The Cybersecurity and Infrastructure Security Agency, an arm of the Department of Homeland Security, should be put in charge of overseeing and defending the computer networks of the entire federal government, former U.S. officials and security experts told lawmakers.
“The majority of the 137 executive agencies lack the personnel, the know-how, and the resources to execute a comprehensive cybersecurity strategy,” Dmitri Alperovitch, co-founder of cybersecurity company CrowdStrike, told the House Homeland Security Committee at a hearing Wednesday.
Although Congress helped create CISA in 2018, lawmakers should go further, giving the agency greater authority and resources so it can have the “operational responsibility for defending civilian government networks, just as Cyber Command does” for the U.S. military networks, Alperovitch said. He’s now the executive chairman of Silverado Policy Accelerator, a public policy organization focused on cybersecurity and national security.
Christopher Krebs, the former head of CISA who was fired by President Donald Trump for asserting that the 2020 election was one of the most secure in American history, said he agreed with Alperovitch’s proposal, adding that congressional action in 2018 creating CISA was a “half-step, and we need to take that full step” toward giving it greater authority.
“We need a comprehensive, federal civilian agency and cybersecurity strategy,” Krebs said.
The House Homeland Security hearing chaired by Rep. Bennie Thompson, D-Miss., is the first in the 117th Congress focused on cybersecurity and comes as federal agencies and dozens of American companies are reeling from a widespread hack of network monitoring software maker SolarWinds. U.S. intelligence agencies and CISA have said the attack, which went undetected for months, was the work of Russian intelligence agencies.
Unlike Trump, who fired the White House cybersecurity coordinator at the outset of his term and refused to confront Russian President Vladimir Putin about Moscow’s interference in the 2016 election and other attacks, “from day one, President Biden has treated cybersecurity as an urgent national and economic security issue,” Thompson said.
Several House committees were working to figure out how the SolarWinds hack took place and avoided detection for months, Thompson said. While waiting for those probes, “we know enough to begin asking difficult questions and start correcting course,” he said.
Need to go on offense
The other witnesses in the hearing were Sue Gordon, former deputy director in the Office of the Director of National Intelligence, and Michael Daniel, who was cybersecurity adviser to President Barack Obama.
CISA currently operates in an advisory capacity, providing cybersecurity expertise and consultation for federal agencies as well as state and local governments. In the run-up to the 2020 presidential election, the agency worked with all state and local governments to boost their cybersecurity measures.
The United States also should raise the bar and impose costs on criminal groups as well as nation-state hackers breaking into U.S. networks, Alperovitch and others said.
The Trump administration, working with Congress, expanded the scope of authority for the U.S. Cyber Command to enable U.S. military hackers to carry out “defend forward” actions by taking down adversarial networks before they can strike American networks.
“We need to go on the offense. … We need to make it harder for the adversaries to conduct these operations, and law enforcement and Cyber Command need to take further actions to disrupt infrastructure of threat actors,” Alperovitch said.
The SolarWinds hack also shows that lax security protocols in private companies affect national security, Gordon said.
SolarWinds is said to have outsourced software development to small companies in Eastern Europe that were in turn penetrated by Russian operatives who may have injected malware into the company’s software. SolarWinds also is said to have used an easy-to-guess password such as “password123.”
Gordon said such poor security protocols must not become acceptable and called for an approach similar to the Generally Accepted Accounting Principles, or GAAP — a set of standards for accounting and reporting the financial results of publicly traded companies.
Those standards emerged in a series of steps after the stock market crash of 1929, which led Congress to establish the Securities and Exchange Commission and to create common accounting standards, Gordon said.
“They did that because they recognized that what was happening in the private companies affected our nation’s security,” Gordon said. “It’s time for us to consider a bipartisan government and private sector approach to looking at generally accepted security principles.”