The Cybersecurity and Infrastructure Agency has leaned into its role as industry’s risk advisor and partner in response to the SolarWinds hack, and industry sources say they are anxious to see this collaborative model preserved and extended under a Biden administration that might be inclined to more regulatory approaches to cybersecurity.
Megan Brown, a partner at the Wiley law firm and a former Justice Department official, said she expects a “regulatory push” from congressional Democrats and some agencies in the aftermath of SolarWinds, but warned, “They may get it wrong and apply existing ideas to this situation that are inappropriate.”
She said asking what could’ve prevented SolarWinds is the wrong question. “That sends policymakers down the wrong path. We need more focus on detection, recovery and mitigation. … Don’t run to mandating the newest shiny thing.”
CISA, on the other hand, has emphasized partnership as it works with industry on the SolarWinds response, said Sam Kaplan, special counsel at Wiley and former DHS assistant secretary for cyber, infrastructure, risk and resilience policy.
“Industry for the most part seems to be cooperating with CISA. The agency is truly taking on its role as the main point of contact with industry. There seems to be a level of collaboration that shows CISA is stepping up to the plate,” Kaplan said.
“CISA has focused on cross-cutting issues and using tools like operational directives. They have recognized that partnerships and collaborations to get information are vitally important. But a lot of policymakers will approach SolarWinds from a ‘what could’ve prevented this’ perspective, and given the nature of this attack, that may be the wrong question to ask as we develop policy responses to the incident,” he said.
“CISA as the nation’s risk advisor is a different role than regulator or forensic analyst,” Kaplan said. “There is a trust factor.”
A common theme of the past four years has been the cyber agency’s ability to function – and even flourish – amid chaos at the top levels of DHS and constant turbulence from the White House that culminated with the firing of CISA Director Christopher Krebs. The latest example is the sudden resignation Monday of Acting Secretary Chad Wolf.
Incoming Senate Homeland Security Chairman Gary Peters (D-MI) said in a statement Monday: “Acting Secretary Wolf's departure at this critical time will create even more chaos at a vital national security agency that has already been damaged by mismanagement and instability in its leadership. Leaving now, when there are very real threats of further violence across the country, will only make it harder for the dedicated employees at the Department of Homeland Security to do the hard work of securing our nation from a number of serious threats, including events around the upcoming inauguration. I’m extremely concerned about the security threats we could face leading up to and on January 20th, and as the incoming Chairman of the Homeland Security Committee, I will be keeping a close eye on the Department’s response to those threats.”
But throughout the Trump administration, CISA and its predecessor offices have navigated instability in the secretary’s office – Peter Gaynor is the sixth occupant of the DHS secretary’s desk under President Trump -- government shutdowns, extreme ill-will between the White House and DHS’ congressional overseers, and other issues that put enormous stresses on a cyber agency that only recently celebrated its second birthday.
The political climate promises to be calmer for CISA in 2021 but the agency may face a different type of challenge: ensuring that the benefits of an increasingly trust-based relationship with industry partners are preserved and developed as a new administration possibly moves in a more regulatory direction.
It’s not clear at all that regulation will undergird the Biden approach to cybersecurity, though many observers say they expect such moves at agencies like the FCC with direct authority over critical infrastructure sectors.
Will CISA also be expected to alter its approach to industry partners? Stakeholders await signals from the incoming administration.
Larry Clinton, head of the Internet Security Alliance, posted a blog today warning that “traditional regulation doesn’t work in cyberspace.” He wrote:
Much of our traditional regulatory processes and judicial enforcement are designed to address malfeasance. However, the core problem with cybersecurity is not that the technology or the users are incompetent, uncaring or evil. The core problem is technology is under attack not because the system is inherently vulnerable – although it is—but because there are overwhelming economic incentives to attack it. Certainly, technical modifications and operational enhancements which are the focus of cyber regulations may improve things on the margins, but after three decades focused on these aspects of the issue it is clear that the method regulatory models are not up to the task and only pile on more requirements to over-tasked security teams without corresponding effectiveness gains.
In the meantime, Acting CISA Director Brandon Wales in an interview with CyberScoop cited the need for more resources and authority.
He said: “The most important thing that the new administration could do is take a careful look at what we are learning from this SolarWinds compromise and helping us work with both the White House, [the Office of Management and Budget] and Congress to ensure that CISA and others have the right resources and authorities to prevent this from happening again.”
Kaplan, in his conversation with Inside Cybersecurity, noted that, “For CISA, resources have always been an acute issue. Having specialists in the field with direct access to industry and the private sector is very important.”
Kaplan also suggested the congressional homeland security panels will be a “key point of contact” for the new administration and bring “educated eyes” to policy development. He highlighted the hiring of former CISA official Daniel Kroese by House Homeland Security Republicans as a noteworthy development.
“Dan spent a lot of time on National Critical Functions and he will bring that mindset,” Kaplan said. Kroese “gets the importance of protecting partnerships,” Brown added.
CISA is starting the process to fill Kroese’s former job as associate director for planning and coordination at the agency’s National Risk Management Center.
In a Monday post on USAJobs, CISA says it’s looking for an individual who will work “with public-private cyber and physical security partners” to identify ways “to mitigate risk to National Critical Functions,” which CISA considers “functions of government and the private sector so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”
In looking at SolarWinds, Kaplan said “There will be a really long tail to this. The tentacles of the malware go across platforms, there’s a really long forensic tail.” The forensic work “will run concurrently with the policy proposals.”
But he added, “I think we need to take a hard look at whether these proposals would address what happened in SolarWinds.” – Charlie Mitchell (firstname.lastname@example.org)