Congress should give the Cybersecurity and Infrastructure Security Agency (CISA) more responsibility for protecting information and data networks of federal civilian agencies, many of which don't have the resources to adequately do it themselves, cyber security experts told a House panel on Wednesday.
Christopher Krebs, who was the most recent Senate-confirmed director of CISA until his ouster by then-President Donald Trump in December, said strengthening CISA's role in overseeing federal network security would provide "increased visibility through centrally managed services."
CISA, a component of the Department of Homeland Security, was given authority in the fiscal year 2021 defense policy bill to hunt for threats on federal civilian networks, which Krebs said is "key" for gaining visibility into these networks.
However, CISA needs to deploy more detection capabilities, hire personnel to support this mission, and get cooperation from other federal agencies, Krebs told the House Homeland Security Committee. Dmitri Alperovitch, co-founder of the cyber security firm CrowdStrike [CRWD] and now executive chairman of Silverado Policy Accelerator, said that in addition to more resources for the threat hunting mission, federal agencies should be given incentives to "outsource their cyber security operations to CISA, turning it into a cyber security shared services provider."
Michael Daniel, who served as President Barack Obama's cyber coordinator and now runs the Cyber Threat Alliance, said CISA's new threat hunting mission will help mitigate some weaknesses in cyber security posture at agencies. He also said that the government needs to keep "consolidating cyber security services within a smaller number of agencies" that in turn provide these services to other agencies.
Another key element in reducing cyber security risks across the government is replacing legacy information technology systems, Daniel said.
Alperovitch pulled no punches and said CISA should have the "operational responsibility for defending civilian government networks, just as Cyber Command does for DoD networks." He also said that CISA should essentially become the chief information security officer for the federal civilian government, a role that Krebs said the agency is already performing.
The federal civilian government remains resource-challenged to provide effective cyber security across 100-plus agencies, Krebs said. He said the Continuous Diagnostics and Mitigation (CDM) program, which is overseen by CISA and provides capabilities to agencies to gain visibility into, and defend, their networks, "remains the critical core of federal cyber security" but isn't deployed as widely or as deeply as it should be.
Limitations on deployments of CDM are due to "underestimation of required services and funding constraints," he said. More funding for CDM deployments will aid in hunting down Russian intruders that were able to breach federal and private networks using third-party software that is part of larger systems used in networks. Krebs also said CDM will aid in fixing breached networks.
Even with the new threat hunting capability, as federal agencies move toward cloud-based services, CISA is losing visibility "into network traffic," Krebs said. CISA, the White House Office of Management and Budget, and the General Services Administration need to collaborate to harden the cloud-based email environment for agencies, he said.
Following the hearing, Rep. John Katko (R-N.Y.), the ranking member on the committee, issued a statement saying the testimony from the cyber security experts confirms his policy position that CISA "needs more resources, better-defined authorities, and centralized visibility over the dotgov space."