Federal civilian government agencies need new models for securing their networks, rather than each carrying responsibility for its own security as they do now, and the Department of Homeland Security is already working with federal and congressional policy makers to begin considering new security architectures, Chris Krebs, the director of the Cybersecurity and Infrastructure Security Agency (CISA), said on Thursday.
Security across the 99 federal civilian agencies isn't well coordinated and isn't "tenable" in the long term, Krebs said in a speech at Auburn University, where he outlined his vision and operational priorities as contained in his first Strategic Intent.
Krebs said "we need to make sure we are understanding what's happening across the entirety of the federal government so that we can manage risk so that if we see something hit one department, we can look for it in other departments and agencies. The way historically it's been managed, that capability is not in place."
DHS is working with the White House Office of Management and Budget and Congress to try and find better solutions to protect federal civilian networks, Krebs said.
Having all or most of these agencies protect themselves "is not a tenable position, that is not a defensible position in the long term," Krebs said. He added, "And so in five years, I think, you may see a completely different architecture across those 99 agencies. There may be some of those agencies that just say, 'You know what, I can't do this anymore, somebody else do it for me.'"
Some of the larger agencies may decide they can take care of their own security but others may want a different approach, he said.
"Whether it's CISA as a shared service, or quality service management offering. Whether we do it or someone else does it, it's gotta change, so we are helping work through those processes," he said.
CISA bills itself as the "Nation's Risk Adviser" and Krebs said his agency helps other federal agencies by "putting them in a position to manage their risk better." CISA also helps the federal civilian government with acquiring and deploying various sensors and tools to strengthen their cyber security posture.
The 16-page Strategic Intent consolidates in one document Krebs' main talking points this year. CISA was formerly the National Protection and Programs Directorate; the name change last November, combined with some organizational realigning, was meant to improve the branding of the agency across the public and private sectors and to recognize the operational nature of its work.
CISA's role is to share information and enhance collaboration and cooperation within and between the public and private sectors.
The Strategic Intent briefly outlines Krebs' five operational priorities in order, beginning with risk from China, with a particular focus on mitigating risk to supply chains such as through 5G or other technologies.
Election security is the second priority and is an area where CISA helps state and local government and the companies that support them.
In his speech at Auburn, Krebs said the 2018 congressional elections were the most secure in the nation's history. He said CISA worked with all 50 states and more than 1,400 local jurisdictions to help enhance election security.
This year CISA held a national level tabletop exercise on election security and has published guidance and best practices for localities and political campaigns to use to bolster their security.
"CISA's work on election security is a model for how the agency can rally its resources and bring together a variety of stakeholders to address a common risk," the Strategic Intent says.
The third priority is the security of soft targets such as schools and crowded places. CISA has the lead within DHS for soft target security and works with partners to develop and implement measures to reduce risks.
Federal cyber security is the fourth priority, and the document highlights that "The speed of change in the cyber world is outpacing the current federal 'policy to implementation' process." Included in this priority is the commitment to help state and local governments with their cyber security and to help defend them against ransomware attacks.
The final priority is industrial control systems, which are a key feature of critical infrastructure. Here, CISA is working to reduce risks to these control systems.
Krebs said he likes to keep things simple and concise, and CISA this year has been operating with two goals in mind: Defend Today and Secure Tomorrow. The Strategic Intent outlines objectives and sub-objectives for each goal.
Defend Today covers the immediate actions that can be taken to protect networks and mitigate the consequences of successful attacks. For Secure Tomorrow, CISA, through its collaborative approach, hopes to set up its public and private sector partners to be successful in managing their future risks, including, as Krebs said, "baking" in security up front.
"For long-term risks, we need to sow the seeds of change today to make a difference in the years to come," the Strategic Intent says. "CISA will make a concerted effort to anticipate and address long-term risks, including building systems secure by design and ensuring a national workforce supply to support critical infrastructure."
Democrats and Republicans on the House Homeland Security Committee applauded the release of the new strategy. Chairman Bennie Thompson (D-Miss.) said in a statement, "If this newly re-branded agency is going to be effective in securing U.S. critical infrastructure against physical and cyber threats, it will need steady leadership, a talented workforce, and a realistic understanding of its resource needs." He added that he wants to hear from Krebs about the resources CISA needs to be successful.
During a question and answer portion of his speech at Auburn, Krebs said he is looking to eventually get more CISA personnel into the field.