Nearly a year in the making and somewhat delayed by the 35-day government shutdown, the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security put down its roots in the form of a strategic plan.
Chris Krebs, the director of CISA, said today he is keeping the two core goals of the newest bureau to a simple motto: Defend today, secure tomorrow.
“We are the nation’s risk adviser. I use these words carefully. I say adviser, not manager, because when you think about critical infrastructure or cybersecurity in the U.S., I’m not sitting on top of networks pushing buttons. That’s the owner/operator of the system, whether it’s a state government system, whether it’s an election official managing their network, whether it’s Alabama Power or Auburn University. They own the risk,” Krebs said at Auburn University on Thursday. “My job is to provide them information, insight, coordinating mechanisms and capacity building tools or capabilities to get power, to get good, to manage their risk. We are enablers or facilitators of better cybersecurity. That is what the strategic intent unpacks.”
The document lays out CISA’s vision around five guiding principles and eight objectives.
“A secure and resilient infrastructure for the American people — that is where we want to go and that’s what we are working to enable,” Krebs said. “We have to be relentless in driving down risk, pushing awareness of the things that need to be done by the private sector, by the state and local community and by the federal community. That’s our job: to understand what the risks are, bring people together to manage these issues and then build capacity.”
This is the role CISA has been playing for federal networks for some time.
“The speed of change in the cyber world is outpacing the current federal ‘policy to implementation’ process,” the document states. “CISA’s authorities present the capability and opportunity to create federal cybersecurity approaches that address the speed of change.”
Krebs said the next push for federal network security will be around shared services.
“The 99 federal civilian agencies all manage their own risk and manage their own networks. That is not a particularly defensible posture. Our job at CISA is to help those 99 agencies defend themselves. We take tools out of the Department of Defense and provide them,” he said. “But ultimately at the end of the day, those agencies are responsible for managing their risk. I’m putting them in a position to manage their risk better. My view of these things is that this is not a tenable or defensible position in the long term.”
New security architecture coming?
He said CISA is working with lawmakers and the Office of Management and Budget to find a better solution for how to defend federal networks.
“In five years, I think you may see a completely different architecture across those 99 agencies. There may be some of those agencies that say, ‘you know what, I can’t do this anymore. Someone else do it for me.’ Whether it’s CISA as a shared service or a quality service management offering, it’s got to change so we are helping work through those processes.”
CISA is developing a quality service management office (QSMO) for cyber shared services as part of OMB’s revised shared services strategy. DHS said in April that its initial thinking for shared services would follow the model of the continuous diagnostics and mitigation (CDM) program and similar capabilities such as endpoint security and privileged access management.
Additionally, under the CDM program, CISA is offering continuous monitoring-as-a-service for small and micro agencies. So far, more than 20 agencies are using these services, which place sensors on their networks and report the resulting data back to DHS’ governmentwide dashboard.
Krebs said the goal of the shared services is to understand the cyber threats and vulnerabilities across the government and help agencies take action.
“If we see something hitting one department, we can look for it at other departments and agencies,” he said. “The way historically it’s been managed, that capability has not been in place.”
5G task force underway
In addition to federal networks, Krebs said CISA continues to work on acquisition supply chain threats, specifically in 5G capabilities.
He said CISA has a task force to identify supply chain threats and the partnerships best suited to mitigating those risks.
“We are looking at 5G equipment and doing open-ended vulnerability assessments to look for vulnerabilities,” he said. “At the same time, we are saying ‘what do we know about 5G and what do we know about the market? Are there alternatives to get American innovation back into the stack so we aren’t dependent on potentially untrustworthy companies?’ Why on Earth would we put China in a position to control whether our communications systems are up or down? That is the threshold issue here.”
Reps. Bennie Thompson (D-Miss.), chairman of the Committee on Homeland Security, Mike Rogers (R-Ala.), ranking member of the committee, and John Katko (R-N.Y.), ranking member of the Cybersecurity, Infrastructure Protection and Innovation Subcommittee, all praised the new strategic document.
“I am encouraged to see that Director Krebs has a strategy and a vision to guide CISA at this pivotal time. If this newly-rebranded agency is going to be effective in securing U.S. critical infrastructure against physical and cyber threats, it will need steady leadership, a talented workforce and a realistic understanding of its resource needs,” Thompson said in a release. “This strategic intent document sets forth an ambitious agenda, and I hope to hear more from Director Krebs about how he plans to execute the priorities outlined today, and what resources CISA will need in order to do so.”
Rogers and Katko said in a joint statement that, “The priorities and objectives Director Krebs laid out are valuable in signaling the seriousness with which CISA is approaching these challenges. However, it also allows for accountability both from the public and Congress. We look forward to working with CISA as it implements this vision and remain committed to its success.”