The government’s first cybersecurity agency is about three weeks old, and it’s already learning to walk.
The Cybersecurity and Infrastructure Security Agency’s first steps were toward a rebranding and re-energizing of existing pieces within the Department of Homeland Security. Both emphasize the new kid on the block’s potentially cutting-edge role and its eagerness to play nice with other government agencies and defense-industry bigs.
That work has included pushing ahead on DHS-led, multiagency collaborations with the business community on vulnerabilities in supply chains — long bemoaned as the nation’s cyber Achilles’ heel — as well as on protecting “lifeline” industries like telecommunications, electricity and information technology from cyberattacks.
And it has included emphasizing a growing partnership on cyber with the Pentagon.
Agency head Christopher Krebs has rocketed from event to event talking up partnership and collaboration before industry and government audiences.
Krebs last week headlined an event where an alliance of telecom and technology industry groups unveiled their report on how to fight “botnets”: networks of hijacked computers that can launch both massive and diabolically targeted cyberattacks. Industry sources said the significance of Krebs’ appearance wasn’t lost on the private sector.
Then, there’s the Agency’s National Risk Management Center, recently touted by DHS Secretary Kirstjen Nielsen and led by Bob Kolasky, a familiar face at DHS for industry and other government partners.
Along with managing a “tri-sector” initiative on protecting the so-called lifeline industries, the center has decided to immediately take on improving the cybersecurity of the Global Positioning System, an Air Force-run program where failures could have cascading consequences across the economy.
DHS’s new cyberagency is working closely with Pentagon counterparts on securing other “critical functions” in the economy from advanced attacks, as well.
CISA was the embattled Nielsen’s top legislative priority. Congress quickly moved it to the president’s desk, after months of delay, at a moment when Nielsen’s job seemed to hang by a thread over immigration issues.
“Nielsen has been very supportive of cyber aspects at DHS and it’s not foreseeable whether a successor would want to change things up,” said a private-sector source. “But now this CISA law will solidify that change and implementation will begin immediately.”
Phil Reitinger — a DHS cyber chief during the Obama administration — said several structural changes are needed, including transferring funding and the authority to spend it from DHS headquarters to the new agency. CISA will need its own new authorities in areas like personnel, he said.
Above all, perhaps, Reitinger said the CISA director should have access to the Oval Office in the same way that the Coast Guard or Secret Service heads can seek a meeting with the president, or be summoned directly to brief the president.
Suzanne Spaulding, who like Reitinger served as under secretary leading the old NPPD, noted, “The cyber mission continues to grow and, with it, the size of the workforce carrying out that mission. [Office] space was already an issue and even in my time there, folks recognized the value of consolidating NPPD from the 11 buildings they occupied across the region into a single building or campus.”
Spaulding added: “It would be smart to drive home the importance of standing up the first new operational component since DHS’ establishment by giving them a facility to house the entire mission.”
Reitinger said Congress “needs to step up too” and consolidate committee oversight of CISA so that Krebs isn’t constantly summoned to the Hill to testify before dozens of panels.
At least one House Democratic leader on cyber issues, Rep. James Langevin of Rhode Island, said streamlining oversight would be a top priority for him in the next Congress.
Careful delineation of turf will be crucial. Says Reitinger: “‘Big DHS’ has to keep its hands off the new CISA and let it exercise its new strength, just like the Secret Service does. It needs to build in its own lawyers, human resources — CISA wants to be a foundation of innovation at DHS and it’s very important for the agency to combine its operations into a cohesive structure.”
Like Spaulding, he said this should involve bringing the different CISA elements together into a “single geographic footprint.”
“You know where the Secret Service or the Coast Guard is headquartered,” he said, adding, “Eventually there will be a CISA headquarters, if DHS takes this as seriously as it ought to.”
Kent Landfield of the security firm McAfee observed, “A lot of this is an internal journey for DHS, but we will see things down the road that will be positive for DHS’ industry partners. This is absolutely an evolution [rather than an abrupt change] in getting where we need to be. And it will take awhile for them to organize and centralize.”
But for now, industry partners say they are pleased that DHS has the authority and prestige that go with launching the first cyber agency, and that the department sees its new agency as a partner in this role.
