In an event that brought two Cabinet secretaries and around 50 top federal and state officials together for three days of discussion on cybersecurity and critical infrastructure, one question remained: Who has the lead on information security issues in the United States?
It was an issue pondered aloud by Sen. Ron Johnson, R-Wisc., the chairman of the Senate’s Homeland Security committee. Johnson said Sept. 19 he had recently sat through a classified 5G briefing with cabinet officials and had a similar inquiry then.
“The No. 1 question I [had] is ‘who’s in charge? Who is actually doing the problem definition when it comes to our challenge with 5G?,’” Johnson said at the Cybersecurity and Infrastructure Security Agency’s second annual national cybersecurity summit at National Harbor. “And nobody would really answer the question.”
“This is constant. This is common across the federal government,” Johnson added.
Government officials consistently argue that no single agency could take responsibility for the cybersecurity of the federal government. But, in today’s current arrangement, one challenge is that several organizations work on cybersecurity issues in silos, particularly when it comes to election security or protecting the power grid.
In addition, state and local governments control their elections. Private utilities largely manage the power grid. And with cyberthreats launched remotely and crossing international borders, this means there’s a need for coordination and collaboration between organizations — a task that can be made difficult by jurisdictions.
“International boundaries dissolve away,” said CISA Director Chris Krebs in his opening speech Sept. 18. “Jurisdictions do not, but the boundaries seemingly do.”
The summit brought together top state election and cybersecurity officials; federal officials from agencies such as the Pentagon, the Department of Homeland Security, the National Security Agency and the Department of Commerce; top congressional aides, along with some industry experts. In a rarity, several panels were exclusively government officials, even with a government moderator. At the outset, Krebs said he was ready to move beyond the boilerplate “information sharing” conversation.
“I’m sick of hearing about information sharing and how that’s going to solve the problem. It’s not,” Krebs said. “We have to get beyond information sharing. We have to work together to understand what our respective advantages are.”
Looking at the stature of the officials participating in this year’s summit, it’s clear that CISA is serious about finding the best ways to protect government systems.
Coordinating with big players
Consider the government leadership that sat for the summit’s first panel. It included Anne Neuberger, director of the NSA’s new Cybersecurity Directorate; Suzette Kent, federal chief information officer; Tonya Ugoretz, deputy assistant director of the FBI’s cybersecurity division; Jack Wilmer, deputy CIO and chief information security officer at the Pentagon — all moderated by CISA’s Assistant Director for Cybersecurity Jeanette Manfra. Outside of a congressional hearing, it was an unusual display of top officials.
The significance of the leaders CISA pulled together wasn’t lost on some in industry.
“They’re linking the players together, and so when you start creating that kind of collaboration, information sharing, where we can create an outcome and execute behind — that is where you actually start seeing transformational change,” said Travis Reese, president of FireEye, a threat intelligence company. “And to me, it starts here, it starts with getting people from different backgrounds, different components, different sides of the political world, into a place where they can share ideas, be very transparent [and] have some debates.”
Agency leaders made clear that they were exploring their responsibilities in relation to other entities in the federal government.
“We spend a lot of time at FBI thinking about our role as it relates to others in this constellation of entities that have a piece of this mission — especially CISA and CYBERCOM and other organizations [that] have been developing,” said Ugoretz. “What we keep coming back to … is that it requires such a blend of mission and authorities and capabilities to tackle all the different aspects of what we’re looking at in the cyber mission space. We agree that there really can’t be one entity, realistically, that does it all. But it’s all about, ‘how do we come together?’”
Krebs made increased coordination a point in his opening speech, comparing the role of the Federal Emergency Management Agency as the lead in disaster response to the state of affairs in cybersecurity.
“We don’t have that same doctrine built out for a large-scale cyber event,” Krebs said.
That missing doctrine worried Krebs, who said the government “got pretty close this summer” to a large cybersecurity event, referencing the ransomware attacks against parishes in Louisiana and school districts in Texas. At the summit, Jared Maples, homeland security adviser for the state of New Jersey, said that he guesses he receives as many as 10 ransomware alerts from organizations throughout his state each week.
Maples explained to Fifth Domain how CISA is helping states defend against these ransomware attacks by providing them with threat analysis of ransomware strains.
“We can get it out to the smaller constituencies, which we do have direct access to. [For] the feds, it’s tough to get out to 376 million people, but we can get it out to all 9 million of our people very quickly,” Maples told Fifth Domain.
Mac Warner, the Republican secretary of state in West Virginia, said that DHS and CISA are providing localities in his states with incident response plans to events like natural disasters and providing other training to country clerks.
“There’s a lot of activity going on from the federal government, DHS, CISA, and others to help us get the message across — not only training our own people but then the public part,” Warner said in response to a question from Fifth Domain.
CISA’s not the only group assisting state officials in cyberspace. For ransomware attacks, the Maples said his agency also gets help from the FBI.
“The federal government — CISA, for example, and a lot of our partners, FBI — there’s a lot of capabilities to help overcome those if you are attacked and respond to them,” Maples said.
CISA also manages a handful of cybersecurity programs for federal agencies, such as the trusted internet connection (TIC) program, which provides safe internet connection, and the Continuous Diagnostics and Mitigation (CDM) program, which provides insight into agencies’ cybersecurity posture.
“[This is] really the first time we had an agency really focused on security, with a major focus on cybersecurity,” said Grant Schneider, the federal chief information security officer. “Something that has really galvanized … efforts across the federal government.”
Johnson praised Krebs’ leadership at CISA and said that the overall structure of issue governance made sense, but added that there needed to be identified leadership over the individual issues.
“In some of these subproblems, like 5G … we do need to understand that we need individuals within government to be in charge of all the different operations,” he said.