Rep. John Katko (R-NY) is Ranking Member of the House Committee on Homeland Security. He is also a former federal prosecutor.
OPINION — It should not come as a surprise to anyone reading this article that we find ourselves in the wake of two significant cyber incidents. While we are still learning each day about the nature of the respective compromises, their causes, and how to best remediate, we now know enough to have a general idea of how to be more resilient going forward.
Some proposed fixes are readily and easily achievable. For example, while Acting CISA Director Brandon Wales has done a commendable job in difficult circumstances, permanent political leadership is urgently needed at the nation’s lead civilian cybersecurity agency. Other fixes will require more sustained policy engagement and evolution of our overarching cyber defense model. I’ve broken those down into the following five general pillars to help steer the national conversation:
First, we need to seriously rethink our fragmented approach to .gov security by centralizing authority with CISA wherever possible. While CISA’s federal hunt authority from the FY2021 NDAA is a welcome step in the right direction, CISA still does not have the proper authorities, resources, or holistic visibility into the .gov enterprise to effectively defend against, and nimbly respond to, attacks. We’re asking CISA to play at the professional level but we’re only equipping the agency with the resources of a high school team. If we want CISA to hold its own on the field, we must equip it with the tools to not just compete, but to win. I see CISA becoming a $5 billion budget agency in the next five years, and the down payment included in the American Rescue Plan Act is a good first step.
As a starting place, these long overdue federal hunt authorities still need to be fully operationalized. Additionally, we need to rethink our desired .gov security outcomes and align the Federal Information Security Modernization Act (FISMA) with those outcomes. Specifically, we need to ensure that CISA has adequate real-time visibility across the entire .gov enterprise. The EINSTEIN and CDM programs are a generally helpful baseline, but there are still significant blind spots such as cloud services and increasingly encrypted outgoing traffic. Ultimately, we need to empower CISA to become the operational Chief Information Security Officer (CISO) of the federal government. The current confederated authority model across 100+ agencies is too clunky and too opaque. This shift should build off CISA’s designation as the cybersecurity Quality Services Management Office (QSMO) of the federal government. Zero trust solutions should be part of this evolution.
Second, we need to better understand the nature and extent of third-party cyber risks. In this interconnected web of hardware, software, and services that underpin our way of life, where are there concentrated sources of risk that could result in cascading or systemic impact if we assume breach? We must better understand the ubiquity of managed service offerings with pervasive access privileges. This is a relatively simple equation: Highly prevalent + high degree of privilege = a concentrated source of risk. The Biden Administration should leverage CISA’s requirement to carry out the Continuity of Economy provision of the FY21 NDAA to illuminate where there are deployments of hardware, software, and services that present the potential for systemic risk, and CISA should build on its existing Information and Communications Technology (ICT) element taxonomy developed in partnership with industry to specifically tease out more risk fidelity for ‘sensitive system software.’
Third, once we identify these potentially concentrated sources of cyber risk, we need to ensure that we have vendor certification processes that actually lead to risk reduction. Too often, the federal government creates perfunctory compliance exercises in the name of risk management. There are a number of vendor certification or risk judgment regimes in various stages of development across the federal government, with DoD’s CMMC and the Federal Acquisition Security Council (FASC) garnering the most headlines. Let’s work together to ensure these regimes accomplish our common goal of making the connected world more resilient and secure for everyone. Let’s first examine the viability of pushing the existing certification regimes in the most productive directions, and then from there – if there are discrete risk management gaps – find effective ways of closing them.
Fourth, we need to drive better software assurance and development lifecycle practices across the entire ecosystem. Whether software flaws are deliberate or not, the software supply chain represents an attack vector that, if exploited, leaves the potential for a “digital pandemic” of sorts – where the impact of one bad line of code can be felt across the entire economy. We should build on our understanding of concentrated sources of cyber risk to identify ways to verify the security of software updates that could have particularly grave consequences if compromised. Great work has already been done by a number of organizations to develop best practices for secure software development – such as NIST, BSA, and SAFECode – and these should be promoted and adopted more broadly.
I have been sounding the alarm on the importance of better software development for some time now and have been encouraged to hear recent comments from CISA leadership about a recently launched interagency effort around security standards for software-heavy IT procured by the federal government. As outlined above, the key will be creating a scheme that actually reduces risk and doesn’t simply burden IT vendors with yet another check-the-box compliance exercise. The ultimate goal should be light-touch, transparent, and effective.
Lastly, we must impose real costs on cyber adversaries like China, Russia, Iran, and North Korea. While there is no silver bullet, deterrence still matters. Naming and shaming, indictments, sanctions, offensive measures where appropriate – these should all be tools in our toolkit. From the sophisticated (nation state) to the more routine (ransomware), the cost/benefit analysis of cyber aggression still favors adversaries too often. Better international norms can be helpful, but they will never alone solve the problem. Our adversaries must understand the consequences that will come from their cyber aggression. The Biden Administration has telegraphed imminent sanctions against Russia in response to SolarWinds. I hope they are severe and adequately proportional.
I have been encouraged to see that CISA is taking the bull by the horns and leading out on many of the issues I have identified. Specifically, I appreciated hearing Acting Director Wales outline the key areas for growth at CISA moving forward. Increasing CISA’s operational visibility, increasing capacity for incident response and persistent threat hunting, encouraging agencies to adopt defensible network architectures, and improving internal analytic capabilities to make the most of cyber risk data are all critical parts of the agency’s evolution.
Cybersecurity is a team sport, and now is the time to double down.