Hitesh Sheth is the president and CEO of Vectra. Previously, he was chief operating officer at Aruba Networks and before that, he was EVP/GM at Juniper Networks.
PRIVATE SECTOR — The March 3 notice from the Department of Homeland Security’s cybersecurity command was crisp and urgent. The headline: “Mitigate Microsoft Exchange On-Premises Product Vulnerabilities”. It reported the discovery that Microsoft Exchange software at work on government agency property had been compromised by hackers. The emergency directive ordered all federal agencies to scan metadata for anomalous activity, unplug affected hardware, download patches, and report the job done by March 5.
On one hand, the reaction time mandated by CISA (the Cybersecurity and Infrastructure Security Agency) is admirable and gratifying. Getting anything done across the federal agency landscape in 48 hours is no small feat. On the other hand, an experienced observer’s heart sinks. Here’s yet another case in the cybersecurity world of rearguard action: damage control in the wake of a big breach. Good for CISA for bolting the barn door – but who knows how many horses have already left.
In aviation terms, we want CISA to perform like the FAA, implementing preventive measures that save lives. But too often it’s like the NTSB, sifting accident wreckage, trying to determine what cost lives.
The SolarWinds breach of critical infrastructure at Homeland Security, Defense, State, and Commerce, discovered in 2020, just highlighted our cyber vulnerabilities. Before detection, the malware slumbered within target systems for months – a known attack strategy that again outwitted endpoint defense systems.
Prevention technologies like firewalls aren’t much help when the fire’s smoldering on the inside.
When the scope of the SolarWinds attack came to light, the response options were mostly reactive; it was too late to be preventive. We haven’t yet catalogued all the damage. The after-action cleanup continues today, and probably will for years.
Still, most cybersecurity vendors sell the government prevention and some form of endpoint defense – and keep assuring Washington prevention is the go-to strategy.
The Biden administration’s COVID-19 relief package proposed more than $10 billion in new cybersecurity funding for CISA and the General Services Administration “to launch the most ambitious effort ever to modernize and secure federal IT and networks.” Good – but the bill is in flux on the Hill.
The Senate has already nixed another proposed $9 billion for federal IT modernization even though “antiquated” is too generous a word for much government cybersecurity tech. “I can only describe it, not to malign intent, but to a lack of understanding of why these investments are so important,” said Rep. Gerry Connolly (D-VA), chair of the House Government Operations Subcommittee.
The real, meaningful edge in cybersecurity today lies with internal system visibility, rapid exposure of intruders, and artificial intelligence that keeps the defense strategy in step with the attackers’ ingenuity. I guarantee our adversaries are using AI against us right now, but our government’s not yet there.
To get out of NTSB-style accident analysis and into a more secure posture, we need a tactical transition from less effective perimeter-defense tech to threat-detection solutions that give our critical infrastructure a fighting chance.
And a common security architecture across federal agencies, with a common core security infrastructure, would fortify them better against cyber assault. When agencies function as separate fiefdoms, building duplicative digital systems, it may be lucrative for Beltway contractor-consultants – but that $10 billion, if it’s appropriated, won’t go as far as it should.
Evolving cybersecurity takes more than money. It takes a shift in mindset.
All credit to CISA and federal IT departments for swift action on the Microsoft Exchange compromise – the swiftest possible today, anyway. Yes, take corrupted servers offline and download those patches. But let’s also move the government beyond reactive damage control thanks to obsolete security technology – defenses we know our enemies can outmaneuver. Let’s leverage AI to upgrade our systems, and our odds in this ongoing cyber conflict.