The recent string of major, damaging attacks by foreign adversaries against federal government networks and systems has legislators and federal officials searching for more effective defenses and new ways to respond when attacks occur. One of the ideas gaining momentum in Washington involves creating a kind of reserve pool of private-sector cybersecurity talent that could be drawn upon during major incidents.
The idea is a simple one, similar to a military reserve force, but comprising civilians rather than military personnel. It has been floating around Capitol Hill for a few weeks now, and during a hearing of the Senate Committee on Homeland Security and Governmental Affairs this week, it surfaced again as lawmakers and federal security officials discussed the SolarWinds intrusion, the Colonial Pipeline ransomware attack, and the government’s current capacity to respond to future major incidents. Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency (CISA), said during the hearing that while his agency is holding its own at the moment, that may not be the case for long.
“While we are effectively responding today, the most recent attack should serve as a warning that federal government incident response must be fortified now to ensure that we will not be overwhelmed in the future,” Wales said.
CISA and its parent agency, the Department of Homeland Security, are currently in the middle of a hiring sprint designed to bring on up to 200 new cybersecurity personnel by the end of June, and Wales said that new wave of employees will help expand the agency’s threat hunting and response capacities. But he also said that a reserve or “surge capacity” pool of outside talent could be helpful. The difficulty with this idea is that there is a dearth of quality incident response talent in the private sector, too, and during a major incident such as the Colonial Pipeline attack or the SolarWinds breach, the top IR firms are usually fully engaged with their own clients.
“The idea of a private sector, incident response reservist group that can parachute into major incidents, adding capacity, expertise, and perspective on an as needed basis is great in theory, but not the full solution. The goal here shouldn't be to eliminate the federal need for cyber talent through reservists, but augment existing federal capacity through diverse sets of private sector expertise to enable a more effective response,” said Grant Oviatt, director of incident response engagements at Red Canary.
“Opening the aperture to more diverse security talent alleviates constraints on incident response resources while allowing for a more scalable response to incidents when they occur. However, this won’t meet all the federal staffing requirements to be effective.”
There are bills in both the House of Representatives and the Senate that would create pilot programs to bring in former military personnel and federal employees to help during major incidents, but that's a different initiative and one that could take some time to get going.
Federal agencies employ many of the same top IR firms that private companies use and there are also a number of information and resource-sharing initiatives in place that enable collaboration between the government and the private sector. Some of those are informal, while others are more well-defined, such as the ISACs. But Oviatt sees room for more and better collaboration, especially for major incidents.
“I see promising opportunities to aid some of the cyber capacity issues through joint collaboration programs like the Ransomware Task Force’s proposed Ransomware Threat Focus Hub. This particular initiative would enable private security practitioners to contribute to federal programs through coordinated efforts to disrupt attackers, sharing of investigative findings, and built-in feedback loops to improve national defense without requiring that individuals take leave from their day jobs,” he said.
The discussion about creating a cyber reserve arises at a time when the federal government is in the midst of a major effort to improve the security of the country’s networks. This week, President Joe Biden signed an executive order on cybersecurity that included a number of broad mandates for federal agencies, such as the deployment of multi-factor authentication and the creation of guidelines for evaluating software security in the supply chain. There is also a requirement for agencies to deploy endpoint detection and response tools to “support proactive detection of cybersecurity incidents within Federal Government infrastructure, active cyber hunting, containment and remediation, and incident response.”
Another initiative in the works is the development of a hardened private cloud architecture for federal agencies. CISA’s Wales said the idea is to create a reference architecture that can then be provided to any agency to use.
“One of the real lessons out of SolarWinds was the exploitation of cloud environments and the challenges for logging that CISA had in those environments,” he said.
“We know with our adversaries growing more aggressive it’s only a matter of time before a catastrophic cyber incident requires us to expand our capabilities beyond what we currently have.”