A major report by the Cyberspace Solarium Commission wants to position the Department of Homeland Security’s cybersecurity agency as the “key” agency in strengthening cybersecurity efforts within the federal government and the private sector as part of a broader overhaul of the U.S. strategy for securing cyberspace.
The recommendations in the report are another signal that Congress views DHS’ Cybersecurity and Infrastructure Security Agency, which is charged with protecting federal networks and critical infrastructure from cyberattacks, as a critical piece of national security moving forward and plans to take action to bolster its authorities. The agency’s critics, however, question whether CISA is toothless, without the authorities it needs to do its job. Outside of the federal government, CISA is largely dependent on voluntary cooperation to deal with what is a vast attack surface.
The report, which makes 75 recommendations as part of a three-pronged “layered deterrence” strategy, emphasizes that it’s imperative that the federal government and private sector strengthen their relationship. Central to that effort is CISA.
“The key is CISA, which we have tried to empower as the lead agency for federal cybersecurity and the private sector’s preferred partner,” commissioners wrote in the executive summary.
The underlying challenge for CISA is that most assets labeled critical infrastructure are operated by the private sector, like the electric grid, or by state and local governments, like election infrastructure — and CISA doesn’t have the authority to direct their actions.
To achieve a better relationship with the private sector, commissioners wrote that Congress needs to designate more funding for CISA’s private-sector initiatives. According to the report, 60 percent of CISA’s budget is for federal cybersecurity, with only 15 percent going toward private-sector initiatives.
“Congress should review CISA’s budget and consider giving proportionally greater resources to projects and programs intended to support private-sector cybersecurity, to promote public-private integration, and to increase situational awareness of threat,” the report says.
CISA also needs to do more to protect federal networks, the commission wrote, recommending that Congress strengthen CISA’s ability to do continuous threat hunting on .gov networks.
“Continuous threat hunting on the .gov domain will enable CISA to quickly detect, identify and mitigate threats to federal networks,” commissioners wrote. “Resulting information on malware, indicators of compromise, and adversary tactics, techniques and procedures can be shared with public and private critical infrastructure, which may be similarly targeted by these actors, to bolster their defenses.”
The commission also suggests raising the agency to an operational agency within DHS and making its director a deputy secretary.
The Cyberspace Solarium Commission was created by the 2019 National Defense Authorization Act and included members from inside and outside of government.
The reality is that CISA will need more funding in order to achieve the overhauls recommended in the report. But not all the recommendations need immediate funding, according to CISA Director Chris Krebs.
“There’s a significant amount of the recommendations that we can implement right now,” said Krebs, testifying in front of the House Homeland Security Committee’s Subcommittee on Cybersecurity, Infrastructure Protection, & Innovation March 11.
A CISA spokesperson didn’t respond to a request seeking clarification of which recommendations CISA could implement right now.
New offices and tasks
The commission report recommends that Congress direct the executive branch to start a one-year, comprehensive systems analysis of federal cyber and cybersecurity centers in order to improve information sharing, in part because of CISA’s “unique position” as the middleman between government and critical infrastructure operators.
The review would identify challenges and potential solutions to better integrate federal cyber centers and the private sector with CISA’s efforts.
Another recommendation suggests the creation of a Joint Cyber Planning Cell, housed at CISA, where staff from federal agencies with “operational cyber capabilities” will plan defense cybersecurity operations and will “integrate” planning with the private sector.
“The cell will be charged with coordinating planning for campaigns and operations to respond to and recover from a significant cyber incident or limit, mitigate, or defend against a coordinated, malicious cyber campaign targeting U.S. critical infrastructure,” the commission recommends. “These plans should be developed through a deliberate planning process, accounting for all participating federal agency cyber capabilities and authorities.”
The plans that the cell would create would help inform action by the National Security Council “when an adversary campaign is identified or significant cyber incident occurs.”
The potential for new responsibilities for CISA means the agency will need more skilled employees. At his agency’s budget hearing March 11, Krebs said his agency has more than 650 empty positions, about 150 of them cybersecurity-related.
Krebs said that the agency is trying to reduce the amount of time it takes to get a job. Recently, he said, his agency launched a task force charged with finding options to reduce time to hire. One of the challenges that Krebs wants to solve is that most cybersecurity jobs require a Top Secret clearance. In the hearing, Krebs said that he doesn’t think CISA employees in the field necessarily need a TS clearance and that a Secret clearance could do.
Solarium commissioners, meanwhile, want CISA to attract the top talent in the country.
“We want working at CISA to become so appealing to young professionals interested in national service that it competes with the NSA, the FBI, Google, and Facebook for top-level talent (and wins),” the commissioners wrote.
Asked in the hearing by Rep. Mike Rogers, R-Ala., if his agency’s salary and benefit package is adequate, Krebs said he’s confident in the tools his agency has, like tuition reimbursement and a retention bonus.
“I can actually I think generally compete in the market,” Krebs said. “Certainly not on the top, top, top end, but we can provide between mission and pay and just quality of life, we think we can do a pretty good job here.”
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.