Will CISA Emerge as the Government’s Face for Cyber Security?

The Cybersecurity and Infrastructure Security Agency, which is part of the Department of Homeland Security (DHS), is probably the most important cyber security agency in the country that’s virtually unknown to the public. But that could be changing.

CISA’s primary function is to ensure that the nation’s critical infrastructure is safe, secure and resilient. And since about 85 percent of that infrastructure is privately owned, a big part of its mission is to share information and coordinate activities with the private sector.

What’s new and raising expectations—both inside and outside of the organization—is the report issued in March by the bipartisan Cyberspace Solarium Commission. The 14 commissioners, including two members of the U.S. Senate and two members of the House, made it clear that they think CISA is the leading civilian agency in the field. The legislative proposals in the commission’s report included many that, if adopted, would give CISA a big boost.

The commission’s splashiest proposal would create a national cyber director who would work within the Executive Office of the President and function as the president’s top adviser on these issues. But the commission hastened to add that its goal “is not to create more bureaucracy with new and duplicative roles and organizations. Rather, we propose giving existing organizations the tools they need to act with speed and agility to defend our networks and impose costs on our adversaries.

“The key is CISA,” the commission emphasized, “which we have tried to empower as the lead agency for federal cyber security and the private sector’s preferred partner. We want working at CISA to become so appealing to young professionals interested in national service that it competes with the NSA, the FBI, Google, and Facebook for top-level talent (and wins).”

Among their specific proposals, the commissioners urged Congress to provide CISA with resources it lacks, starting with a larger budget. It should also consider upgrading the agency’s facilities and creating stable, multi-year funding. The commission also suggested elevating the director’s rank to the equivalent of military service secretaries and expanding the position’s term to five years.

It seems likely that at least some of these recommendations will be included in the National Defense Authorization Act (NDAA), which Congress will have no choice but to pass before the current session expires. So 2020 could be CISA’s year.

I spoke with Daniel Sutherland, CISA’s chief counsel, to get a sense of what insiders expect. The last time we spoke at length was in June 2019. It was clear even then that CISA was making rapid progress. A year earlier it had been elevated to the status of other DHS agencies like FEMA, the Coast Guard and the Secret Service. It now employs around 2,000 people and has a budget in excess of $2 billion. Not bad for an outfit that in 2017, when it was known as the National Protection and Programs Directorate, employed no more than a few hundred, Sutherland said.

When I asked Sutherland about the Solarium Commission’s report, he was clearly enthusiastic, but he was also cautious about what he could say. Understandably so. After all, this is Washington, D.C., in the year 2020. There’s no telling what will happen.

“We were very pleased that the commission recognized the unique role that CISA has—both within the federal domain and in its work with the private sector to protect critical infrastructure,” he said.

“The report included a lot of recommendations that would strengthen our internal structure,” he went on. “It would also provide increased resources for our effort to support federal agencies, to strengthen the private sector, and to provide critical training and support to local government.”

Sutherland declined to comment on any specific legislative proposals, other than to say, “we are very supportive of many of the concepts and proposals in their report.” Both the House and Senate drafts of the NDAA contain language that would be relevant to CISA, if it survives in the bill he expects will be finalized in December. Negotiations are ongoing, he said, “and we respond when there are requests for assistance from the Hill. But that’s the proper role for an agency like ours to play at this time.”

Demonstrating How Countries Can Work Together

While they await word from Washington, Sutherland and his colleagues have been plenty busy. They recently worked with the Election Assistance Commission to produce an election tool designed to help state and local officials assess and manage cyber security risks as they prepare for November.

CISA also announced several initiatives in early September that should be of special interest to corporate lawyers. One involves incident response plans. Companies are more than familiar with the concept, of course, but the one CISA posted was different. It was a detailed joint advisory drafted with CISA’s counterparts in Australia, Canada, New Zealand and the United Kingdom.

The so-called Five Eyes countries had their technical experts compare notes on what works well in uncovering and then mitigating malicious activity. The five cyber security organizations had formally established a relationship in 2018 (the year CISA launched), and the joint statement—officially an “alert”—is their first published collaboration.

“Lawyers who are involved in incident response for their companies would do well to study this,” Sutherland said. It not only suggests specifically where companies should look for evidence of suspicious activities, and what to look for, it also includes a section that describes common mistakes in handling them. These include modifying data that could reveal details about the intrusion, and doing something that tells the threat actor that he’s been discovered. The alert goes on to suggest best practices to follow during the investigation and remediation.

In addition to the information it contains, the advisory demonstrates something important about CISA, Sutherland said. “It reflects the work we do with our international partners,” he noted, “and reflects the fact that CISA works in the private sector, and we do so in collaboration with experts around the world who share our mission.”

Disclosing Vulnerabilities

Government agencies have long been vulnerable to cyber attack, and CISA hopes that another new initiative will help address that. It calls on the public to report any weaknesses they see directly to the agencies. And it requires agencies to develop and publish a vulnerability disclosure policy that not only authorizes people to do that, but provides them with an easy way that safeguards the information and protects them when they provide it.

“Cyber security is a public good that is strongest when the public is given the ability to contribute,” wrote CISA director Christopher Krebs in introducing this binding operational directive. Though it only applies to government agencies, Sutherland said that a number of companies are working on similar policies for their own businesses. “They might want to consult our documents to see how a federal agency handled this issue,” he suggested.

That sounds like exactly the kind of advice the government expects CISA to offer the private sector. If Congress follows through on the advice it received from its bipartisan Solarium Commission, CISA may soon have significantly more resources to devote to that mission.