Lapsed CISA contract impedes national lab’s threat-hunting operations
Fewer experts are analyzing data from a key critical infrastructure cybersecurity program due to contracting issues associated with the Trump administration, an expert told Congress on Tuesday.
Under a contract with the Cybersecurity and Infrastructure Security Agency (CISA), a team from Lawrence Livermore National Laboratory has been reviewing data collected by CISA’s CyberSentry network-monitoring sensors, which are free voluntary tools available to critical infrastructure organizations. But that contract ended on July 20, and until CISA renews it, LLNL’s team can’t review CyberSentry data.
“Our threat hunters stopped monitoring networks on Sunday,” Nate Gleason, the head of LLNL’s Cyber and Infrastructure Resilience program, told Rep. Eric Swalwell, D-Calif., during a House Homeland Security cyber subcommittee hearing on Tuesday.
The delay in resolving the lapsed contract means that there is currently reduced scrutiny of CyberSentry data, which includes evidence of attempted and successful attacks on critical infrastructure sites like power plants, hospitals and water treatment facilities.
“One of the most important things is getting visibility into what’s happening on our [operational technology] networks,” Gleason said. “We don’t have enough of that, and so losing this visibility through this program is a significant loss.”
Other teams, including CISA employees and federal contractors, are still reviewing data from CyberSentry. But because of how much information the sensors generate, any reduction in analysis could delay the discovery of important threat indicators.
Waiting for DHS and DOE
The disruption to LLNL’s CyberSentry analysis is a result of new policies from the Trump administration that have slowed down the process of reviewing contracts for approval, in some cases requiring direct signoffs from Cabinet secretaries. Gleason said LLNL is waiting for a contract renewal agreement between the Department of Homeland Security, which oversees CISA, and the Department of Energy, which sponsors the lab.
“It needs to be signed off by both organizations,” he said.
DOE and LLNL did not respond to requests for comment. DHS referred questions to CISA, which downplayed the impact of the contract lapse.
“The CyberSentry program remains fully operational,” Chris Butera, CISA’s acting executive assistant director for cybersecurity, said in a statement. “CISA routinely reviews all agreements and contracts that support its programs in order to ensure mission alignment and responsible investment of taxpayer dollars. CISA’s ongoing review of its agreement with Lawrence Livermore National Laboratory has not impacted day-to-day operations of CyberSentry and we look forward to a continued partnership.”
CyberSentry isn’t the only CISA program that LLNL has had to temporarily stop supporting. In March, the lab had to stop conducting research for CISA’s National Infrastructure Simulation and Analysis Center because its contract expired. That work involved “looking at infrastructure interdependencies and cascading consequences of disruption to infrastructure,” Gleason said, adding that it had been ongoing “for a decade,” including at CISA’s predecessor.
That analytical work is important to CISA’s mission of understanding and mitigating systemic risks to vital systems.
“A lot of times when we’re thinking about cyberattacks on critical infrastructure, the target may not be that infrastructure system itself. It may be what is supported by that infrastructure system,” Gleason said. “When we fail to understand those interdependencies, we are opening up avenues for our adversaries to disrupt key national security capabilities.”