Millions in Covid relief funding to be used for federal cybersecurity efforts

Millions of dollars in funding from the Covid-19 relief bill passed Wednesday will be used to help the federal government improve its cybersecurity efforts in the wake of high-profile breaches that have caused alarm for officials and lawmakers.

“[I]t reflects a recognition by this administration of the urgency of improving cybersecurity,” said cyber chief Eric Goldstein of the Cybersecurity and Infrastructure Security Agency, adding that it will provide funding ahead of the next budget cycle, given the current threats facing federal networks.

The funding comes as CISA, a Department of Homeland Security agency that was founded during the Trump administration, is dealing with the fallout from two recent cyber breaches. Congress, Goldstein said, included $650 million in the $1.9 trillion Covid relief bill for CISA’s cybersecurity risk management programs.

Goldstein, a top political appointee, said the funding stems from the fact that federal agencies are providing services either “directly or indirectly related to our country’s ability to recover from the pandemic.” In an interview with CNN, he also pointed to increased remote work during the pandemic, which has created a reliance on cloud computing and therefore increases the need for security tools.

Last week, Microsoft reported that a sophisticated group of hackers linked to China exploited its popular email service that allowed them to gain access to computers.

On Wednesday, CISA and the FBI issued an alert saying there are potentially “tens of thousands” of systems in the United States vulnerable to the breach. The alert was intended to “further amplify” the need for organizations to implement the directions in CISA’s recent emergency directive, as well as the guidance from Microsoft, said Goldstein.

As of Wednesday, about 90% of federal government Microsoft Exchange Server instances have been mitigated, according to Goldstein, who pointed out that there is no confirmation yet that any agency has been “compromised.”

The agency is also continuing to help agencies deal with the devastating SolarWinds supply chain breach linked to a suspected Russian spying campaign.

The number of impacted entities remains the same, Goldstein said. At least nine federal agencies were targeted and at least 100 private-sector businesses were compromised, the White House previously confirmed.

CISA acting Director Brandon Wales said earlier Wednesday that the agency continues to believe the SolarWinds breach was “largely an espionage operation” to collect information, largely based on Microsoft Office 365 email for agency personnel.

During a House Appropriations Committee hearing, he said that it was “extremely targeted.” There was usually only a couple of dozen individuals at an agency that were targeted as part of this campaign, according to Wales.

CISA has “no evidence at this time” that the actor did anything except steal information, Wales said.

Rep. Lucille Roybal-Allard, chairwoman of the House Appropriations Subcommittee on Homeland Security, said Wednesday that the SolarWinds incident, the compromise of Microsoft Exchange servers and the recent water treatment facility attack in Florida demonstrate that cybersecurity breaches are no longer isolated incidents.

“Networks are an emerging battlefield for both the public and private sectors,” she said.

CISA recently launched pilot programs to improve visibility into federal civilian networks, which are being used as “proofs of concept” to determine which combination of capabilities will prove most effective. The goal is to be able to continuously analyze security data from agencies to proactively identify adversary activity “far more quickly than we can do today,” Goldstein said.

Part of the pilot is to deploy additional endpoint detection and response tools on government agency networks, which would allow for proactive blocking of malicious activity. Another way is for agencies to provide CISA with access to their security data, primarily logs, for analysis on that data.

CISA is working with specific agencies on what tools or combination of tools are most effective and allow for “persistent hunt activity.” Goldstein declined to name the agencies involved in the effort.

Currently, CISA principally conducts threat hunting and other incident response after an intrusion has been identified.

“Where we want to go, is really move that far earlier in the process, so that we are continuously executing this sort of threat hunting activity, and can identify adversary activity, ideally, within a very short time period after an initial intrusion occurs,” he said.