Frustrated by ongoing cyber threats from the United States and abroad, members of the U.S. House Homeland Security Committee said Wednesday they are developing new legislation that would expand the powers of the Cybersecurity and Infrastructure Security Agency (CISA), currently an operational component under the Department of Homeland Security, so that it would coordinate online security government-wide as a cybersecurity czar.
The bill would be similar to one introduced in the last Congress by several members of the panel as part of the national cybersecurity improvement package which aimed to enhance national cybersecurity through the creation of a public-private workforce exchange program and empower CISA through increased stability in leadership positions and funding.
“CISA needs more authority, more resources,” said U.S. Rep. John Katko (R-NY), one of the sponsors of last year’s bill, during a committee hearing on assessing cyber threats, who called on colleagues to “give CISA the authority and resources it needs.”
The bipartisan package introduced by committee members last year would:
- Create a five-year term for the CISA director, with a limit of two terms. The term of office for the current director begins on the date the director begins to serve;
- Elevate the director to the equivalent of a Deputy Secretary and Military Service Secretaries;
- Require CISA to review how additional appropriations could be used to support programs for national risk management, federal information systems management, and public-private cybersecurity and integration. It also requires a review of workforce structure and current facilities and projected needs;
- Establish a public-private cyber exchange program allowing government and industry professionals to work in one another’s field;
- Expand existing private outreach and partnership efforts.
The lawmakers’ comments came as a panel of four cybersecurity experts unanimously endorsed the expansion of CISA’s powers, including its recent former director, Christopher Krebs, who had headed the agency since its 2018 inception.
“We need a single agency with cross-authority on cyberthreats,” added Susan Gordon, former principal director of National Security who formerly served as head of the CIA’s cybersecurity team.
Krebs called for enhanced governance, increased funding, and centralized services offered by CISA. He told committee members during the online hearing that CISA also should be authorized and funded to provide entry and mid-level information security and operational security education and training programs. “These programs should prioritize remote learning opportunities in order to engage more students,” he said.
Among other things, Krebs said CISA should be able to set standards for cybersecurity and be included in government contracting requirements as an authorized recipient of vulnerability and incident notifications. “As of now,” he said, “privity of contract and the bounds of non-disclosure agreements (NDAs) limit the sharing of information on risks or incidents beyond the vendor and the customer. This puts the vendor in the position of not being able to share information with CISA for broader understanding of an emerging or ongoing incident.”
Krebs, who focused most of his two years at the agency on securing elections from foreign threats, said elections security was just one of as many as 25 functions identified as ripe for CISA assistance.
Dmitri Alperovitch, executive chairman of Silverado Policy Accelerator and former chief technology officer of CrowdStrike, one of the leading cybersecurity firms, said CISA should have the authority to coordinate the efforts of chief internet security officers throughout the federal government; the experts agreed that the current uncoordinated arrangement creates inefficiencies and opportunities for bad actors to probe and attack individual agencies. Krebs said the federal government is plagued by 101 different email systems across civilian agencies. Rep. Katko said such a system is “too uncoordinated, too clunky and ultimately inadequate.”
“The majority of the 137 executive agencies lack the personnel, the know-how, and the resources to execute a comprehensive cybersecurity strategy,” Alperovitch told lawmakers. “Congress took an important step toward centralizing federal cybersecurity strategy by creating CISA in DHS in 2018, but the next step is to give CISA both the authority and the resources that it needs to effectively execute its mission.”
“Ultimately,” he said, “CISA should have the operational responsibility for defending civilian government networks, just as Cyber Command does for DoD networks. The recent NDAA, which vested CISA with the authority to hunt on agencies’ networks without the explicit permission of those agencies, was a critical move in that direction.”
“CISA will now need additional funding to build a 24/7 threat hunting operations center to fulfill the requirements of that mission. Another important step would be to create incentives for federal agencies to outsource their cybersecurity operations to CISA, turning it into a cybersecurity Shared Service Provider. Such incentives may include exceptions for agency heads from FISMA compliance and turning that responsibility over to CISA, if it is actually being given the authority to secure that agency’s network.”
He called on Congress to pass a comprehensive breach notification law. Such a law, he said, would require major private companies, such as those in critical infrastructure, to report technical indicators associated with breach attempts to CISA, including for breaches where no personal information is actually compromised. “If there is a single overriding lesson from the recent supply chain attacks, it is that the information sharing between government and industry remains a serious challenge,” Alperovitch said. “Some victims have shared very little information about what took place inside their networks; others have not even publicly acknowledged that they were targeted.”
“At present, there is no comprehensive federal breach notification law, and state-level laws are too decentralized, too focused on personal information instead of risk to systemically important critical infrastructure, and sometimes create a perverse incentive for companies not to investigate attacks. In the case of complex supply chain attacks like ‘Holiday Bear,’ one company’s failure to publicly report a breach can have wide-reaching implications. For example, if cybersecurity company FireEye had not voluntarily and publicly shared evidence of their own compromise and that SolarWinds was the attack vector, the public and the government may not have known about this highly impactful attack for many months to come. Yet, FireEye had no legal obligation to report this breach under existing law. They should be praised for their courageous decision, but unfortunately, not all other victims have followed their lead in transparency.”
Michael Daniel, president and CEO of Cyber Threat Alliance, called on the U.S. to go on the attack against non-state and state cyber threats. “We need to go on the offensive with all of our capabilities,” said Daniel. Alperovitch agreed, saying the U.S. needs to be able to disrupt the infrastructure of both criminal groups and nation-states, which he cited as Russia, China, Iran and North Korea.
Gordon agreed, saying “you need to increase the cost of attacks by doing the little things that make us more secure.”