With shutdown clouds lifting, CISA spins back up

CISA Director Chris Krebs, shown here at a 2018 Senate hearing, convened agency staff on Jan. 25 to set post-shutdown priorities.

The partial government shutdown hit the newly created Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security just as it was spinning up operations.

While CISA's essential operations continued during the 35-day shutdown, much of the organizational and policy work needed to launch a new agency was put on hold.

CISA Director Christopher Krebs convened a Jan. 25 staff meeting to discuss the impact and the steps needed to spin back up, FCW has learned. He said the agency's original contingency plan was only designed to weather a one or two-week funding lapse.

"There is no 35-day shutdown plan, there is no 50-day shutdown plan," Krebs said.

CISA will focus its post-shutdown priorities on processing paychecks and bonuses to employees, spinning back up election security support efforts to states and localities, and surveying the impact to cybersecurity programs and other operations, Krebs told the CISA team.

The White House on Jan. 25 announced an agreement to temporarily reopen parts of the government that have been operating without funding for more than a month.

Many state and local election officials rely on CISA for vulnerability assessments, threat intelligence and technical support. A former DHS official told FCW Jan. 24 that much of that work had ground to a halt during the shutdown.

Krebs told employees that CISA leadership will be developing its own list of priorities but asked for regional offices and program managers for advice on the top three shuttered projects or programs that most impact the agency's risk posture. It will likely take weeks for the agency to return to full operational capacity.

While it was not addressed at the meeting, CISA also will have to focus efforts on getting other departments and agencies to comply with a Jan. 22 emergency directive to mitigate IT vulnerabilities related to a global DNS hijacking campaign.

That activity was first publicly reported by several private threat intelligence firms in November 2018 and January 2019, and DHS and the U.S. Computer Emergency Readiness Team followed up with their own alert and the finally the emergency directive shortly after.

It's still not clear exactly when the attacks took place and how many federal agencies may have been affected. On Jan. 24, CISA released additional technical details and indicators of compromise for the attacks to the public. In a corresponding blog, Krebs said CISA was continuing to assess the impact of the campaign on federal infrastructure, but that the attackers were actively targeting governments and "we know enough to be concerned."

Before the deal to reopen the government, CISA was facing the prospects of implementing the order over 10 days and ensuring compliance from other agencies without its full staff.

The same day the directive was issued, Rep. Jim Langevin (D-R.I.) told FCW that he found the DNS hijacking campaign "disturbing" and questioned whether CISA's order to agencies could be effectively implemented under shutdown conditions.

"It's not clear who will actually be on hand to implement these changes within the next ten days," Langevin said at the time. "Clearly DHS is moving with urgency because of a specific need."