The Cybersecurity and Infrastructure Security Agency’s role in helping to defend federal networks from cyber incidents has grown massively in recent years, but a new report suggests that role could expand even further as Congress considers updates to federal cyber legislation.
A report released today by the Center for Strategic and International Studies (CSIS) considers “CISA’s Expanding .gov Mission.” It suggests money is not the primary challenge in federal cybersecurity.
“The U.S. government needs to do a better job of planning, coordinating, and communicating the risks associated with cyberattacks against federal executive agencies,” the report states. “This will likely require consistent staffing at CISA and exploring new service models such as creating collaborative planning teams that deploy to help agencies develop cyber risk strategies and tailored dashboards to monitor their networks.”
The report specifically considers CISA’s growing role in helping to defend federal cyber networks and providing agencies with cybersecurity services.
CSIS recommends that leading offices, including CISA and the Office of the National Cyber Director, commission an independent report “clearly articulating CISA’s roles and responsibilities as the lead for federal network defense.” It suggests such a study would help “all entities involved” better understand CISA’s role, as well as its limits.
Congress is already considering how to position CISA as the lead federal cyber agency under reform legislation advancing in both the House and Senate.
But the CSIS report brings to the forefront the “larger question” of whether CISA should directly manage “the entirety of the .gov landscape.” That kind of arrangement would come with a host of tradeoffs, the CSIS report acknowledges, and agencies are likely to resist such a dramatic change.
“CISA should provide a report describing the pros and cons of this kind of approach, along with its preferred balance of responsibility and the types of roles it hopes to fulfill in the coming years,” the CSIS study suggests.
During an event to unveil the report today, CISA Executive Assistant Director for Cybersecurity Eric Goldstein acknowledged how quickly the agency’s authorities and capabilities have grown within the last few years.
“We have significant resources, we have significant authorities, but we have been on a very positive trend line where we have not yet reached the end state,” Goldstein said. “And one critical question for us is going to be, can we continue on this trajectory? And can we continue shifting that balance of visibility, of agility, towards giving CISA the ability to help agencies understand their own risk.”
“That’s going to require ongoing sustained investment over multiple future fiscal years for us to actually make sure that we can accomplish our goals,” he added.
The Fiscal 2021 National Defense Authorization Act, for instance, granted CISA the authority to conduct cyber threat hunting on the networks of other federal agencies without prior approval.
Goldstein said CISA has used that authority combined with its visibility into federal systems through the Continuous Diagnostics and Mitigation program to quickly identify cybersecurity risks on federal networks, such as the recent vulnerabilities in Cisco web interfaces.
“It has become the U.S. government’s default model for identifying real time cybersecurity risks across every single federal agency,” Goldstein said.
That visibility, Goldstein said, has changed how CISA uses authorities like the ability to issue Binding Operational Directives (BODs) that agencies must follow.
In addition to considering the risks posed by specific vulnerabilities, he said, CISA also considers whether the BOD is “achievable” by federal agencies, as well as whether it has the data needed to issue such a directive.
“As we think through the next round of directives, working with our partners at [the Office of Management and Budget], I think we will be looking at aspects of the federal technology environment where we think more focus, more prioritization might be needed, and when we have data to support our measurement of progress,” Goldstein said.
The CSIS report also suggests Congress should give agencies more flexibility in how they fund their participation in the Continuous Diagnostics and Mitigation program. CISA provides CDM as a centralized service for cybersecurity tooling, but most agencies have to pay for what they use under the service.
“A combination of a working capital funds system, or some flexibility for FCEB agencies to carry over unused funds from previous fiscal year appropriations, might ultimately help provide more consistent funding than what is currently afforded,” the report states. “If nothing else, it will help agencies align their budget requests relative to their cybersecurity risk assessments.”
CISA considers Joint Collaborative Environment
The CSIS report further urges Congress to fund and formalize the Joint Collaborative Environment, an idea first proposed by the Cyberspace Solarium Commission. While Congress has not formally authorized the program, CISA is requesting funding to begin building the JCE, including through the development of a new Cyber Analytics and Data System (CADS) program.
CISA’s plans for the environment include decommissioning the Einstein intrusion and detection system and instead using commercially available tools such as the Protective Domain Name System service. Goldstein said the money saved from decommissioning Einstein can help boost JCE to its full potential.
“Let’s take the savings from that transition, and let’s shift the program into focusing on this analytic infrastructure,” he said.
The CADS environment will help combine all the cybersecurity data CISA has on hand from various federal network defense programs, like endpoint detection and response capabilities. The broader idea for JCE, Goldstein said, is to combine that data with outside cybersecurity data.
“What we are driving towards with the Joint Collaborative Environment is to say, how can we then level up what we’re building with CADS to create an environment where our partners can either benefit from the data we have, can bring their own data to query our data against what they’re seeing, and really create collectively, a place where cyber analysts across trusted partners can work across common data sets to identify previously unseen risks,” Goldstein said.