Brandon Wales, the now former executive director of CISA, said in an “exit” interview agencies have more resilient federal cybersecurity architecture today.
Brandon Wales is aggressively optimistic about the state of and future of federal cybersecurity.
When asked what one thing he would change about federal cybersecurity, Wales, who served as the executive director of the Cybersecurity and Infrastructure Security Agency for almost five years before leaving federal service yesterday, said “nothing.”
And before you call him naïve or foolish, Wales has good reason for that positivity.
“I think the work that I’m probably most proud of both because of how this agency, given the fact that the Director [Chris] Krebs had only been fired a few weeks before that [SolarWinds] compromise became known, that the agency was able to rally around the mission, that we were able to work across government and industry to understand some of the unique things that the Russian SVR was doing, that we were working with federal agencies to evict SVR actors from their networks, but more importantly, that we were at even from the very beginning, thinking about how we would use what we were learning there to make real fundamental changes in the nature of federal cybersecurity,” Wales said during an “exit” interview on Ask the CIO. “When I look back three-and-a-half years later from that, the state of federal cyber security is so much stronger today because of the things that we started putting in place right in the aftermath of those compromises. The fact that we were able to address near term, exigent issues at the same time that we were building a more resilient federal cybersecurity architecture is, I think, a real model for how to use even really bad days to ensure that we learn from them and build back stronger.”
CISA named Bridget Bean, the assistant director for integrated operations, to replace Wales.
Wales, who spent almost 20 years at the Homeland Security Department working in cybersecurity, has seen the evolution of federal efforts.
He said that from the early days of the continuous diagnostics and mitigation (CDM) program to the recent decision to wind down parts of the National Cyber Protection System, known as Einstein, the push to learn from past cyber attacks and from both good and bad initiatives has driven CISA and agencies forward.
“Every new incident, we have learned something to make our systems more secure. And more importantly, I think we have created today a security focused culture in federal IT in ways that did not exist,” said Wales, who declined to say where he was going next beyond going on vacation, but promised not to stray too far from federal cybersecurity.
One example of the progress agencies have made over the last seven years is the implementation of Domain-based Message Authentication, Reporting and Conformance (DMARC). CISA issued a binding operational directive in October 2017 requiring agencies to implement the security tools.
Wales said at the time, agencies were among the slowest adopters of DMARC tools.
“We made a decision that we were going to require it and use a binding operational directive to put that requirement on all federal civilian executive branch agencies,” he said. “And 18 months later, the federal government had the broadest adoption of DMARC of any sector of the economy. We have been able to drive change today because of the culture that has been created over the past decade, because of the programs that have been implemented and because of the flexibility that we have shown on how to use our capabilities and authorities to meet the new threats and challenges that we face.”
Wales said the use of binding operational directives and emergency directives, both tools Congress gave to CISA as part of the Federal Information Security Modernization Act of 2014, has played a big role in creating that cyber culture change.
Not only did BOD/EODs focus on cyber threats where CISA could measure the impact of the changes, but Wales said they gave chief information security officers and others a better way to focus their resources.
“Now they can use the BOD as a forcing function to get it fully implemented. For example, when we issue an emergency directive to close some vulnerability that may be being weaponized by a malicious cyber actor, particularly targeting federal networks, it is always the case that closing those vulnerabilities were going to be on the agenda for those CISOs. But by highlighting it through the emergency directive, we’re saying, given what we know, given what we are seeing, you need to move this to the top of the queue,” he said. “Even for things like our binding operational directives, I think every federal system defender will tell you that, yeah, it’s always a good idea to have a vulnerability disclosure program in place so that we are understanding the vulnerabilities on our systems and being able to take action on them, but by us putting it into the BOD, now they can go work within their agency to make sure that they have the resources and support to actually get it over the finish line.”
Wales added that every BOD/EOD CISA issued over the last several years – 13 EODs since 2019 and 14 BODs since 2015 – has had a measurable effect on federal cybersecurity posture and agencies are stronger today because of them.
While BOD/EODs may be the stick, CISA also dangles the carrot in front of agencies as an incentive to improve cybersecurity.
Wales said the CDM program has been among CISA’s best carrots.
“I don’t think you can understate the impact of CDM because of the agility built into that. [CISA] got $650 million through the American Rescue Plan Act, a significant portion of which was designed to get better host level visibility across the federal government. The reason we were able to move that money so quickly and begin to get that level of visibility online was because CDM provided the vehicle to do that,” he said. “If CDM was not in place, we probably would still be struggling to get that capability out to federal agencies.”
Wales said CDM has helped CISA better realize the need to be flexible to address current and emerging cyber threats. He said one example is the decision to move resources from the NCPS to expand its ability to conduct persistent hunting on agency networks using new tools and to gain better visibility, so CISA and its agency partners can get ahead of potential or real problems.
Going forward, he said CISA’s top priorities include finalizing the cyber incident reporting for critical infrastructure rule by October 2025. He also said the continued governmentwide focus on protecting public and private sector systems from nation state attacks, specifically those from China, will remain as another key priority.
He said the threat China “poses to critical infrastructure to pre-positioning on that critical infrastructure for disruptive or destructive attacks in the future is such a significant issue, probably the most important one that we face over the long term. It is going to require consistent work by CISA to help continue to drive improvements in our security and to counter what China is trying to achieve.”
Copyright © 2024 Federal News Network. All rights reserved.
Jason Miller is executive editor of Federal News Network and directs news coverage on the people, policy and programs of the federal government.