Few federal management challenges seem as intractable as the need for better cybersecurity. The Solar Winds incident provided the latest evidence. Pretty much everyone agrees. Now the Biden administration has mostly filled out the top cybersecurity positions. For what should happen next, Federal Drive with Tom Temin turned to a leading voice for cybersecurity, New York congressman John Katko (R-N.Y.).
Insight by Workday: This exclusive e-book highlights how agencies aim to make government a great place to work in 2022.
Tom Temin: Congressman Katko, good to have you back.
Rep. John Katko: Great to be back my friend.
Tom Temin: So there are people in place, we have several people there. Chris Inglis is the now the National Cyber Director and Neuberger is Deputy National Security for Cyber Director and so on. What are you expecting these people to do? What should they be doing together going ahead?
Rep. John Katko: Well, first of all, I’m thrilled that there is a National Cyber Director again, because we hadn’t had one for quite a while, the previous administration did not feel that at our urging, they had that. And I really view it as they’re all a team, you have the DoD component, .mil, you have the intel community with Neuberger, and then you have the CISA role. And I think all three play a critical role. But the person overseeing all three is the cyber director. And so to have the cyber director overseeing the entire playing field is critically important, both offensive, defensive and intel. And so I’m very happy that that Biden administration made these moves. And going forward, I’m very hopeful that the exchange of information between the.gov, the.mil and the intel community is better than ever. And Neuberger has a unique opportunity to find ways to improve that sharing of what intel gets with the others in a proper manner. So I’m excited about the possibilities of what this could bring for us. And I think going forward, it’s can be very important that CISA is treated as an equal and is not the ugly stepchild. It’s a younger agency, but it’s a very important one for the.gov domain. And so I think having all three on an equal footing and working together is gonna be very, very important.
Tom Temin: Yeah. And I think that Chris Inglis as the National Cyber director, he was number two I believe in the intelligence community. And so he’s something of a self effacing kind of guy, is glad to work quietly in the background, which might serve effectiveness rather than trying to get the spotlight all the time.
Rep. John Katko: Yeah, self effacing in senior levels of government in Washington don’t always go together. So I think that’s a wonderful trait for him to have in that position. And that’s exactly what he needs, because he needs to instill the team concept in this. It’s much like what we did after 9/11, had all these disparate agencies were developing information from the intel community on bad guys and law enforcement, and the information was being shared. And we fixed that after 9/11. We know we need to do a better job now of doing that and getting the information to all three of them, that’s gonna be another task. But I’m really excited about the possibilities, and I’m looking forward to working with all of them.
Tom Temin: Now, the Government Accountability Office, the arm of Congress, just once again for the umpteenth time, put cybersecurity on its high risk list. nothing new there. But this is getting to be kind of an old story here. What in your estimation are the agencies just not quite doing that they should be doing to get this thing passed the high risk list and actually getting better cybersecurity?
Rep. John Katko: Yeah, I think one of the key role, again, is CISA, it’s is a recurring theme with me. But CISA is a very important part of that. Because what you have is you have more than 100 different agencies, and some have a higher competency than others with respect to their cyber capabilities. And that’s a problem. And there’s no real central repository or central director for those agencies. And that’s why I think it’s really important that CISA plays a prominent role as a quarterback in the.gov domain, just like DoD is a quarterback for the .mil and Neuberger is gonna be the quarterback for the intel community. CISA needs to elevate its role and CISA needs to be that repository. And that’s why I really advocated it’s got to be a much bigger agency. I’m a Republican, I’m conservative im for fiscal constraint, but it’s clear that this needs to be much better funded. And I think it’s going to be a matter of a few years, and they’ll be a $5 billion dollar agency, and rightfully so, because cybersecurity, as you mentioned, is so important. And we’ve got to make sure it’s properly handled.
Tom Temin: Well, with respect to the bill that you’ve introduced there, the majority is willing to spend trillions on lots of other things, so it seems like there’s probably going to be some money for little old CISA in there too.
Rep. John Katko: Yeah, you would hope so my friend. And one of the things we need to do, and I think we’ve seen some of that in the legislation, and then it’s a promising sign. But these agencies, all of them need to continue to prioritize modernization of their IT infrastructure with security in mind, not just getting the new bells and whistles, but the better product. They’ve got to modernize their infrastructure and understand that security should be at the forefront of what they’re doing. Security should go hand in hand with performance. I think.
