Experts Tell Lawmakers to Give CISA 'Operational' Federal Information Security Role

The Cybersecurity and Infrastructure Security Agency, which currently describes itself as the nation’s risk adviser, should play a more hands-on role managing the federal government’s information security, a leading cybersecurity thinker told members of the House Homeland Security Committee.

“Congress should take steps to set CISA on a path to becoming the operational CISO, or chief information security officer, of the civilian federal government,” said Dmitri Alperovich, founder of Silverado Policy Accelerator, a new bipartisan public policy organization focused on national security, foreign policy, and cybersecurity.

Alperovich, who also co-founded the cybersecurity firm Crowdstrike and served as chief technology officer there, testified before the committee on the state of cybersecurity Wednesday along with former CISA director Christopher Krebs, former principal deputy director of national intelligence Sue Gordon, and former White House cybersecurity coordinator Michael Daniel. 

The hearing came in the wake of the massive hacking campaign that has compromised several government agencies and top technology companies which federal officials believe is likely an intelligence gathering effort connected to the Russian government. 

The hackers leveraged their unauthorized access into the development environment of SolarWinds, a widely used IT management company, to deliver malware via a seemingly routine software update to about 18,000 organizations, including Microsoft. But they also used other methods of gaining initial access to organizations’ networks, including common tactics like guessing and phishing to obtain or crack weak passwords, CISA said. 

Alperovich said the vast majority of federal agencies will never have the talent, expertise or resources to defend themselves against sophisticated nation states like Russia and China and should be incentivized to adopt more of the shared services, such as secure email, that CISA has already started offering. 

“CISA should have the operational responsibility for defending civilian government networks just as [U.S.]Cyber Command does for [Defense Department] networks,” he said, adding, “Congress could create incentives for federal agencies to outsource their cybersecurity operations to CISA, such as exemptions for agency heads from FISMA compliance, and turning that responsibility over to CISA.”

Asked by Ranking Member John Katko, R-N.Y. whether CISA should play perhaps an even greater role in the space than the Office of Management and Budget—where the federal CISO position is currently housed—Alperovich said “absolutely.”

He said OMB does have a role to play in sharing standards and advocated speed-based metrics so that both CISA and OMB could have better visibility into what agencies are doing to be faster than the adversary and detect and remediate breaches as quickly as possible and learn from those events.  

Krebs expressed support for Alperovich’s idea. He made a distinction between OMB’s policy setting role and CISA’s policy enforcement role.

“I think if we can expand the resources, capabilities and ability to actually, well, frankly, get agencies to improve their security through resources and capabilities, then I think we're going to be at a much better place,” Krebs said. 

Krebs also addressed an issue Microsoft President Brad Smith raised following initial reports of the hack of difficulty vendors were having sharing information with the government due to contractual obligations. 

Responding to a question from Rep. Bonnie Watson Coleman, D-N.J., about agencies not sharing information across government, Krebs said, “There are a couple of issues here. One is that privity of contract between agencies and their vendors, prohibits CISA, for instance, [from] getting information on incidents.”

Krebs described hearing about cases, particularly in connection with the recent hacks, where “CISA tried to ask a vendor for information, [and] the vendor would say, 'I'm sorry, I can't give you that, that is up to the agency to give you that.' Then the agencies don't always turn that over,” he said. “So we need to change that and put CISA as a part of the contractual relationship.”

In general, Krebs reinforced Alperovich’s point and also called for much greater investment in CISA’s Continuous Diagnostics and Mitigation program, which allows agencies to tap shared cybersecurity services and gives CISA visibility into their environments.

“Any way you cut it, when an agency is responsible for their networks, they're always going to have a sense of ownership and proprietary responsibility, we have to change that model, we have to make it easier for them, where they don't have to hire, where they don't have to invest their own, where it's already provided for and it's a turnkey solution,” he said. “As I see it, CDM is the future of federal cybersecurity.”