Operating under the Department of Homeland Security umbrella, the Cybersecurity and Infrastructure Security Agency came into being in November 2018 as an effort to improve cybersecurity across all levels of government. But one month later, the government shut down for 35 days. CISA had to furlough more than 40 percent of its staff during the shutdown while still maintaining critical operations, which it did.
“It has definitely delayed it a lot,” says Nathan Wenzler, senior director of cybersecurity at consulting firm Moss Adams. “They are looking for qualified people to help with this endeavor. Staffing has to be one of their top concerns, and suddenly the agency is in the dark. It becomes ‘out of sight, out of mind’ among security practitioners.”
While the shutdown may have inhibited the push to stand up CISA as an independent entity, the agency considers itself to be on target today.
“When the shutdown ended, our professional workforce moved quickly to get us back into a fully operational posture,” says CISA Press Secretary Scott McConnell. “Currently, CISA is focused on energizing critical partnerships and priorities. Our four cyber-related priorities are election security, federal networks, industrial control systems and supply chain risk management that includes the China threat and coming 5G technology.”
The agency is looking to “reach across traditional boundaries to unify our collective defense and foster a cyber ecosystem, giving the advantage back to the network defenders,” he says.
CISA Faces Operational Hurdles on All Levels
In addition to staffing concerns, CISA faces organizational challenges as it seeks to address cyber issues for both federal agencies and state authorities. On the federal side, CISA needs to create some bona fides as a central repository of cyber know-how and establish itself as a fully functioning federal agency.
It’s made headway in that regard. Even in the midst of the shutdown, CISA was able to issue a warning regarding Domain Name System infrastructure tampering across multiple executive branch agency domains.
So, when it comes to achieving full operational strength, CISA Director Christopher Krebs holds some strong cards.
“On the plus side, they have been put under Homeland Security, and DHS already has a structure that they can fall back on,” Wenzler says. “They are all security folks there, and they understand the hierarchy that you need in a new division. They have a blueprint to work from.”
In implementing that blueprint, though, CISA will likely have to face bureaucratic hurdles. Security information is often siloed within agencies, and it will take a mighty push to break down those silos and centralize that data.
“They still need to overcome that lack of trust,” says Rebecca Herold, CEO of the consulting firm The Privacy Professor. “Government needs effective information-sharing in order to make this work, and for that, the agencies need to know that they can share their data securely with CISA. They need to know CISA’s own systems are secure and that they can use this data in a way that supports and validates the agency’s own cybersecurity needs.”
In the plus column, some cite the apparently strong executive branch backing of the upstart agency. “This organization was created less than six months ago by the president of the United States. He would not have done that if he did not consider it a priority,” says Joseph Steinberg, author of the forthcoming Cybersecurity for Dummies.
If that evaluation holds, the big winners here could be the technology captains of the various federal agencies, who may one day be able to lean on CISA as a powerful ally in the cyber fight.
CISA Looks Ahead to Protecting the 2020 Election
On the state side, the agency needs to carve out a federal role in the 2020 election. Fresh out of the gate, CISA launched #Protect2020, an effort to secure the nation’s election infrastructure. Just a month after the shutdown, in testimony before the House Committee on Homeland Security, Krebs stated that the agency was still up to the task.
Now that work is underway. “We are working with all 50 states and more than 1,400 county and local governments providing support, such as conducting regular vulnerability assessments of election infrastructure,” McConnell says.
That promises to be no small task, however.
“CISA needs to demonstrate that this is something they are going to be proactive on,” says Herold, who adds that the first steps need to come in the near term. “They need to do outreach: ‘Here is a detailed plan for what the states need to start doing now.’ Give them some meaningful steps to take.”
The fledgling agency will have to tread a fine line, however. “The U.S. has a complicating factor, which is that the federal government does not run elections. States run elections,” says Steinberg. A federal effort to secure disparate state voting systems “would be a good thing, but it is a challenge.”
CISA can’t mandate improvements, “but they can set up guidance and they can advise,” he says. “That would at least help to reduce the risk.”
Raise the Bar for Federal Cybersecurity
In addition to securing elections and cyber-hardening critical infrastructure, another CISA goal is to raise the cyber bar across the federal government.
“The hope is that CISA becomes a more public-message-friendly version of NIST,” Wenzler says. The National Institute of Standards and Technology’s technically complex cyber guidelines can be difficult for non-IT specialists to understand.
“If you’re a decision-maker in a federal agency, it could be really helpful to have a go-to agency that can help you understand the requirements and best practices in a way that is actionable and makes sense in the federal space.”
Centralized support could be especially helpful at a time when many agencies are struggling to fill IT positions. “If government is understaffed, maybe CISA can come in and make it somewhat better,” Steinberg says. But, he adds, agencies probably should not expect CISA to do the heavy lifting for them.
“CISA isn’t putting boots on the ground 24/7 as the IT security department for every federal agency,” he says. “It’s up to the agencies to do the actual work.”
How much help will CISA be able to offer? In the near term, that will likely depend on how well the agency can recover from the obstacles created by the government shutdown.
“Within CISA, we know it slowed the pace of organizational planning activities, personnel actions and background investigations. It also brought procurement activity to a halt,” says Grant Thornton Public Sector Senior Manager Tim Hanes. “It’s hard to quantify those impacts, but they were real and are still being felt. You’re talking about a lost month at a very critical time.”