Written by Suzanne Smalley
Chris Krebs, former head of the nation’s cybersecurity agency inside the Department of Homeland Security, caused a stir this week when he suggested the agency break out on its own.
Instead of the Cybersecurity and Infrastructure Security Agency residing in DHS, Krebs told an audience at the Black Hat cybersecurity conference in Las Vegas, a standalone CISA could help streamline how the private sector and other stakeholders work with the government to combat cyberthreats.
“Instead of going to five or six different agencies, make the front door clearly visible — and as I see it that’s CISA,” Krebs said.
But former CISA officials and other cybersecurity experts said that idea is simply unrealistic and impractical. CyberScoop spoke with eight former U.S. cybersecurity officials, executives and experts about Krebs’ comments and a majority said that CISA needs to reside inside DHS in order to accomplish its mission.
“DHS gives CISA size and Cabinet-level seniority in the interagency,” Looking Glass CEO Bryan Ware, who previously served in senior cybersecurity roles at CISA and DHS, told CyberScoop. “I worry that without that top cover [CISA] could be diminished by DOD, FBI and others.”
Megan Stifel, the chief strategy officer at the Institute for Security and Technology and a former National Security Council and Justice Department cyber official, said private sector engagement needs to be made as “seamless as possible, and at the present it is not.”
But she said that unlike the Securities and Exchange Commission or Federal Trade Commission, CISA is unlikely to succeed in its mission if it stands on its own. Stifel said that Krebs’ idea merits consideration but that because of the need for private sector engagement to inform and potentially drive requirements within the executive branch, turning CISA into an agency whose “capability is only advisory” would likely undercut its work.
Being housed inside DHS is not ideal for CISA, said former CISA Director Suzanne Spaulding. But she said it is worth tolerating the headaches DHS oversight brings in exchange for the department’s muscle.
If CISA “becomes this little sub-agency of a few thousand people” it will make it much harder for it “to get in at the table” inside the government, Spaulding told CyberScoop.
She acknowledged that DHS has become more consumed by immigration controversies in recent years, preoccupying department leadership and potentially repelling talented and hard-to-find cyber professionals who disagree with the department’s immigration stance, but she said those disadvantages are not serious enough to justify separating from DHS.
The White House’s National Cyber Director Chris Inglis has only been in power for about a year and still hasn’t received his full budget or finished hiring, Spaulding pointed out. Inglis is charged with coordinating all cybersecurity efforts across the government, she said, and should be given time to do that “before we assume failure and reach for another solution.”
If anything, CISA should be moved to Inglis’ office, said James Lewis of the Technology and Public Policy Program at the Center for Strategic and International Studies. He called DHS a “hodgepodge” that needs to be reorganized but said CISA isn’t big enough to stand alone.
Before floating the notion of CISA splitting off, Krebs told the Black Hat audience that he favors an even more radical solution to the “front door” problem: Creating one Cabinet-level agency devoted to digital policy and “focused on empowering better digital risk management services.”
But since Krebs believes it is unlikely that Congress will create such an agency, he said that instead he recommends pulling CISA out of DHS.
Even having one single agency oversee all things digital is a stretch, said Spaulding. Since cybersecurity is embedded in every issue the government touches it will be impossible to rely on one single Cabinet agency devoted to cyber, she said.
One Cabinet department won’t be able to adequately address specialized cybersecurity issues, Spaulding said. “You need to understand how that sector operates, and what the disruptions will do and what’s the regulatory environment that might frustrate an effective response to that disruption.”
Krebs supported keeping CISA inside DHS when working on the Cyberspace Solarium Commission report, said Mark Montgomery, former director of the Solarium project. At the time, Krebs and others helping to craft the report agreed that CISA, which DHS established in 2018, needed to remain inside DHS until it matures, according to Montgomery, who believes the agency needs another 5 to 10 years of DHS oversight.
“It’s not properly organized yet,” Montgomery said. “It’s not properly resourced yet; it has grown 40% in budgeting just in the last three years, and it’s still got more growth to go.”
The notion that making CISA its own entity separate from DHS will somehow streamline the sprawling cyber apparatus inside the federal government is misguided, Montgomery said. Cybersecurity is a major policy portfolio at the FBI, the Department of Energy, the Environmental Protection Agency and elsewhere, Montgomery said, and none of those entities are about to report to CISA.
The private sector has long struggled to make sense of the government’s cyber apparatus, according to Michael Daniel, a former Obama administration cyber official who is now the president of the Cyber Threat Alliance, a nonprofit cybersecurity membership organization. Daniel said Krebs’ suggestion is worth exploring, but he questioned how much streamlining can really happen.
“A cyber incident could be a critical infrastructure problem, a national security problem and a law enforcement problem all at the same time,” said Daniel. He said the federal government needs to do a better job of communicating between agencies to ensure the private sector gets the help it needs but removing CISA from DHS doesn’t address that problem.
“The agencies don’t want to do that part, but that’s where the emphasis has got to be, in my view, in order to actually deal with the problem,” Daniel said. “The burden should be on the federal government to figure out how to make those connections work and to actually get the reporting to the right entity.”
To Krebs’ point, cybersecurity executives said there is significant confusion inside industry over which of the many agencies working on cybersecurity have jurisdiction over which problems.
Many companies are flummoxed by multiple reporting timelines and obligations coming from an alphabet soup of federal agencies, said Padraic O’Reilly, co-founder of CyberSaint, which works with Fortune 500 and other companies to manage cyber risk.
“If this could all be folded into CISA, that would be embraced by the private sector and it would also likely lead to greater efficiencies with respect to reporting,” O’Reilly said. “The front door issue is one of the most complained about aspects of the private sector interacting with the federal government on issues related to cyber.”
But the problem is not an easy one to fix, said Trey Herr, who is director of the Atlantic Council’s Cyber Statecraft Initiative. Herr said he supports trying to give CISA a shot at independence, but he doesn’t think that will address what industry complains about.
“There’s never going to be one front door,” Herr said.
Krebs did not respond to a request for comment for this article nor did a spokesperson for CISA.