I talked to 15 people familiar with CISA’s work, including 4 current employees and 5 former CISA officials. Some of the problems they described:
* Far too few hunt & incident response teams
* Not enough $ for risk management center
* Not enough data analysis capabilities
Even though many employees are "exhausted," as one put it, they're still optimistic about their agency's future.
They love their mission and hope new Biden admin leadership will get them what they need.
CISA Cyber Division chief Eric Goldstein, one of those new political appointees, told me that CISA isn't yet "having to make triaging decisions" about what cyber aid to offer, and to whom — but he added that regular funding boosts would ensure that that remains the case.
There's bipartisan support for boosting CISA's budget.
One of CISA's biggest problems: its two main programs for monitoring federal networks, CDM and the National Cybersecurity Protection System, are out of date.
They'll need major upgrades to handle novel malware, ubiquitous encryption, cloud services, and identity-based attacks.
CISA is in the process of fixing some of these problems. It's investing in new network sensors and data analysis capabilities so it can spot and understand problems before they blossom into crises.
But it needs more $ & a more mature hiring process to sustain growth & progress.
As @CostelloJK pointed out, CISA has unique advantages. Companies and state/local govts trust it in a way they don't trust NSA/FBI. As a result, it gets unique domestic cyber threat insights.
If it falters, other agencies won't be able to pick up its slack.
CISA is in a difficult spot.
Its reputation suffers with every major breach it misses — even if it's not realistic to expect it to catch everything; certainly its foreign-focused counterparts don't — and every reputational hit jeopardizes its partners' all-important trust.
Great question!
One thing I wasn't able to get into my story is that, in the FY21 NDAA, Congress allowed CISA to proactively hunt for threats on other agencies' networks without being invited in.
This should greatly increase their visibility. It was their big recent ask.
DHS just wrapped up a background briefing with senior officials on the department's cybersecurity agenda.
Nothing earth-shattering, but I'll share a few comments that stood out to me.
We've previously heard from Anne Neuberger that the Biden administration has an EO coming with mitigations related to the SolarWinds/Exchange vulnerabilities. Today, a senior DHS official told us that it will contain "close to a dozen actions."
DHS Sec Mayorkas will be discussing cyber tomorrow during an RSA event.
Per sr official, he will offer a "comprehensive vision" for using DHS/CISA to defend the country, incl through several "cybersecurity sprints" that he previously teased.
HSGAC Chair Gary Peters: “The process and procedures for responding to cyberattacks desperately needs to be modernized,” including by reforming FISMA and streamlining information sharing.
Peters: “It is clear from the gravity of this threat that we need to examine whether CISA, the FBI and other agencies have what they need to protect the American people.”
Interestingly, the National Intelligence Officer for Cyber disagreed with the conclusion that China didn't interfere. They put more stock in evidence showing that "Beijing preferred...Trump's defeat and the election of a more predictable member of the establishment instead."
In a separate document, DHS/CISA and DOJ/FBI say they investigated the right-wing conspiracy theories about foreign voting machine rigging and results tampering, and that they're "not credible." dhs.gov/sites/default/…
At WH briefing, national security adviser Jake Sullivan says the U.S. is "still gathering information" about the "scope and scale" of the Microsoft Exchange hacking campaign.
Sullivan: "The precise number of systems that have been exposed by this vulnerability and have been exploited, either by non-state threat actors or ransomware hackers or others, that is something that we are urgently working with the private sector to determine."
Sullivan: "It is certainly the case that malign actors are still in some of these Microsoft Exchange systems, which is why we have pushed so hard to get those systems patched, to get remediation underway."
One year ago today, the WHO declared the coronavirus a pandemic, Tom Hanks got Covid, schools and sports shut down, and normal life in America evaporated for everyone not already working from home.
NBC just published a great collection of people's last "normal" photos, and they are absolutely haunting. nbcnews.com/specials/the-l…
"The cascade of announcements felt like a turning point in the crisis ... Ordinary life in many places will no longer be the same for the foreseeable future as society adjusts to a new reality that transforms everything..."
The House Appropriations homeland security subcommittee is about to start a hearing on "Modernizing the Federal Civilian Approach to Cybersecurity" with acting CISA chief Brandon Wales and new CISA Cyber Division head Eric Goldstein.
Wales and Goldstein will tell Congress that CISA needs better "visibility into agency cloud environments and end-points," esp. in light of remote work. And they'll announce work with NIST on a "common baseline" of security rules, esp. for logging. docs.house.gov/meetings/AP/AP…
Wales and Goldstein, whose agency is dealing with SolarWinds and Exchange on top of its regular work, will also deliver this warning to appropriators: CISA's "incident response resources must be fortified now to ensure that we will not be overwhelmed in the future."