As the White House plans to add another cybersecurity official to its ranks, security experts and legislators are concerned about creating another point of contact for the private sector and whether it could overshadow the Cybersecurity and Infrastructure Security Agency (CISA).
Jen Easterly, nominee to serve as CISA director, said the role should be considered the quarterback of the federal cyber ecosystem, during her nomination hearing before the Senate Homeland Security & Government Affairs Committee last week. She spoke alongside Chris Inglis, nominee for national cyber director (NCD), and Robin Carnahan, nominee for administrator of the General Services Administration (GSA). On Wednesday, the committee voted to advance the nominations to a full Senate vote.
If Easterly is the quarterback, it would make the NCD the coach. Sen. Rob Portman, R-Ohio, acknowledged the importance of having cyber specialists dispersed throughout the government but expressed concern about the possibility of duplicating efforts.
Because CISA is a relatively new agency, the private sector is still learning how to engage with it as its primary point of contact. With the addition of the NCD, confusion could arise as to who or what branch will provide guidance for private sector partners.
"I don't see them as competing power centers," Sen. Angus King, I-Maine, and co-chairman of the Cyberspace Solarium Commission, told reporters last week. "I realize that in any large organization, that's possible, perhaps even likely, but I think it's helpful that these three people in these three important jobs have all worked together and know each other."
The NCD will have a closer relationship with the deputy national security advisor and the White House. Unlike with CISA, the private sector is expected to contact the NCD only regarding policy issues that rise to the level of White House attention, Suzanne Spaulding, advisor to Nozomi Networks, member of the CSC, and former under secretary for the Department of Homeland Security, told Cybersecurity Dive in an email.
CISA's primary mission is to mitigate cyber risk posed to physical and digital critical infrastructure. But bridging the relationship for real-time information sharing or incident notification is still a challenge for the agency.
Colonial Pipeline did not directly reach out to the agency; instead, the FBI looped CISA into the investigation. "They didn't even manage to work with you guys," said Portman, noting the FBI was the first line of contact. Though CISA wants to be the first agency organizations contact during an incident, "it doesn't seem to be working very well," Portman said.
The role of the FBI is to initiate investigations while CISA is more responsible for sharing information with partners to prevent similar incidents. Most of the time, Easterly said, it comes back to basic cyber hygiene. If Easterly is confirmed, how and when organizations engage CISA becomes her responsibility. Easterly proposed three actions to improve CISA's capacity for executing its mission:
- Ensuring the agency has the resources it needs, including personnel and budget
- Ensuring the agency has appropriate operational and technical visibility for defending federal government networks
- Ensuring partnerships are there across state and local governments, federal government and private sector
Easterly focused on the need for cyber talent to be viewed as a pathway for career development instead of a one-off position. To cultivate a diverse talent pipeline, there is a need for expanding internships, apprenticeships, reserve programs and "then creating corridors with the private sector to enable easier passage" so the government can "strengthen that connective tissue between the private sector and the government," Easterly said.
"The approach that I would take is very similar to what I've been doing over the past 4 ½ years, building a team virtually from scratch to help defend Morgan Stanley," she said. Easterly is a managing director at Morgan Stanley and leads the resilience and fusion resilience center. She served as the global head of its cybersecurity fusion center.
CISA likely will have a role in making future industry-specific standards, including notification mandates, according to Easterly. "It seems to me that voluntary standards are probably not getting the job done," Easterly said.
CISA, in particular, needs alerts of incidents so the agency can warn other potential victims, she said.