The United States Congress has for many years tried and failed to make meaningful progress on securing federal government systems.
The US government - to its credit - is wholly transparent about this failure. Numerous public audits - and a 2019 Senate subcommittee investigation - speak of unmet goals and a lack of accountability for managing cyber risks in US government agencies.
Now the Cyberspace Solarium Commission (CSC) - a 12-month, bipartisan study of US cybersecurity policy - asks lawmakers to shore up and expand on the US$17 billion a year spent each year on cybersecurity across the civilian government. Of the CSC’s numerous recommendations, a recurring theme is the need for more funding and authorities for the Critical Infrastructure Security Agency (CISA) to do more of the heavy lifting.
Mark Montgomery, executive director of the Cyberspace Solarium Commission told Risky.Biz that were it not for the opportunity the imminent NDAA bill provides to pursue DoD reforms, strengthening CISA would be the first of the 84 recommendations he’d pursue.
“Job number one for the government should be to secure the .gov space,” agreed Dmitri Alperovitch, co-founder and former CTO of Crowdstrike, after participating in one of the commission’s exercises. “Before you go tell the private sector what to do - before you regulate and wag your finger at them - you need to stop living in a glass house and get your own networks into shape. The reality is that the government’s networks are less secure than just about any Fortune 500 company. Yet the data they hold is of huge advantage to attackers - both from an espionage and a cybercrime perspective.”
Established in 2018, CISA inherited a troubled legacy.
It’s parent agency - the Department of Homeland Security - spent several years and over US$5 billion to build the National Cybersecurity Protection System, a network gateway used to monitor traffic flowing in and out of federal agency networks. The NCPS was cumbersome to implement, and at every stage of its development its capabilities lagged behind changes in network use and attacker behaviour.
CISA also inherited the Continuous Diagnostics and Mitigation (CDM) program. The CDM provides shared access to building-block security capabilities government agencies require to meet minimum compliance standards. Each new service added to the program - hardware and software asset management, identity and access management and vulnerability management, among them - has been delivered late.
In 2018, the CISA Act established CISA as a standalone agency and assigned it a far larger set of responsibilities. CISA now has legal authority (through the Secretary of the DHS) to issue binding operational directives to agencies to take a prescribed action in response to a known threat, vulnerability or incident. CISA even has legal authority to handle incident response at the request of private operators of critical national infrastructure, such as electricity networks.
But in the 18 months since it gained these authorities, CISA has either lacked the clout or the capability to wield them. A February 2020 audit by the Government Accountability Office found that CISA failed to deliver some prescribed services to agencies, and on the rare occasions it made operational directives, agencies “didn’t always complete the directives’ actions on time”.
The Cyberspace Solarium Commission also found that CISA’s authorities were “not widely understood or consistently recognised” in interviews CSC staff conducted with agencies. The establishment of CISA “has not effectively centralised federal civilian responsibilities” as expected. Agencies were “uncertain” and “ambiguous” about where their role ended and CISA’s began.
In response, the CSC’s report asks Congress to ‘codify’ roles and responsibilities between CISA and agencies to bring about greater accountability.
It wants CISA to evolve from being the nation’s ‘risk advisor’ to take accountability for national management of cyber risk across all critical infrastructure - whether public and private.
Set against this legacy and mismatched expectations about its remit, CISA Director Chris Krebs is doing a remarkable job of winning confidence.
CISA has been lauded for its threat-intelligence sharing and outreach programs which have provided the public with timely, contextualized and actionable advice.
“The assessment of the Commission was highly positive of what Chris Krebs has done,” said Mark Montgomery, Executive Director of the Cyberspace Solarium Commission in an interview with Risky.Biz. The CSC report recommends Krebs is offered a new five-year term, a promotion and modest pay rise.
“What [CISA] needs from Congress is the right infrastructure, and the right amount of dollars to be appropriated when the Executive Branch asks for it,” Montgomery said.
The Commission’s legislative commissioners have penned letters to appropriation committees to recommend that the cost of an expanded remit be factored into CISA’s FY21 budget.
Krebs told Risky.Biz he is grateful that the Commission “re-affirmed the decision of Congress to establish CISA as the federal civilian cybersecurity agency” and that it validates CISA is “on the right track.”
