The discovery in late 2020 of a software supply chain vulnerability that may have compromised thousands of private and public information technology networks, including the Department of Homeland Security and other federal agencies, showed that the Cybersecurity and Infrastructure Security Agency (CISA) lacked resources to best respond to the breach, a DHS audit agency reported on Monday.

The shortcomings included no secure communications system, insufficient secure space, limited access to intelligence for some staff, and understaffing, says the Office of Inspector General (IG) in its report, “CISA Made Progress but Resources, Staffing, and Technology Challenges Hinder Cyber Threat Detection and Mitigation” (OIG-23-19).

The SolarWinds breach is named after the software company whose product, used to monitor network activity, was affected. SolarWinds’ [SWI] software was breached and infected with malware by a Russian intelligence agency. Customers downloaded the software for routine upgrades to their networks, and the breach was detected in December 2020 by the cybersecurity firm FireEye.

CISA, which works with the private sector to reduce risks to networks and provides tools and capabilities to federal agencies to secure their networks, used an unclassified network for day-to-day operations, the report says. However, this network was compromised by the SolarWinds breach, “creating a risk that CISA’s actions on the network could be monitored in real time, hindering response efforts,” the IG says.

As a result, agency staff used workarounds that delayed operations, resulted in lost communications and confusion, and impaired management’s ability to oversee the response.

“In an after-action report, CISA identified its inability to effectively communicate during the SolarWinds response as an area for improvement,” the IG says.

The report also says CISA’s staff didn’t have sufficient classified workspace, and some staff who needed it didn’t have access to intelligence, making it impossible for agency executives to share information with them.

“As a result of the facility configuration and intelligence access issues, CISA sometimes could not effectively use intelligence from its partners in a timely manner,” the IG says. CISA reported to the IG that it has resolved some of the intelligence access issues.

CISA also faces staffing shortages that hinder its operations, the IG says.

As of August 2022, the agency’s division that deals with cybersecurity had a 38 percent vacancy rate, up from 33 percent at the end of October 2021. An employee survey conducted by CISA in the fall of 2021 showed that 61 percent of respondents said their division or office didn’t have enough people to get work done, the report says.

CISA agreed with all of the IG’s recommendations, including updating a continuity of operations plan to have redundant networks, assessing facility needs for intelligence information, documenting the necessary staffing needs, and having a plan for owning, operating and maintaining data analytics provided by an intrusion detection system known as EINSTEIN.