The Biden administration is touting a whole-of-government approach to cybersecurity that leading members of Congress have stressed for years.
The 2021 National Defense Authorization Act lawmakers approved last year includes many of the bipartisan Cyberspace Solarium Commission’s top recommendations, such as elevating the role of CISA and re-establishing a national cyber director in the White House.
Anne Neuberger, the White House’s deputy national cybersecurity adviser for cyber and emerging technology, pointed to the recent cyber breach of a water treatment facility in Florida as evidence that the Biden administration needs to take cybersecurity as a national security priority.
“To improve our defenses in this context, we’ve got to move beyond mere information sharing as a strategy, and we need to work toward measurable outcomes and implementing ways to reduce the risk of something like this happening again,” Neuberger told members of the National Security Telecommunications Advisory Committee.
Several of NSTAC’s recent recommendations to the president — such as accelerating the adoption of cybersecurity guidelines, promoting software and supply chain assurance and a whole of nation approach to ensure leadership in emerging technologies — will find their way into a new national cyber strategy, Neuberger said.
White House Press Secretary Jen Psaki, in a press briefing Thursday, said the Biden administration is taking an across-the-government focus and elevated cyber positions in the White House and elsewhere in the executive branch.
Members of the House Homeland Security Committee expressed bipartisan support for elevating these cyber positions, and said a coordinated cyber defense plan for civilian agencies is overdue.
Committee Chairman Bennie Thompson (D-Miss.) said “naming and shaming,” sanctions and indictments have done little to deter nation-state actors from launching sophisticated cyberattacks, such as the Solarwinds breach.
Ranking member John Katko (R-N.Y.) said agency roles and responsibilities for cybersecurity remain “too clunky and ultimately inadequate.”
A provision in the NDAA gives CISA the authority to proactively hunt for threats across civilian federal networks, but Katko said CISA doesn’t yet have the “centralized visibility or authority” to respond quickly to incidents.
For CISA to make the most of this new threat-hunting authority, Chris Krebs, its former director, told the committee it will need to deploy detection capabilities, hire more analysts and get cooperation from the agencies it’s protecting.
To protect an attack surface as large as the federal government, Krebs recommended the Biden administration create a civilian agency cybersecurity strategy that sets a high bar for agencies to meet.
The security requirements in such a strategy, he said, would likely be too onerous and expensive for most agencies to tackle on their own, but CISA could provide that cyber support as a shared service through its Quality Service Management Office.
“I can think of maybe a handful of agencies that would be able to comply, so give them the opportunity to comply, or give them an option … where they — the CIO and the CISO shop — can just turn the keys over to CISA,” Krebs said.
Through its QSMO, CISA could develop, for example, a secure cloud email service that is more resilient to intrusion attempts than the 100-plus instances of email across civilian federal agencies.
“That’s just not a defensive posture,” Krebs said.
Dmitri Alperovitch, executive chairman of Silverado Policy Accelerator, said CISA should have the capability to defend civilian agency networks, much like how the Defense Department’s Cyber Command protects DoD networks.
“The fact of the matter is, when you look at over 130 different executive branch agencies, the vast majority of them will never have the talent, the expertise, the resources to defend themselves against the most sophisticated nation-states out there, such as Russia and China, that are trying to break into their networks,” Alperovitch said.
CISA has an annual budget of about $2.2 billion, and about half goes into cyber investments, but Krebs said about $800 million of that cyber investment goes toward two programs: The National Cyber Protection system and the Continuous Diagnostics and Mitigation program.
That leaves CISA with several hundred million dollars for incident response and few resources to engage with the critical infrastructure community.
“My biggest regret was that we were not able to plow additional resources into the ability to get out there, into the field, and engage more critical infrastructure and state and local partners,” Krebs said.