Last November, the former, somewhat awkwardly named National Protection and Programs Directorate (NPPD) was elevated within the U.S. Department of Homeland Security (DHS) to become the Cybersecurity and Infrastructure Security Agency (CISA) following enactment of the Cybersecurity and Infrastructure Security Agency Act of 2018. CISA is responsible for protecting the country’s critical infrastructure from physical and cyber threats, overseeing a host of cybersecurity-related activities. This includes operating the National Cybersecurity and Communications Integration Center (NCCIC), which provides round-the-clock situational awareness, analysis, incident response and cyber defense capabilities to the federal government, state, local, tribal and territorial governments, the private sector and international partners.
CISA made its first prominent mark as an independent agency during the 35-day government shutdown when, on January 22, it issued an unexpected, and to some a startling, emergency directive ordering admins at most government agencies to protect their domains against a wave of attacks on Domain Name System (DNS) infrastructure. The directive was prompted by a number of DNS tampering efforts at multiple executive branch agencies. This malicious, complex and widespread campaign, dubbed DNSpionage by Cisco Talos, allowed suspected Iranian hackers to steal massive amounts of email passwords and other sensitive data from government offices and private sector entities.
Christopher Krebs serves as CISA’s first director. Krebs previously headed the NPPD as assistant secretary for infrastructure protection and joined DHS as a senior counselor to the secretary after working in the U.S. Government Affairs team as the director for cybersecurity at Microsoft.
I caught up with Krebs last week ahead of his speech about the nation’s cybersecurity threats at this year’s RSA Conference to check in with him on how CISA is faring, its priorities and some timely cybersecurity supply-chain issues that swirl around the cybersecurity debate at the federal level.
CISA seeks to break down silos, organize regionally
Krebs says that he’s looking at the next year or two “to mature the organization and have it be the CISA we know it can be.” That requires a two-pronged approach to get the agency where it needs to go. The first prong is an organizational plan to structure CISA to be its most effective, breaking down silos within the bureaucratic apparatus, flattening the organizational structure and integrating cybersecurity and physical security functions related to critical infrastructure.
Krebs also hopes to improve stakeholder engagement with the agency to deliver better customer service and to reorganize the field structure of CISA’s hundreds of employees to look more like FEMA’s regional model, with a regional director who can operate around regional priorities. Krebs believes this reorganization will give the agency improved economies of scale.
5 key priorities to protect critical infrastructure
The more substantive part of Krebs’ vision is to execute on a set of mission priorities, “five discrete lines of effort that have mission opportunity but also mission risk.” The most pressing of these priorities right now, according to Krebs, is “on China, supply chain and 5G and how are we going to engage managing risk going forward.” These priorities are tightly intertwined.
Keeping China, Russia out of critical networks and data
Krebs is referring to the mounting battle by the U.S. to keep Chinese tech suppliers, most specifically telecom tech giant Huawei, out of critical networks including upcoming 5G mobile communications networks. According to press reports, the Administration was supposed to have issued an executive order banning Chinese telecom equipment from U.S. wireless networks before the end of February, although the order has yet to be issued.
As part of a defense spending authorization bill last year, executive agencies within the government are barred from using technology and equipment made by Huawei and another Chinese tech giant, ZTE. The fear driving the ban of Chinese tech suppliers is that by law they are beholden to the Chinese government and could potentially be required to incorporate spying and other malicious technology into their products as a consequence.
In a parallel set of developments, the DHS issued a binding operational directive against another foreign technology supplier, Russia’s cybersecurity leader Kaspersky Lab. Binding Operational Directive 17-01, issued in September 2017, directed Federal Executive Branch departments and agencies to identify the use of Kaspersky’s security products, solutions and services and remove them from use.
In that directive, DHS says it was “concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks.”
Krebs says that DHS got positive feedback about the Kaspersky ban from the interagency process and from Congress. “From the Hill it was ‘what took you so long,’” Krebs says. He adds that the agency’s decision regarding the Kaspersky ban broke down to three fundamental questions: What is the thing, what does it do and what does it have access to?
In terms of Kaspersky Lab’s hallmark product, its antivirus software, it has unfettered access throughout the machine and any information it collects would or could go back to Moscow. “What do we know about Russia with respect to intelligence services? They have access…the FSB and other intelligence services can require access to that information,” Krebs says. “That’s not a good posture to be in when you’re thinking of IT security.”
The same principle holds true when it comes to China or any other foreign technology supplier. A central question for Krebs and his agency when it comes to foreign suppliers is “what are the systems of value and rule of law that are in place in those countries? If I have product coming into my network from a nation-state that has contrary values to that of the U.S…it’s not something we can continue to tolerate, particularly in federal networks. The time to act was years ago.”
CISA looking into potential threats from foreign VPNs
Yet another area of possible Chinese supply chain threat was raised in a letter sent to Krebs on February 7 from Senators Ron Wyden (D-OR) and Marco Rubio (R-FL). They asked DHS to “conduct a threat assessment of the national security risks stemming from foreign virtual private network (VPN) apps.” The letter mentions three Chinese company-related VPNs: Dolphin, Yandex and Opera. Citing the same kind of national security concerns that are raised about both Kaspersky Lab and Huawei, Wyden and Rubio have asked Krebs to issue a Binding Operational Directive prohibiting use of the VPNs on federal government smartphones and computers, assuming CISA finds them to be likewise national security risks.
Krebs acknowledges the Wyden-Rubio letter and says that CISA is looking at “any appliance that could pose a risk” and is planning to “get the right guidance to folks on their personal devices. It’s being actively looked at.”
Securing elections, government networks, ICS and physical assets are key priorities
Aside from these issues, four other mission priorities will keep CISA busy over the next two years. One obvious priority is election security. DHS ramped up efforts to protect the midterm 2018 elections, and Krebs says he is happy with the increased participation by stakeholders. However, he adds, “We recognize we have a significant challenge ahead of us in managing risks to the election system.”
Government network security is yet another mission priority, one that the DNS hijacking campaign directive reflects. “We’ve been able to harden federal networks and introduce more monitoring to look for that activity,” Krebs says. CISA’s efforts aren’t restricted to just the federal government. “We want to work with state and local partners in improving their cybersecurity” and “help get them where they need to be.”
Beefing up the security of industrial control systems (ICS) is also a CISA priority over the coming years. “The challenge here is that industrial control systems are that area in information security…that is a less mature space than information security. In the ICS space we have a lot of ground to make up,” Krebs says.
Finally, CISA plans to intertwine more physical security issues into its efforts, looking at soft targets such as schools and stadiums to strengthen the measures that can be taken to protect such facilities. Krebs says that one of CISA’s advisors had worked with the synagogue in Pittsburgh that suffered the deadly shooting attack last summer in a way that ultimately saved lives.