CISA could offer stronger ‘top-down’ support to agencies, cyber officials say

Federal cyber officials say the Cybersecurity and Infrastructure Security Agency could do more to help agencies secure their networks, including through the CISA Joint Cyber Defense Collaborative.

The Department of Veterans Affairs’ relationship with CISA has “blossomed over the past year,” Jeff Spaeth, deputy chief information security officer and executive director of information security operations at the VA, said during an event hosted by the Center for Strategic and International Studies today.

“Having dedicated representatives, interfacing with us on almost a weekly basis, setting some of those focal points that they would like to work on, as well as our input, as the largest federal agency out there, that we would like to work on with them,” Spaeth said.

But Spaeth and others noted CISA could more quickly notify agencies when a new vulnerability arises in a vendor’s widely used technology product.

“One of the things that we would like to see a little bit more of is when they get notified by some of these major vendors — and I’m not saying they don’t pass the information along — but sometimes it takes a while to get down, for some of that really in depth technical pieces, instead of ‘hey, this was a compromise,’” Spaeth said.

Amber Pearson, the deputy CISO at the VA, echoed Spaeth’s comments.

“What I would like to see is more of that expansion from CISA in those key areas that, hey, when a cloud service provider, for example, misses that critical patch, or there’s a threat indicator, provide it to us,” Pearson said. “What are those actions that we as a federal agency need to do next?”

Jeff King, principal deputy chief information officer at the Treasury Department, noted the prevalence of supply chain attacks. He said cyber actors are increasingly targeting major technology vendors and their products. The goal is to infiltrate the networks of multiple customers.

China-backed hackers were able to steal emails from officials at multiple agencies last year after hacking into Microsoft’s Exchange Online environment.

“I look at CISA to really kind of help me balance out the risk landscape, what I should be doing,” King said.

King also suggested CISA take a more aggressive role in setting cybersecurity standards for capabilities like federal security operations centers.

“If they [CISA] are really like the single security service provider for civil the same way that the [Defense Information Systems Agency] is for the Defense Department, we need really common operating standards to which we are aggressively held vise, this sort of voluntary participative notion, get in touch with us when you need it kind of thing,” King said.

“There needs to be I think more formulation of, this is the way we’re going into a top down, enforceable strategy,” he added. “And I recognize that is a very much a divergence, from the way that we’ve thought about cyber and acted on cyber probably over the past decade.”

CISA’s JCDC critiqued

In October, CSIS released a report recommending CISA conduct a study to better identify its role in defending federal networks. It posited that there is a “larger question as to whether CISA should eventually move toward a model where it directly manages the entirety of the .gov landscape.”

The report also highlighted shortcomings with CISA’s “Joint Cyber Defense Collaborative.” The JCDC is a relatively new public-private group. It has also received plaudits for its ability to share information across different organizations.

“Critics of the JCDC point to the office’s lack of a formal charter or clear membership criteria, which could potentially hinder future scalability and transparency,” the report stated. It adds that people interviewed for the report mentioned “information flow, in all directions, is not happening fast enough.”

At the VA, Spaeth said officials “love the integration, we love the coordination” from the JCDC. But he added the VA would also like to see more involvement from federal, state and local agencies as well.

“I know that we have [Information Sharing and Analysis Centers] out there,” Spaeth said. “But I think JCDC has really taken the charge for all federal agencies to share that type of information for the quick reactions and trying to close the holes as quickly as possible.”

King pointed to the critical vulnerability in Citrix servers as one recent example where information could have been shared more quickly.

“We couldn’t get [indicators of compromise] for it for a very long time,” King said. “We need IOCs yesterday, for something that active.”

Critical bugs in CISA’s “known exploited vulnerability” (KEV) catalog should also be patched faster, in some cases, he said.

“We really need to kind of rethink the ‘recover’ and ‘respond’ part of this and less about the ‘protect’ and ‘defend’ part of it,” King said. “And I think that’s where CISA probably needs the opportunity to grow to kind of meet the threat where they are.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.