Congress is doling out money wholesale, including to the Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security. But CISA is only a couple of years old and not totally mature organizationally. That’s according to the latest looksie by the Government Accountability Office. Federal Drive with Tom Temin talked with the GAO’s Director of Information Technology and Cybersecurity Issues, Nick Marinos.
Tom Temin: Nick, good to have you back.
Nick Marinos: Thanks a lot, Tom, for having me.
Tom Temin: So you looked at the I guess what I’m calling organizational maturity of CISA, which is only about three years old. And they’re partway there, but maybe only two thirds of the way there to be precise. So what did you find?
Nick Marinos: Yeah, that’s right, Tom, there’s still a lot of work left to be done. But then step back, you know, CISA, although it is only three years old, it actually stems out of a prior organization at DHS called the National Protection and Programs Directorate. So it did have a head start, obviously, in having capacity. But the law that was passed in 2018, that established CISA as its own agency did set some pretty high expectations. And so CISA got through a couple of first phases, which were basically just around gathering data, sort of thinking through what the organizational changes needed to be. Another phase to really sit down with over 500 employees to get their feedback through listening sessions, over 40 listening sessions that they held. And now they’re in phase three, which is actually to execute the plan. And so that’s where we found that although CISA had hoped to complete all of them nearly 100 planned tasks by the end of last year, about 37 of them still remained unaddressed.
Tom Temin: Got it. So in other words, this was more than simply renaming a directorate. The name of which made no sense to anybody, but it was really a major reorganization as well.
Nick Marinos: That’s right. Yeah. So there was a big organizational transformation that needed to take place, not only to figure out what they already had, but needed to sort of be you know, restructured, but also what capacity they needed to build as well. And I think that’s what makes it so important for CISA to be able to complete many of those remaining activities.
Tom Temin: Yeah, those activities, characterize them for us, if you will, it’s a big number. But do they have a kind of theme in what is left to be done yet?
Nick Marinos: Yeah, I’ll pick out just a few to kind of mention maybe the ones that I think might be the most important to CISA to getting to its full potential. So things like establishing mission essential functions, for each of the divisions. So that would identify clearly what each division is responsible for, not only during normal times, but also during emergencies. And then probably a really important piece, especially relative to you know, what we’re dealing with right now, with these major high profile cyber attacks, is workforce planning. There’s still more workforce planning that needs to be taken to really identify where are the gaps, and then fill those gaps. And that’s going to be extremely important for CISA to actually get to its full potential in terms of what kind of services and products they can provide on cybersecurity, infrastructure security, and emergency communications, which are sort of their three pillars.
Tom Temin: Yes, because when you think of the mission, which is to help the government respond and be prepared for the types of cyber attacks that seem to get more lurid and exotic with every passing month, if the organizational functions and the workforce are not sorted out, then in a sense, with everybody responsible, then nobody is for a given task.
Nick Marinos: That’s exactly right. And you can kind of imagine the world that they’re operating within to try to get themselves set up, is not letting them you know, just sit by get prepared, and then start taking action. I mean, they’re still an operating agency that is confronted by many challenges. So we talk about recent high profile attacks, like the ones related to SolarWinds, and the Microsoft Exchange more recently, you know, CISA plays a major role. And it’s not just within the federal government, although they play a very key role on federal government, cyber security, they also play a major role in helping to support the key private sector organizations that maintain our critical infrastructure as well. So they have many hats that they have to wear. And so I think it is important and ultimately, kind of what we think really could help them here is, you know, step back reprioritize, come up with realistic time frames, and then take action.
Tom Temin: We’re speaking with Nick Marinos, director of information technology and cybersecurity issues at the Government Accountability Office. And now under this new spending bill, they’ve gotten, I think, a couple of 100 million dollars to boost their mission. This is in addition to the technology modernization fund money, presumably some of which would go to cybersecurity, but CISA was directed with extra funds. And then they have new responsibilities from the latest National Defense Authorization Act. So there’s a lot piling on their shoulders, that they might have difficulty handling, you’re saying?