Tom Temin: And kind of a parallel effort has been brewing at the Defense Department, the CMMC, the Cybersecurity Maturity Model Certification program, the administration is examining it. This was started again under the Trump administration, what’s your sense that that will flower into something really operational and regular on the supply chain front at some point?
Rep. John Katko: Well, there’s a number of vendor certification risk judgment regimes in various stages of development across federal government and DoD CMMC that you just mentioned, and the Federal Acquisition Security Council, garner a lot of the headlines. I think working them together to ensure that these regimes accomplish their goals of actually reducing risk is critically important. The certification of certifications probably isn’t the path forward, but neither is existing patchwork approach. So you may have seen that I conducted oversight over CISA earlier this year demanding to get more clarity from the agency about how it’s going to fold software assurance considerations into its risk management supporting the FAS. So that’s kind of a step but I think in the right direction regarding that.
Tom Temin: So it sounds like you’re saying maybe a little simplified approach to all of this, because in CMMC, there’s quite a panoply of organizations that impinge on it, you almost need a diagram to figure out how that program works.
Rep. John Katko: Right. And that in and of itself is a problem, right. And so that just basically having reciprocity between DoD and DHS is going to be really important. And I think, in simplifying that process and streamlining. And that’s why I like going back to the CISA and their approach over the agencies, that’s why you need to streamline that thing, you need to have that quarterback, people need to have defined roles on the team and that I think is really important.
Tom Temin: And getting back to the agency level, you mentioned IT modernization, and also CISA, it would have some influence over what agencies do. Anything else you can think of? I mean, we’ve got the CIOs, we’ve got the CISOs, we’ve got Chief Technology Officers, lots of C officers now in agencies’ data, you name it, but it seems like that’s not quite in gear on this whole front.
Want to stay up to date with the latest federal news and information from all your devices? Download the revamped Federal News Network app
Rep. John Katko: Right. Again, it’s really just having more centralized approach to it, number one. And then defining the lines of how that centralized approach works is going to be critically important. And I think you just mentioned that there’s a bunch of these different cyber aspects of every agency. And I think with guidance, we can get them to a point where the roles are better defined, and the chain of command is better defined. And that’s going to be very important.
Tom Temin: And you mentioned also the modernization, that now there is a billion dollars in that TMF, which sounds like a lot of money, but it’s really 1% of the 100 billion dollars the government spends now on IT, and that includes cybersecurity. And there’s another $500 million proposed anyway, in the so called skinny budget that we have from the administration. Do you believe those funding levels are correct? And how would you hold agencies accountable for spending it in a way that furthers the objective of better cybersecurity?
Rep. John Katko: Well, is it adequate now? Is it enough now? But it’s a step in the right direction, absolutely. There’s no question about that. But then it goes back to what I was saying before, when you’re doing your acquisition, you can’t just think about modernizing your IT infrastructure, you got to think about the security components, and that security component is going to cost a lot of money. And it’s going to cost changing the way you’re thinking about running your IT systems. And so, again, it comes to having a game plan that people understand and that people can execute. And right now, sometimes I think that game plan is very patchwork at best and we need to streamline that. That’s one of the things we’re doing. And I keep talking about my five pillars, and I talk about everybody’s five pillars of cybersecurity, all we’re talking about in this interview is consistent with that. We need to rethink the fragmented approach. And obviously, we need to understand the nature and extent a third party risks. We need to actually reduce the risk through certification regimes that are just trying perfunctory compliance exercises. Gone are the days where we’re just working to get patches, that’s not what we need to do. Now, software assurance and developments can be critically important. And then the last thing we haven’t really talked about today is whacking the bad guys when they have these cyber intrusions, especially China and Russia. And I’m glad to see what the administration did with that recently. So against that overlay, the five pillars I just articulated is what we’re talking about today. And all those things need to be implemented, and it’s going to cost money.
Tom Temin: Yeah. And the payback mechanism from the TMF. Would you be willing to say, well, maybe we don’t really need that? If something costs more to do correctly, like cybersecurity, maybe the payback mechanism for the TMF is not the way to go.
Rep. John Katko: Well, that remains to be seen. And right now, I just think getting the proper funding to start and seeing how much that can get us is going to be very important.
Tom Temin: Republican John Katko is ranking member of the House Subcommittee on Cybersecurity, Infrastructure Protection and Innovation. Thanks so much for joining me.
Rep. John Katko: Glad to be here. I’ve enjoyed it very much.