He plans to broaden the scope of the 11-year old CDM program - initially designed for tracking compliance to security baselines - to include operational capabilities that deliver agencies some tangible security outcomes.
“CDM is not quite where we want it to be yet,” he told Risky.Biz. “Ultimately we want to understand the health posture of each agency down to the individual host level. We want to be able to take direct action if needed against any activity we see, whether that’s a compromised host or a breach of data compliance policy.
“You can deploy a lot of stuff in the network, but what we really have to get down to is Endpoint Detection and Response (EDR). That’s going to be an area of focus for the next couple of years. When you look at the MITRE ATT&CK framework, a lot of the things we’re doing right now gives us a lot of yellow across the framework. We start deploying EDR and that’ll light up green.”
The Commission recommends CISA is granted the authority to perform threat-hunting across civilian government networks, to help agencies eject any adversaries they find, and to stand up a threat ‘fusion center’ to share results across agencies and (where appropriate) with the private sector.
That’s music to the ears of Alperovitch.
Alperovitch said that most government agencies - whether in the US or elsewhere - are unable to attract the talent or develop the capability to adequately defend against motivated state-backed adversaries.
“Today the US Government has no clue about which criminal groups and nation-states are on these networks,” he said. “Discovery of compromises is taking way too long and visibility is very limited. So let’s find out who is on those networks, let’s kick them out and think about how difficult we can make it for them to get back in.”
Alperovitch is impressed by Krebs’ work to date and thinks the agency deserves time and a clear mandate to build the skills and capabilities required to deliver these new services across the federal government.
There is a tremendous amount of great security talent in the US government, he said, but there’s also a tendency for the best technical talent to choose roles in defence and intelligence. CISA presents a ‘focal point’ for attracting security talent into government in civilian roles.
“We need to make sure that civilian agencies are not seen as the bastard child that no one ever wants to go work for,” Alperovitch said. “Unless you give them some sexy missions like threat hunting, you are never going to get there.”
If anything, Alperovitch doesn’t think the Commission recommendations on .gov security go far enough. He believes that longer-term, CISA should effectively become the “CISO function” of the entire civilian federal government.
The ‘CISO’ title, it should be noted, means something different in the US Government to what it means in the private sector. Today, the federal government CISO - a position currently held by Grant Schneider - sits within the Office of Management and Budget (OMB) and is responsible for setting US cybersecurity policy. Schneider’s OMB works closely with CISA to implement and manage compliance with policy.
At the agency level, it’s a stated policy that accountability for security risks should ideally sit with the CIO. Most agency CISOs report into the CIO - which arguably inhibits their ability to perform governance over the IT function.
In 2019, OMB and CISA - in response to a Senate subcommittee recommendation - asked that agencies consolidate or outsource their security operations centres (SOCs) unless they met a prescribed standard. It’s perhaps telling that several agency CISOs have since departed for roles in the private sector. Some haven’t been replaced.
By contrast, CISA had a FY20 budget of US$2 billion and today has hiring actions against close to 800 open roles. Krebs told Risky.Biz that he plans on CISA providing ‘SOC-as-a-service’ to agencies in the near future. And while 2000 of CISA’s 2600 staff are today clustered within close proximity to the US capital, Krebs is actively seeking to hire top talent from across the country.
“For me to be effective at working with the private sector and state and local government, I need more boots on the ground [as] advisors in the state capitals and the broader community,” he said.
CISA now has the remit, authorities and hiring plans that can readily be likened to the CISO of a large, multi-brand conglomerate - only with the biggest outreach program in history lumped on top. This momentum leaves the impression that - whether or not it is part of Krebs’ grand design - his empire is going to get very big. But Krebs says that “even if [CISA] moves closer to the role of a CISO,” you’ll never hear him call it that.
“There’s a lot of things we do from an enforcement and governance perspective that look like a CISO role,” he said. “The things we are doing now - and what we will be doing over the next couple of years - will transform us into more of a centralised [managed security] service provider for the rest of the Federal Government.
“Now you could interpret that as a CISO function, but we’ll probably not move into that full-blown risk management role. Agencies need to own their risk - we’re just helping them manage it.”
This story is Pt II of a series on the Cyberspace Solarium Commission. You can read Part I here or subscribe to the Seriously Risky Business newsletter to read more.