The Cybersecurity and Infrastructure Security Agency has proven to be a critical partner and resource over the past five years for federal cybersecurity. But as CISA enters the second half of its first decade, the cyber agency and its Joint Cyber Defense Collaborative should focus on better governmentwide coordination and tougher security standards, a panel of federal IT officials said this week.
During a Center for Strategic & International Studies panel discussion, tech leaders from the Treasury Department and the Department of Veterans Affairs detailed the ways in which they’re pleased with and frustrated by CISA, expressing an overarching sentiment that while the agency has been helpful, there’s room for improvement as it matures.
“We need really common operating standards to which we are aggressively held, versus this sort of voluntary, participative notion — ‘get in touch with us when you need it’ kind of thing,” said Jeff King, Treasury’s principal deputy chief information officer.
Amber Pearson, deputy chief information security officer at the Department of Veterans Affairs, largely agreed, noting that she’d like to see “more expansion from CISA” when it comes to “those key areas.”
“When a cloud service provider, for example, misses that critical patch or there’s a threat indicator, you know, provide it to us,” she said. “What are those actions that we as a federal agency need to do next? And I think there’s a big gap there.”
Jeff Spaeth, the VA’s deputy CISO and executive director of information security operations, said the agency’s relationship with CISA has “really blossomed this year,” pointing to check-ins on a nearly weekly basis and the assignments of dedicated CISA representatives to the VA.
But Spaeth also echoed Pearson’s comments on information-sharing. When CISA is “notified by some of these major vendors [of a vulnerability], and I’m not saying they don’t pass the information along, but sometimes it takes a while to get down [into some of the] really in-depth technical pieces instead of, ‘hey, this was a compromise,’” he said.
Many of the comments made during Tuesday’s panel mirrored findings from an October 2023 CSIS report, titled “CISA’s Evolving .gov Mission: Defending the United States’ Federal Executive Agency Networks.” The report called for major investments into the federal cybersecurity workforce, better preparation for cyber threats brought on by artificial intelligence and machine learning, and the adoption of a more standardized and centralized cyber defense strategy, akin to the Department of Defense Information Network.
The topic of defense came up frequently during Tuesday’s panel. King pointed specifically to two Microsoft breaches over the past year in which “significant portions” of the tech giant’s corporate infrastructure were “completely compromised, including the teams that do vulnerability management and incident response threat intelligence.” In cases like that, King said agency IT leaders look to CISA to “balance out the risk landscape.”
That was also the case with a Citrix vulnerability last October. A senior CISA official said at the time that the agency notified nearly 300 organizations that could have been vulnerable to the exploit. In exploits of that kind, King said that Treasury would “need [indicators of compromise] yesterday.”
“We really need to kind of rethink the recover-and-respond part of this and less about the protect-and-defend part of it,” King said. “And I think that’s where CISA probably needs the opportunity to grow to kind of meet the threat where they are.”
The consensus from the panelists on the role of the Joint Cyber Defense Collaborative was that the CISA-managed nerve center — where federal, state, local and private-sector cybersecurity experts come together to work on “actionable cyber risk information” — is on the right track but still in its infancy.
Going forward, Spaeth would like to see even more collaboration and involvement among federal agencies as part of the JCDC, which counts the Department of Homeland Security, U.S. Cyber Command, the National Security Agency, the Federal Bureau of Investigation, the Department of Justice, and the Office of the Director of National Intelligence, among others, as participants.
“I know that we have ISACs out there,” Spaeth said, “but I think JCDC has really taken the charge for all federal agencies to share that type of information, or [coordinating] the quick reactions and trying to close the holes as quickly as possible.”
The agency representatives’ feelings on CISA and JCDC mostly aligned with private sector assessments shared Tuesday during a House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection hearing.
Rob Lee, CEO and founder of Dragos, a company that focuses on operational technology and industrial control system cybersecurity, said it’s important to recognize that agencies like CISA are “putting in the effort to collaborate and that’s a beautiful thing,” but acknowledged that the JCDC is still suffering from “growing pains.”
“The reality is we’re not seeing a lot of success out of [the JCDC] currently, but I think that’s the growing pains,” Lee said. “When government ends up focusing, especially CISA, on the ‘here is the strategy’ level, it’s very effective. … When it gets to the tactical and actually having the experts around the table, that tends to be a bit lacking.”
Moving to a more defined, risk-based approach to security wouldn’t necessarily be an easy shift for CISA or the JCDC, the agency officials acknowledged. But focusing more on the latest threat vectors and threat actors, as opposed to “ports, protocols and services,” is a worthy target, Spaeth said.
“There needs to be, I think, more formulation if this is the way we’re going into a top-down, enforceable strategy,” King said. “And I recognize that is very much a divergence from the way that we’ve thought about cyber and acted on cyber probably over the past decade, if not two.”
CyberScoop reporter Derek B. Johnson contributed to this article.