Nick Marinos: Yeah, that’s right, Tom, I think difficulty is a good way to put it. Now, having said that, at least they’ve done their homework. So in fact, actually, even before the law was passed in late 2018, CISA, well, NPPD, DHS officials were already planning. They had seen the writing on the wall that the likelihood was that this legislation would pass in that year. So they actually started the early phases even before the law had passed. So on the plus side, they’ve got a good roadmap. Now it’s just a matter of completing that roadmap. I would also mention just ’cause I think it kind of is worth noting, when we went to officials to get a sense of why some of these delays are occurring, one thing that they did not point to was the pandemic. So they had generally found that they were able to manage in light of the pandemic pretty well. And actually, when we also went outside to talk to their stakeholders, their stakeholders had indicated that they were pretty happy with how this had been operating in light of the pandemic. Now, what we did here in terms of those delays was ultimately that it took a little bit longer, especially for many of the key activities, the things that were very consequential to other activities, it took a little bit longer to get through, you know, getting input from Congress, and then coordinating with DHS leadership, and also with the Office of Management and Budget to get the thumbs up to keep moving forward. So that’s really where CISA saw a lot of those delays transpire.
Tom Temin: And looking back to the NPPD days, the Homeland Security established a range of industries that would share cyber information with Homeland Security. And in a few cases, they would share that information with other agencies more allied to that particular industry, say, electrical generation would report to the Energy Department. But now it seems like there’s questions about who’s sharing data with whom. And that would seem like an important task that CISA has to reestablish or somehow clarify where information sharing about cyber incidents with the federal government where and how it should happen.
Nick Marinos: Yeah, there have been long standing challenges in getting, in particularly the private sector, comfortable with two way sharing of information. And DHS has, and CISA has in place programs that are intended and operating to do that kind of sharing. But there’s several challenges that we continue to see. The first is making sure that that sharing is actually meaningful. In other words, the information that the government is providing to those private sector organizations is something that they can take action on. So having not only the expertise in house, within those sector organizations, to be able to interpret the data, but then actually take action on it. And then on the other side, getting the companies comfortable with sharing the information back to the government. There have been laws passed intended to provide liability protection so that it can help to diffuse some of the concerns companies have, that if they’re sharing information regarding potential vulnerabilities that they identified and that have been potentially exploited, that they won’t see some sort of legal recourse that might come down the line, if they, you know, end up seeing a breach that occurs from it. And so there’s definitely more work that probably needs to be done, not only within that structure of the private sector and government using what are now going to be called sector risk management agencies. Those are the key agencies, about nine of them that coordinate with the private sector, but also just rules of engagement on how to get to a better place where the information that’s being shared can actually be useful in actually improving the protection of cybersecurity.
Tom Temin: And would you say that the recent Microsoft breach, where people’s active directories were hit, would be a great test case to see if this whole symphony can play together, since everybody has Microsoft?
Nick Marinos: Well, it’s definitely a good example of how challenging this is. With a breach like this, and it’s obviously still evolving, it’s hard to know just how far reaching it is. And so then, if you start to think about what private sector organizations might need, you know, think about the financial service sector as one that’s considered to be one of the most robust in terms of its information sharing, and its capabilities. But you have anywhere from major corporations, major banks, down to mom and pops. So you’re going to have different needs, when it comes to how to provide guidance to provide hands on support. And those are things that CISA is intended to create. It has capabilities in place, we saw them use it, for example, in the early days of prepping for the 2020 election that they were working with states and local municipalities more actively, we’ve seen it even more recently with the 2020 census. So on the federal agency side, they had a dedicated team that was serving the Census Bureau to provide them extra support in monitoring their systems while key operations are taking place. So CISA has a capability. But we think it’s important now to step back, you’ve got 37 additional activities that need to be completed. Figure out what are the most vital, most critical and come up with realistic time frames to complete them.
Tom Temin: So 37 open items and 11 recommendations from GAO, did the agency leadership generally go along with you?
Nick Marinos: We got full agreement with the recommendations. And those recommendations were not only to, like I mentioned, kind of set new expectations since obviously the December 2020 deadline has passed, but we also back them up against a set of best practices for organizational transformation. And we found a mixed bag there. So some of those recommendations are really aimed at ensuring that they can do this in a way that meets best practices, which would include things like thinking ahead on workforce planning as an example.
Tom Temin: Nick Marinos is director of information technology and cybersecurity issues at the Government Accountability Office. As always, thanks so much.
Nick Marinos: Thanks a lot, Tom.