Q&A: CISA’s Eric Goldstein Outlines New Federal Cybersecurity Measures

FEDTECH: What is the government’s stance on ransomware payments?

Goldstein: Ransomware attacks often pose a very hard choice for victim organizations. However, we strongly discourage organizations from paying ransom, both given that paying ransom is no guarantee that an organization or victim will actually get data back and that paying ransom further fuels the ransomware economy and encourages these criminal groups to execute further attacks.

FEDTECH: How does President Biden’s executive order on improving the nation’s cybersecurity address these issues and help to mitigate potential harm?

Goldstein: The executive order focuses principally upon steps that we can take to help protect the federal government from cyber intrusions. However, our hope is that the best practices, the concepts, the guidance and the principles that are going to be created and then executed under this executive order will also be adopted nationally. This executive order is the U.S. government saying, “Here are the things that we think that all entities should be doing to mature and advance their cybersecurity. We’re going to do it first for our own agencies, but these are the sort of efforts that all organizations should be doing to minimize the likelihood of intrusions impacting their networks.”

FEDTECH: Will zero trust be a requirement for agencies?

Goldstein: Agencies are required to make progress towards adopting zero-trust models. Now, certainly for any organization, public or private, with a significant legacy infrastructure, moving toward zero trust is challenging. It takes time, it takes effort, it takes not just new technology but also rearchitecting of processes and of governance. We understand that for organizations that are operating in a legacy IT environment, this is a process that will take time. There are a lot of agencies that are quite small, that do their best, but frankly just aren’t resourced to build a leading cybersecurity program. For those agencies, CISA now has the authority and resources to provide shared services that are going to raise the baseline for cybersecurity for those agencies that will benefit most from our help.

RELATED: What does it mean to practically deploy zero trust?

FEDTECH: How is CISA making third-party and private sector vendors part of the process to protect the software supply chain?

Goldstein: Third-party and supply chain has always been a challenging area for cybersecurity. Our goals are to make sure that we as a government are rating contracts in a way that will hold our third-party suppliers accountable to the right requirements; that we are understanding cybersecurity incidents that are affecting our significant third-party vendors and could correspondingly affect federal civilian agencies; and that we have the right security controls built into contract language, so we have a reasonable level of assurance in the security being adopted by third parties. The executive order calls out the need to make progress in initiatives like a software bill of materials, which is an essential step forward in understanding the components and the lineage of the critical software utilized across federal networks. None of these solutions is a complete answer in itself, but collectively, they really move us forward in understanding and managing risk posed by third-party vendors.

EXPLORE: How will software supply chain security evolve? 

FEDTECH:  The executive order and the most recent National Defense Authorization Act gave CISA new capabilities. How will that help in attributing and responding to future attacks?

Goldstein: The EO includes a requirement to develop a common governmentwide playbook for cyber incident response, which will really improve our codification and then execution of these joint incident responses. This really builds upon authorities that CISA received last year from the National Defense Authorization Act, where we were directed to stand up a Joint Cyber Planning Office. This JCPO is essential to the maturation of CISA’s incident coordination and planning role. We generally know the types of intrusion campaigns that we’ll be facing as a country — not in detail, because our adversaries are adaptable and ever-changing, but we know generally the types of tactics and targets they’ll pursue.

What we’ll be able to do with the JCPO is develop joint cyber defense plans focused on how we collectively as a country, with our whole-of-government efforts and bringing in the private sector, understand cybersecurity intrusions that may affect different sectors, and how we plan for the actions we’ll take jointly to identify and notify victims. Then we’ll be able to kick off joint incident response threat-hunting engagements to make sure that we’re providing a coordinated and well-executed plan.

We also now have the ability to execute our new authority to issue administrative subpoenas, where CISA is aware of a vulnerability affecting critical infrastructure, but we can’t identify the owners of devices that may be vulnerable, because the IP addresses for those devices resolve back to an internet provider. We now have the ability to subpoena an internet provider, identify the companies that are using a vulnerable device, and then notify them and help them manage that vulnerability.

FEDTECH: Is there any way yet to measure the impact of the SolarWinds and Microsoft Exchange Server attacks?

Goldstein: It is too soon to say. It’s useful to measure impact in two different ways. One way is the cost of response and remediation, which in the case of SolarWinds, may include for some organizations a significant rebuild of their infrastructure and improvements to their cloud environments. Those costs are quantifiable, although they will differ for each organization, depending on the nature of the intrusion and the state of the environment where the intrusion occurred.

The broader impact is whatever the adversary was trying to achieve, and those costs are very hard to estimate, particularly for campaigns — as has been reported with the SolarWinds campaign — that were largely focused on espionage. There are long-term, significant impacts potentially to our national security, but those impacts are hard to estimate and hard to quantify.

MORE FROM FEDTECH: How can agencies defend against insider threats?

FEDTECH:  What cybersecurity plans are in place to protect agencies that will continue substantial telework? 

Goldstein: One thing we have seen across organizations — and this is not at all unique to federal government — is that the transition to broader remote work has led to significant acceleration in the use of cloud computing. The executive order focuses very significantly on the need to, for example, adopt a cloud security strategy, which CISA is working on jointly with OMB on behalf of the federal executive branch. We assume that telework will become increasingly an option for the federal workforce to a greater extent than it was before the pandemic. The EO further accelerates existing work to mature our regime around securing cloud environments and making sure that all federal cloud environments are adopting the right practices and the right security controls to reasonably protect the use of those environments for sensitive federal work.

FEDTECH: Did agencies keep their networks secure during the pandemic year?

Goldstein: This is true for the federal government as well as for the private sector: I think organizations did a remarkable job adapting to an environment of nearly ubiquitous remote work while reasonably assuring that appropriate security controls were in place. Most organizations, and particularly the federal government, did adapt remarkably quickly, since one day the vast majority of workforce was in the office and the next day we were all home for a year. Given that rapid transition, I think that IT and security teams did an amazing job in ensuring quick adoption of appropriate security controls for this new environment.