A new report out today from the Center for Strategic and International Studies (CSIS) focuses on the Cybersecurity Infrastructure Security Agency’s (CISA) growth and mission needs, and offers a range of findings and recommendations that go beyond basic funding needs to bolster CISA’s ability to defend the nation’s cyberspace and the security of Federal Civilian Executive Branch agencies (FCEB).
Beyond ongoing funding concerns, the report says CISA also needs to move forward with improving its planning, coordination, and communication activities with Federal agencies.
“Over the last 40 years, the Unted States has made progress in securing cyberspace, but its federal networks remain vulnerable to attacks by state and non-state actors,” the Oct. 23 report says. “Beyond the battlefield, the ‘.gov’ – [FCEB] agency – networks remain a critical requirement for American prosperity as well as a crucial vulnerability,” CSIS said.
“Absent renewed efforts to secure these networks, the United States will remain at risk of cost imposition and political warfare in cyberspace,” the report says.
During an event hosted by CSIS today to showcase its new report, CISA Executive Assistant Director Eric Goldstein said that the .gov protection mission across more than 100 FCEB networks is a priority for the agency, but emphasized CISA can’t do that job without funding from Congress.
“We’re making real progress. I would say Congress has been extraordinarily helpful, over multiple administrations in a bipartisan manner, to provide both the resources and the authorities that we need to drive meaningful progress in this direction,” Goldstein explained. “We have significant resources, we have significant authorities, but we have been on a very positive trend line where we have not yet reached the end stage.”
“One critical question for us is going to be can we continue on this trajectory? And can we continue just shifting that balance of visibility, of agility, towards giving CISA the ability to help agencies understand their own risk,” he said. “That’s going to require ongoing sustained investment over multiple future fiscal years for us to actually make sure that we can accomplish our goals.”
CSIS formed a task force of former senior government appointees, cybersecurity experts, and private sector chief information security officers to create the new report. After a six-month study, the think-tank found that resources and money alone were insufficient to address the multitude of the challenge.
The task force recommends more than 20 changes to how the U.S. government resources cybersecurity, executes existing authorities, and creates opportunities and incentives to coordinated across the 100 FCEB agencies.
“Put bluntly, money is not enough to defend the .gov. The U.S. government needs to do a better job of planning, coordinating, and communicating the risks associated with cyberattacks against Federal executive agencies,” the report says.
“This will likely require consistent staffing at CISA and exploring new service models such as creating collaborative planning teams that deploy to help agencies develop cyber risk strategies and tailored dashboards to monitor their networks,” the report concludes.
Goldstein reiterated that within the .gov domain, cybersecurity must not be an end in itself, but rather a “means to enable the resilience and continuity of critical functions under all conditions.”
