New CISA director outlines top 5 priorities for protecting U.S. critical infrastructure

Last November, the former, somewhat awkwardly named National Protection and Programs Directorate (NPPD) was elevated within the U.S. Department of Homeland Security (DHS) to become the Cybersecurity and Infrastructure Security Agency (CISA) following enactment of the Cybersecurity and Infrastructure Security Agency Act of 2018. CISA is responsible for protecting the country’s critical infrastructure from physical and cyber threats, overseeing a host of cybersecurity-related activities. This includes operating the National Cybersecurity and Communications Integration Center (NCCIC), which provides round-the-clock situational awareness, analysis, incident response and cyber defense capabilities to the federal government, state, local, tribal and territorial governments, the private sector and international partners.

Christopher Krebs, CISA director

CISA made its first prominent mark as an independent agency during the 35-day government shutdown when, on January 22, it issued an unexpected, and to some a startling, emergency directive ordering admins at most government agencies to protect their domains against a wave of attacks on Domain Name System (DNS) infrastructure. The directive was prompted by a number of DNS tampering efforts at multiple executive branch agencies. This malicious, complex and widespread campaign, dubbed DNSpionage by Cisco Talos, allowed suspected Iranian hackers to steal massive amounts of email passwords and other sensitive data from government offices and private sector entities.

Christopher Krebs serves as CISA’s first director. Krebs previously headed the NPPD as assistant secretary for infrastructure protection and joined DHS as a senior counselor to the secretary after working as the director for cybersecurity on the U.S. Government Affairs team at Microsoft.

I caught up with Krebs last week ahead of his speech about the nation’s cybersecurity threats at this year’s RSA Conference to check in with him on how CISA is faring, its priorities and some timely cybersecurity supply-chain issues that swirl around the cybersecurity debate at the federal level.

CISA seeks to break down silos, organize regionally

Krebs says that he’s looking at the next year or two “to mature the organization and have it be the CISA we know it can be.” That requires a two-pronged approach to get the agency where it needs to go. The first prong is an organization plan to structure CISA to be its most effective, breaking down silos within the bureaucratic apparatus, flattening the organizational structure and integrating cybersecurity and physical security functions related to critical infrastructure.

Krebs also hopes to improve stakeholder engagement with the agency to deliver better customer service and reorganize the field structure of CISA’s hundreds of employees to look more like FEMA’s regional model, with a regional director who can operate around regional priorities. Krebs believes this reorganization will give the agency improved economies of scale.

5 key priorities to protect critical infrastructure

The more substantive part of Krebs’ vision is to execute on a set of mission priorities, “five discrete lines of effort that have mission opportunity but also mission risk.” The most pressing of these priorities right now, according to Krebs, is “on China, supply chain and 5G and how are we going to engage managing risk going forward.” These priorities are tightly intertwined.

Keeping China, Russia out of critical networks and data

Krebs is referring to the mounting battle by the U.S. to keep Chinese tech suppliers, most specifically telecom tech giant Huawei, out of critical networks including upcoming 5G mobile communications networks. According to press reports, the Administration was supposed to have issued an executive order banning Chinese telecom equipment from U.S. wireless networks before the end of February, although the order has yet to be issued.

As part of a defense spending authorization bill last year, executive agencies within the government are barred from using technology and equipment made by Huawei and another Chinese tech giant, ZTE. The fear driving the ban of Chinese tech suppliers is that by law they are beholden to the Chinese government and could potentially be required to incorporate spying and other malicious technology into their products as a consequence.