The list of open senior-level cybersecurity positions across government is starting to cause some alarm on Capitol Hill.
Senate Homeland Security and Governmental Affairs Committee members questioned administration cyber officials yesterday about who is the one belly button to push when there is a cyber incident.
“I’m concerned that there are new entities and there is the opportunity for duplication, confusion and leadership and the lack of accountability. I saw this in regard to SolarWinds. When it happened, there was some pointing of fingers,” said Sen. Rob Portman (R-Ohio), ranking member of the committee, during a March 18 hearing on the federal response to the recent cyber attacks. “As we look at legislation to reform some of the existing laws, including the Federal Information Security Management Act (FISMA)…how do we do it? Between the [federal chief information security officer], the head the Cybersecurity Infrastructure Security Agency (CISA) and the FBI cyber division and then we have the newly created national cyber director position within the White House, there are a lot of people responsible. So when a cyber attack happens, who do we hold accountable?”
While the answer to Portman’s seemingly simple question is more complicated than it seems, the lack of politically appointed executives adds another level of complexity to the question.
The Biden administration has named a federal chief information security officer in Chris DeRusha, who testified for the first time on Thursday.
But the administration has yet to name the director of the Cybersecurity and Infrastructure Security Agency, even though there was a rumor from January that the administration would nominate Ron Silvers, a partner in the White Collar Investigations and Privacy and Cybersecurity practices of Paul Hastings, a Washington D.C. law firm. The administration still must name a cyber director in the White House, an assistant secretary in the Office of Cybersecurity, Energy Security, and Emergency Response (CESER) in the Energy Department, the State Department’s Office of the Coordinator for Cyber Issues and four cabinet level chief information officer positions, including the departments of Defense and Veterans Affairs.
A senior administration official said in an email to Federal News Network that the Biden administration is making it a priority to fill these open positions.
“In regards to the cyber director position, as we’ve said before we are in the midst of a 60-day review to study how the National Cyber Director role will be structured. Setting up a new federal entity is complicated — there’s opportunity for overlap in [the] current organization’s roles and we’re taking a look at how we can do this in a way that makes the most sense. Again, this remains a priority,” the official said. “As it has been made clear by our actions, the White House takes cyber threats very seriously. The federal government, coordinated by deputy NSA for Cyber [Anne] Neuberger, is working around the clock to make the investments necessary to effectively defend the nation against malicious cyber activity. The White House is working closely with our public and private partners, keeping Congress updated, actively driving efforts to reduce the impact, and defining the next steps we need to take on Solar Winds and Microsoft. There will be an executive order coming shortly that includes initiatives to actively reduce the risk of compromises like SolarWinds and Exchange.”
Lack of CISA director concerning
Rep. John Katko (R-N.Y.) wrote to the White House on March 12 pressing for the Biden administration to nominate a director of CISA.
“I am, however, very concerned about the delay in nominating a CISA Director. CISA finds itself at the forefront of not just one, but potentially two significant cyber incidents facing federal networks, and the private sector. Now more than ever we need permanent political leadership at the helm of our nation’s lead federal civilian cybersecurity agency,” Katko wrote. “As I stated to you in my Feb. 23 letter, for too long CISA has not been provided the stature, resources and centralized visibility it needs to carry out its mission. While incremental steps have been made, we must do more. This includes nominating an individual to lead the agency through this difficult time.”
All of these positions, whether filled or not, is part of what is frustrating Portman.
“So if everyone is in charge, no one is in charge, right? So exactly who is accountable?” Portman asked the witnesses.
He asked the witnesses if the new White House cyber position was even necessary given there are several agencies working together to address cyber challenges.
“It seems to me someone needs to be in charge,” Portman said. “It sounded like what Mr. DeRusha was saying this is just another responsibility. Shouldn’t’ this be the one that actually coordinates everything and has the ultimate accountability?”
Brandon Wales, the acting director of CISA, said under FISMA each agency is accountable for their own cybersecurity.
“There is certainly accountability for CISA for the role that we play in helping to protect and secure and support those agencies in the management of the federal civilian executive branch networks. I think the idea that Congress had for the National Cyber Director was a way to drive coordination at the White House, particularly related to coordinating on incident response,” he said. “But the position doesn’t exist yet, and so I think a lot of this will be determined by, once it’s established, you know, the identification of roles and responsibilities for its office.”
Accountability in question for five years
This isn’t a new issue about cybersecurity accountability. President Barack Obama signed Presidential Policy Directive-41 in June 2016 to create that governmentwide coordination effort. The PPD also set up the Unified Coordination Group, which the White House activated in December when the SolarWinds attack came to light.
DeRusha said the UCG is leading the overall response to the SolarWinds and the Microsoft Exchange cyber attacks.
As part of PPD-41, the UCG will develop an after-action report once the response to the attacks are completed.
But the UCG doesn’t necessarily answer Portman’s question about who is in charge — a question that has come up many times over the last decade.
Former CISA Director Chris Krebs made the case in 2019 that CISA should be the FEMA of cyber attacks, leading exercises to prepare for cyber attacks and then leading the nationwide response efforts.
Many believe that the National Cyber Incident Response Plan (NCIRP) and PPD-41 failed to impact the cyber response effort as expected, and now is putting the government in a more precarious position today than it was in five years ago.
The Defense Department too struggled with its role in responding to cyber attacks, both internally and as partners with civilian agencies.
DoD and DHS reached an agreement for how to help each other out during and after a cyber attack in 2018.
Collaboration never been stronger
CISA’s Wales said governmentwide collaboration on cybersecurity incidents has never been stronger. He credited the work of career officials at the FBI, CISA, Office of the Director of National Intelligence and the National Security Agency.
“There is more joint engagement with the private sector, with our federal agency partners, to ensure that there is not duplication of effort, that we’re all bringing our unique expertise, skills, and abilities when we have cybersecurity incidents or we need to help agencies prepare ahead of time. And I think we would hope that any new addition to that is additive and is strengthening that collaboration that currently exists and making it stronger,” he said.
Portman said he was pleased that Wales said the governmentwide collaboration has never been stronger, but he still believes there needs to better coordination and accountability. He said an update to FISMA may be the path to addressing those issues.
Sen. Gary Peters (D-Mich.), chairman of the committee, agreed with Portman’s call for lines of authority and accountability. He promised to drill deeper into the issue.