When the U.S. Cybersecurity & Infrastructure Security Agency (CISA) published its new Incident and Vulnerability Response Playbooks late last year, it was sending an urgent message: Read these now before another SolarWinds attack occurs.
The playbooks are “intended to improve and standardize the approaches used by [agencies facing] vulnerabilities and incidents,” noted Matt Hartman, deputy executive assistant director for cybersecurity. A direct result of President Biden’s executive order to improve cybersecurity, they are aimed at federal civilian agencies in the executive branch, including those at the Cabinet level.
But it’s not just the feds that need to take notice.
CISA has urged all private enterprises to review these materials, which offer vital information for improving network cybersecurity practices. In the past year, cybercriminals have targeted federal agencies and private companies that work with them, using software supply chain attacks (like SolarWinds and Log4j) to steal data and in some cases shut down critical U.S. infrastructure and services.
Few experts outside government are as familiar with the challenges that both federal agencies and private-sector entities face as Quentin E. Hodgson. A senior international and defense researcher at Rand Corporation, Hodgson focuses on issues that are crucial to CIOs and CISOs. Among them: cybersecurity, critical infrastructure protection, and risk management.
Having also led projects for the office of the Secretary of Defense, the Department of Homeland Security, the Navy, Air Force, and NATO’s Allied Command Transformation, he knows the landscape well. Endpoint recently spoke to Hodgson to unpack the significance and impact of CISA’s new playbooks.
(The following interview has been condensed and edited for clarity.)
Why are CISA’s latest incident response playbooks significant?
I have looked at incident response planning broadly and how the government can try to do that better, both internally, but also in collaboration with private-sector partners. The playbooks are really important for internal organizational use. But when you’re thinking about cyber incidents that can impact multiple organizations and multiple critical infrastructure sectors, coordinating the response with public and private entities is an order of magnitude more complex.
Are there shortcomings in the CISA playbooks?
The playbooks are focused on taking existing doctrines and standards and trying to simplify them down to a guide. This is primarily aimed at federal civilian executive branch agencies, which include the departments of Energy, Education, Homeland Security, and many others.
Of course, CISA’s playbooks also include a little line that says other organizations can use this, too. But what it’s doing in that playbook is just saying: If you’re an internal security operations team, for example, here are the steps you should take to identify and respond to cyber incidents.
How will the CISA playbooks help federal agencies respond to the types of massive software supply chain attacks we’ve seen over the past 18 months?
Complex attacks like that are defined in the presidential executive order as a “significant cyber incident.” You don’t expect that type of attack to remain contained to one organization. Think of the SolarWinds attack, which affected many organizations. The attackers used SolarWinds, not just to steal data, but also to try to get into more operational technology and make a physical impact.
With that kind of attack, you’re worried about how it might spread to other organizations. What kind of physical effects might it have? Who is going to be responsible for coordinating the response? Who decides when it is labeled a significant incident? What kind of resources do you allocate to address it? That’s what I’m talking about when I’m talking about complexity.
Do the CISA playbooks go far enough, or do we need something more radical?
We’re all concerned about the growth in cyber threats, particularly those threats that can have knock-on effects that are not just contained to one organization or one sector. I think about the panic that ensued after the Colonial Pipeline ransomware attack and where people were lining up to buy gas. And that led to further problems. And so I think we’re still in the nascent era of trying to understand how we would coordinate the response to those types of complex cyber incidents.
For example, if you’re sitting in a security operations center for a large company, what is going to be expected of you from the federal government if something were to happen? What can you expect the federal government to do to help you? We don’t really know that.
How will the CISA playbooks help federal agencies?
There’s a line in the playbooks that says an agency can request incident response help from a federal threat-hunting team. But then there’s the caveat that that’s based on availability and prioritization, so CISA still has to make a decision about how serious they think some incident is.
You could see where organizations might disagree, particularly in the early stages of an incident. You can overreact and send out all your resources, all your teams to go deal with problems that may not be serious. And then something else happens and you have to re-vector people. Or you could have an organization say, We don’t think this is a big deal, and maybe CISA or the FBI or Homeland Security says, We think it’s a bigger deal than you’re treating it as.
And when it comes to private-sector agencies, CISA and the FBI can’t impose themselves and say, Well, we think you’re not dealing with this fast enough. We’re gonna come and help you.
So, it’s a tricky balance. There are certainly going to be a lot of different opinions and views and interests.
Do you think the government should be more involved and more aggressive?
Yeah, I do. But it’s complicated. We don’t have state-run industries where the government could exert control. Of course, there are regulated industries where intervention might come up. But the bigger challenge is that, depending on the incident and the technology it’s impacting, the government coming in might not be much help.
They couldn’t assist because they might not know what an organization’s networks look like. Their assistance would be more of an advisory role.
Maybe they could perform forensics and so forth. But the actual remediation is much more likely to be in the mandate of that company to deal with, particularly if they have a security operations team. It would also become more complex when they’re relying on third-party response teams.
Do private companies want CISA and the federal government to do more?
A lot of companies are going to be reluctant or hesitant to allow the federal government too much direct hands-on contact with their networks and systems. That’s just a reality. Their response may be, Well, we know our systems much better than you do. The concern would be the government coming in and doing something that would have an inadvertent negative impact.
Beyond that, business and tech leaders, especially those who work with federal agencies, are unclear on what exactly CISA is going to do for them. What kinds of capabilities can you request if you need them? When should you report things and how? There’s renewed debate in Congress about incident reporting requirements, how those should be applied to the private sector, and what are the time thresholds for reporting. So, these are the kinds of issues that are coming into play.