The Cybersecurity and Infrastructure Security Agency has steadily received more money and authorities in recent years, but the ranking member of the House Homeland Security Committee is looking at how to take the agency to the next level.
During an event hosted by the Silverado Policy Accelerator today, Rep. John Katko (R-Ny.) said his “CISA 2025” initiative will include “oversight letters, briefings, industry perspectives, leading to a legislative proposal that’s ready for next Congress.”
Katko has said CISA should grow to “$5 billion a year agency” by 2025, which would more than double its current annual appropriation. He lauded the agency’s work in leading the federal response to the Log4J vulnerability and said it should serve as a model moving forward.
“I think we’re kind of at a crossroads where, is this going to be strictly a regulatory agency? Or are they going to be a collaborative agency, working with the private sector and developing those relationships that allow trust and better product to prevail?” Katko said. “I think the Log4J incident recently really kind of shows that that collaborative effort is a model that I would like to see more of going forward.”
The CISA 2025 effort will involve studying six distinct issues, he said, including organizational efficiencies, cyber threat information sharing, and “enhancing operational visibility” through mechanisms like cyber incident reporting.
It will also look at how to “centralize federal network security” at CISA. House lawmakers are already considering reforms to federal cybersecurity standards that would put CISA at the center of federal operational cybersecurity efforts.
“We can’t have 130 [chief information security officers] in the federal government,” Katko said. “We need CISA to be that quarterback and that CISO.”
CISA is already moving to centralize its role in federal network security operations, according to Rob Silvers, under secretary for policy at the Department of Homeland Security. He noted the agency is offering endpoint detection and response tools across the federal enterprise, and is also rolling out a cyber threat hunting capability for agency networks.
“I think this year, we’re looking to just absolutely scale up and get more operational,” Silvers said.
The CISA 2025 initiative will also examine “identifying and prioritize the most critical points of failure and layers of systemic importance across the system,” Katko said. Last year, he introduced a bill that would require CISA to identify “systemically important critical infrastructure.”
Finally, Katko’s initiative will also study workforce issues at the cyber agency.
“It’s hard to compete with the private sector, but we have to appeal to people’s better angels, at least to come in and serve for awhile, because we need them,” he said.
Members of Congress are also prioritizing passage of cyber incident reporting legislation after it was left out of last year’s defense authorization bill at the last minute. The bill would have required critical infrastructure companies to report cyber attacks to CISA within 72 hours.
House Homeland Security cybersecurity subcommittee Chairwoman Yvette Clarke (D-Ny.) said lawmakers are looking to include the bill in any vehicle they can find in the near term. She noted lawmakers did reach an agreement on the language last year, just not in time to include it in the defense authorization act.
“I’m confident that we’ll find a vehicle to move this legislation and get it to the president’s desk this year,” Clarke said during the event.
However, the FBI is still looking to be included in the legislation. Bryan Vorndran, assistant director of the FBI’s cyber division, said the bureau doesn’t want to be involved in administering the program with CISA. But the FBI is pushing to ensure the legislation requires CISA to share incident reports with the bureau immediately.
“It’s also important for us to have our authorities accounted for and that additional sentence would go a long way, so that we would have unfiltered real time access to the data so that we could truly leverage our deployed decentralized workforce as quickly as possible, given the countless number of examples we all have, about how important it is for us to engage victims face to face as soon as possible,” Vorndran said.
Silvers said CISA would do that regardless of whether the language is added to the bill.
“However Congress decides to allocate the different roles and responsibilities in the bill, what we are going to do in the implementation is, we’re going to share the reports immediately with the FBI and with other federal agencies that have a need to know,” Silvers said.