The agency branding itself as the nation’s “risk adviser” now has a strategic plan. But to fulfill that role, an organization with minimal power now has to prove its value to its target customers.
In a speech at Auburn University Aug. 22, Chris Krebs, the director of the Cybersecurity and Infrastructure Security Agency, laid out his vision for the next few years, with responsibilities ranging from election security to supply chain security, as well as physical security.
But there are significant challenges in achieving its missions, which Krebs summed up in an appeal to federal, state, local and academics to cooperate with his agency.
“I don’t have mandatory or compulsory or regulatory authorities, generally speaking, to make anyone do things,” Krebs said. “Whatever we do has to be done together, and in cybersecurity that is the only way we’re going to get it done. It has to be a collective defense approach.”
Now, CISA, which was established as its own agency late last year and is responsible for protecting critical infrastructure form cyberattacks, has to figure out how to operate effectively in a broad docket of spaces where the federal government has minimal authority — particularly in election security, where revelations from 2016 have shown the state and local governments have a pained relationship working with the federal government.
“Firstly, they need to genuinely be good partners with state, local and others and deliver what they promise,” Frank Cilluffo, director of the McCrary Institute for Cybersecurity and Critical Infrastructure Protection at Auburn University, told Fifth Domain. “While the flip side is obviously, the stakeholders need to be open to assistance, so that’s something that obviously is going to take some time.”
To be successful, CISA must build trust with state and local governments, several cybersecurity experts told Fifth Domain. CISA has been working toward strengthening its partnerships, with field staff in all 50 states.
“They need to lead through ideas and influence,” said Brad Medairy, executive vice president and cyber and engineering lead at Booz Allen Hamilton. “And so, because it’s not a mandate, I think that they can still be successful, but they’ve got to produce hard, crisp, meaningful and valuable recommendations that can be adopted.”
A common complaint from states in a Senate report on the 2016 election was that the warnings they received from the federal government did not provide the proper context about the threats they faced. Medairy said CISA needs to produce “meaningful and actionable information," which will result in a “groundswell of credibility.”
“The more that you do that, then the more folks will be [willing] to accept it and adopt it,” Medairy said.
CISA’s strategic intent document laid out a doctrine of “defend today; secure tomorrow” and identified five of the most pressing issues in the countryfor the next few years: China, supply chain and 5G; election security; soft target security; federal cybersecurity; and industrial control systems.
“They cannot do it alone; there’s never enough funding available for any one organization to tackle these kind of problems,” said Brett Scarborough, director of business strategy for cyber services at Raytheon Intelligence, Information and Services. “So they’ve got to leverage partnerships … they have to grow and with trust, those partnerships will grow.”
CISA leadership chooses their words with caution, carefully considering the semantics of each word it puts in documents or what officials say publicly. Ultimately, they settled on their role as “risk adviser,” not risk manager.
“They were wise to go with adviser over manager,” Cilluffo said. “Because when you’re the manager, that assumes you have control. … The truth is they don’t. But they do have some capabilities that others desperately need.”
For federal cybersecurity, the challenge for CISA, much like the challenge it faces with states, is that each agency is in charge of its cybersecurity. In order to achieve its goals, CISA has to ensure that stakeholders know that CISA is there to help.
CISA re-branded itself last year, changing its name from the National Protection and Programs Directorate to its current name. Several people interviewed for this story said that the change is an important step for raising its profile. But a former senior federal cybersecurity official with knowledge of CISA’s operation said that CISA now has to make sure that stakeholders outside of DHS know that it’s the agency to come to for cybersecurity needs.
For example, the federal government needs to figure out what role CISA plays with sector-specific agencies that have critical infrastructure jurisdiction, like the Department of Energy, the official said. In areas where users have to voluntarily use CISA, the agency has to demonstrate the value of participating. The former official said that CISA hasn’t laid out in the strategic intent document how it plans to do that.
Krebs said in his speech that, down the road, he’s looking at CISA potentially being used “as a service.”
“We need to make sure that we are understanding what’s happening across the entirety of the federal government so that we can manage risk,” Krebs said. “So if we see something hitting one department, we can look for it in other departments and agencies. The way historically it’s been managed, that capability is not been in place.”
CISA currently manages two cybersecurity programs for agencies. The first, known as the Continuous Diagnostics and Mitigation (CDM) program, helps agencies with the management of data protection, asset management, identity and access management and network security. CISA also runs EINSTEIN, a program that detects and blocks cyberattacks on federal civilian agencies and gives DHS the ability to use attack information to help protect other agencies.
To reinforce its programs and agency support, however, CISA faces the same problem that challenge private industry and federal departments: finding people to work there.
CISA, of course, also has to directly compete for cyber talent with other agencies and private industry, which makes it harder for them to recruit talent. Several experts pointed to this problem as a hindrance for CISA in its mission. But some also pointed to the “CISA-as-a-service” model as one that could solve ease this hardship.
“There’s not enough technical cyber talent to go around, so if everyone is trying to replicate the same capabilities it not only costs more, but you’re not going to be able to get the same talent because everyone is in this competition for top talent,” Medairy said. “So I think if you could have this one elite cell that’s providing that capability as a service, you’re just going to get a lot better results.”
Taking on such a large swath of threats, from cybersecurity to physical security, is a broad range of oversight. But it’s one that some experts told Fifth Domain makes sense.
“I don’t think any event is going to be exclusively physical or cyber,” said Cilluffo. “Many events will not be one domain or the other. Technology enables and enhances physical attacks from the perpetrator … and from the defender [perspective] you’ve got to be able to integrate both of those siloes that have historically been treated separately.”