The Cybersecurity and Infrastructure Security Agency is facing calls to take a more muscular approach to its role overseeing the cybersecurity of critical infrastructure in the wake of the Colonial Pipeline attack and other ransomware incidents.
The House Homeland Security Committee this week highlighted CISA’s role as an adviser to more powerful regulatory agencies, as lawmakers raised concerns about the cyber agency’s visibility into privately owned critical infrastructure networks.
Ranking Member John Katko (R-N.Y.) is pushing to get CISA to a $5 billion annual budget. The Biden administration is seeking $2.1 billion for CISA in fiscal 2022, an increase of $110 million from last year’s appropriation. The American Rescue Plan Act of 2021 also allocated $650 million in emergency funding for CISA.
During a hearing Thursday, Katko pressed Homeland Security Secretary Alejandro Mayorkas to support increased funding for CISA beyond the budget request. He suggested the agency is “overwhelmed” by its cybersecurity demands.
“Given the gravity of the situation and given my discussion with folks at CISA, it’s clear to me they need more resources,” Katko said. “A 6% increase, given what’s going on with cybersecurity in this country right now, just isn’t cutting the mustard.”
Mayorkas said CISA is focused on expending its already increased budget as wisely as possible.
“We are extraordinarily busy,” he said.
Rep. Bonnie Watson Coleman (D-N.J.) asked Mayorkas whether he would consider having CISA work with the Transportation Security Administration to “issue required cybersecurity standards for all modes of transportation, either through security directives or full notice and comment regulations.”
“We are looking at critical infrastructure across the board and how best we can use our administrative tools and our regulatory tools that are resident in different parts of the federal government to bring up a cohesive approach to an increased cyber hygiene,” Mayorkas responded.
Lawmakers investigating the May attack on Colonial were troubled by the pipeline operator’s decision to contact a third-party cybersecurity company, FireEye Mandiant, rather than CISA. Colonial also declined CISA’s follow-up offer for assistance.
“The Colonial hack demonstrates that even when companies are willing to self-report and engage with law enforcement after a ransomware attack they may not report to or engage directly with CISA, and I think that’s one of the issues we need to address here,” Rep. Kathleen Rice (D-N.Y.) said during a Tuesday hearing on the response to the Colonial cyber attack.
Eric Goldstein, executive assistant director for cybersecurity at CISA, said the agency could do more to convince companies to work with it. But after the intrusions into Colonial and JBS Foods, Goldstein said CISA is “seeing a real increase” in companies reporting incidents and viewing its guidance on cybersecurity best practices.
“We are seeing organizations across the country recognize this risk and recognizing that CISA is a source of support and expertise,” he said. “We just need to make sure that that continues and that we reach again into every corner of the country going forward.”
Goldstein also said the confirmations of Jen Easterly as permanent CISA director and Chris Inglis as National Cyber Director would “help the government further mature our processes for simplifying engagement with the private sector.”
The Senate Homeland Security and Government Affairs Committee voted to advance those nominations to the Senate floor Wednesday. However, Sen. Rick Scott (R-Fla.) has put a hold on Easterly and all other Homeland Security nominations until President Joe Biden visits the border.
Meanwhile, Rep. Jake LaTurner (R-Kan.) questioned whether the nominees alone could solve what he sees as a broader cyber governance problem.
“At the end of the day, it’s concerning to me we don’t have one point of contact who controls the budgets, who can force these different bureaucracies to come together and ensure our response in the United States is clear and concise and efficient,” LaTurner said.
After the ransomware attack, TSA issued mandatory cybersecurity requirements for pipeline operators for the first time, requiring them to report cyber incidents to CISA.
TSA is now working on a second directive with more detailed mitigation measures to reduce the likelihood and impact of similar cyber attacks, according to Sonya Proctor, assistant administrator for surface operations at TSA. She also mentioned that a group of TSA inspectors recently completed cybersecurity training at Idaho National Lab.
But some lawmakers probed whether CISA is better suited to regulate cybersecurity of critical infrastructure.
“TSA’s focus for the most part, the real focus is airport security, port security and all that physical security and then cyber attacks, yeah okay, but that may not be our core mission, whereas your core mission is cyber attacks,” Carlos Gimenez (R-Fla.), ranking member of the Transportation and Maritime Security Subcommittee, told Goldstein.
“Wouldn’t it be better for the federal government to kind of gel that into your agency and you become the voice on what needs to be done on cybersecurity,” Gimenez continued.
Cyber reviews for pipeline operators beyond a self-assessment remain optional, a point hammered home by lawmakers after Colonial delayed a TSA assessment just prior to the ransomware attack. Rep. Bennie Thompson (D-Miss.), chairman of the Homeland Security Committee, signaled a need to potentially make such reviews mandatory.
“My concern is if there’s no regulatory requirement for companies to allow TSA or whoever to look at their security protocols, they’ll tell you to come back next month,” Thompson said. “They’ll tell you to come back in six months. I’m just concerned given the expansion of ransomware attacks that a voluntary system without some compliance mandated puts us at risk.”
“You can have relationships with companies, but if that company at the end of the day knows they don’t have to comply, then I don’t see us working toward a threshold for security,” he added.
Thompson also pressed Goldstein on the need for mandatory cybersecurity tests for critical infrastructure companies.
“It is certainly the case today that there are many organizations in this country who for a variety of reasons are unable to invest in the security they need and the U.S. government must take urgent steps to incentivize, drive, require those companies to make the investment that they need to make,” Goldstein said.
At a Cyberscoop event Wednesday, acting CISA Director Brandon Wales said the renewed focus on critical infrastructure security in Biden’s recent cyber executive order is “a goal at the very heart of CISA’s mission.”
The 2021 National Defense Authorization Act already bolstered CISA’s powers by giving it administrative subpoena authority to alert industrial control system owners to cyber vulnerabilities on the public Internet. Wales said CISA has already used it “to close critical industrial vulnerabilities.”
Wales also called on the private sector “to open up” and share information on cyber incidents “so we can use it to protect everyone else.”
“Whether information on cyber incidents and vulnerabilities is provided voluntarily or under some mandated reporting requirement, CISA’s focus remains the same: Use that information in a way that protects the identity of victims while helping to protect future targets from compromise,” Wales said. “That is the essence of collective defense. No attack should be able to happen more than once.”