Amid a slew of ransomware attacks, consistent threats from nation-state actors and election security fears with the 2020 election around the corner, the director of the Cybersecurity and Infrastructure Security Agency (CISA) said he envisions his new agency as the United States’ “risk adviser” in cybersecurity and critical infrastructure protection.
“Our job ... is not deploying strike teams, fast roping into sites and locking down networks,” said CISA Director Chris Krebs in an Aug. 22 speech at Auburn University unveiling CISA’s new “strategic intent.” “Our job is much more community building [and] capacity building, bringing everybody together to understand what the risks are [and] what they need to do.”
Krebs laid out his strategic vision for CISA, a DHS agency established in November 2018 to protect the nation’s critical infrastructure, as organized around two core goals: defend today and secure tomorrow.
“There are active threats, ransomware is all over the place — that’s defending today,” Krebs said. “The secure tomorrow piece is a little bit different. Securing tomorrow is about what’s the next generation of technology going to look like and have we baked in the appropriate security concepts?”
The first of Krebs’ five strategic principles was leading critical infrastructure protection “in a collaborative way,” he said. His job, he said, is to provide information, insight and coordination mechanisms to help organizations manage risk, calling CISA “facilitators of better cybersecurity.” Collaboration is a key part of CISA’s mission because it generally lacks regulatory authority, meaning that its programs largely rely on voluntary participation from state and local officials.
“Whatever we do has to be done together,” Krebs said. “And in cybersecurity that’s the only way we’re going to get it done.”
Krebs also said that moving forward his agency will take a results-driven approach, identifying what stakeholders need and designing its answers to those needs.
“We can’t just sit back in a good ideas factory, think up things to do and then roll out a 98 percent solution and offer it out,” Krebs said. “We got to come at it from a different approach. What do our partners, our stakeholders actually need and then architect solution around that.”
CISA will also have to pick and choose its battles, Krebs said, given the broad range of security threats facing the nation. There are the four big nation-state actors: Russia, China, Iran and North Korea. But, Krebs said, there’s a fifth threat that CISA has to pay attention to now as well: cybercriminals carrying out ransomware attacks, like the one in Texas just this week. Ransomware attacks are the most visible cyberattacks Americans see every day, Krebs said, whereas they don’t see the nation-state activity that’s in classified intelligence reports.
“We’ve got to be able to focus on both on that really exquisite [nation-state] threat and design solutions and engage to manage risk,” Krebs said. “But at the same time, making sure that we’re working the broader more general more publicly visible threat as well.”
CISA will also operate in a way that’s “consistent with American values,” Krebs said, not imposing itself on state and local governments. Instead of forcing technology like sensors on different organizations, CISA will help “better protect their networks, give them concepts, road maps, strategic frameworks on how they can manage themselves and if they need capabilities, we’ll work on that together.” On Aug. 21, CISA released the first part of its new “CISA Insights” program, which provided guidance for protecting against and handling a ransomware attack.
The defending today doctrine includes emerging threats and supply chain risks, Krebs said, in addition to instant communication between different levels of government.
In order to protect the nation from cyber threats, the government needs to “ensure that when the federal government has information that we’re pushing it out to people who can do something about it.”
A recent report from the Senate Intelligence Committee outlined several shortfalls in the relationship between states and the federal government in the 2016 election, including states complaining that they did not receive proper context regarding cyberthreats that the federal government sent out. In 2018, according to CISA’s strategic intent document, 500 CISA employees had a hand in election security preparedness.
CISA’s securing tomorrow doctrine is taking a holistic approach to security, from IT to industrial control systems to insider threats, Krebs said. Built on top of that, Krebs said that a primary focus for CISA is working within the government to increase a “defensible posture” across the civilian agencies, which all manage their own networks, thereby owning their own risk.
“That is not a particularly defensible posture,” Krebs said. “So our job at CISA is to help those 99 agencies defend themselves.”
To mitigate this problem, Krebs said he’s in conversations with lawmakers on Capitol Hill and officials in the Office of Management and Budget about creating a better solution for network protection at federal civilian agencies. In fiscal year 2018, federal civilian agencies had 31,000 cyber incidents, according to a new OMB report.
“So in five years you may see a completely different architecture across agencies,” Krebs said.
The strategic intent document laid out by CISA received praise from House Homeland Security chairman Bennie Thompson, D-Miss., who said he was “encouraged” by Krebs’ strategy.
“We know that our nation’s banks, hospitals, power plants, election systems, and state and local governments are under constant attack, and CISA must stand ready to help these owners and operators shore up their defenses. This Strategic Intent document sets forth an ambitious agenda, and I hope to hear more from Director Krebs about how he plans to execute the priorities outlined today, and what resources CISA will need in order to do so,” said Thompson.