private networks from foreign state-backed attackers is well established and understood, especially as it pertains to what experts refer to as the big four: China, Iran, North Korea, and Russia. What’s less certain is how to deter or disrupt those adversaries, given their resources, motivation, and level of skill.
“You can’t stop all activity, so you can increase the cost of attack by doing the simple things to make yourself secure. We can understand the impacts to our society that we can’t tolerate and if those lines are crossed we will respond,” Gordon said.
“I don’t think of cyber acts as requiring only cyber response. Cyber might be one of them, but that can’t be the only one.”
Krebs, the former CISA director, said those adversaries just have not come up against obstacles that make the cost of operations too high for them yet.
“The behavior will continue until the leadership decides that it will not tolerate it. I don’t think we’ve hit the upper level of their pain threshold yet,” Krebs said.