During today’s Senate Homeland Security Committee Hearing, both Committee Chairman Ron Johnson, R-Wis., and Cybersecurity and Infrastructure Security Agency (CISA) Director Chris Krebs agreed that CISA’s role is largely similar to the Federal Emergency Management Agency’s mandate.
Johnson explained that one of CISA’s mandates is to both help state and local governments (SLGs) prepare for attacks and aid in the recovery process following an attack. Krebs agreed, saying he’s setting up CISA to serve in an advisory—rather than a hands-on—role, helping SLGs harden their networks and providing guidance during any recovery process. He did stress that CISA will not come in and repair networks or systems, saying SLGs are responsible for managing their own networks. CISA, instead, will advise SLGs on what broad steps they should take during an attack and what Federal resources are available for them. Krebs also explained that when states are “getting hit up” by vendors, CISA can provide vendor neutral guidance on what technologies and capabilities states actually need.
On how CISA is helping SLGs prepare, Krebs pointed to CISA’s Cyber Essentials recommendations. He stressed the importance of leadership buy-in, training users to practice good cyber hygiene, following identity and access management best practices, and having a sound incident response process and recoverable backups.
Christopher DeRusha, chief security officer for the state of Michigan, and Amanda Crawford, executive director for Texas’ Department of Information Resources, praised CISA’s handling of the recent Iranian conflict. During the conflict, CISA issued a call for increased vigilance. Krebs tweeted “Bottom line: time to brush up on Iranian [tactics, techniques, and procedures] and pay close attention to your critical systems, particularly [Industrial Control Systems]. Make sure you’re also watching third-party access!” Crawford said the information CISA shared “was extremely helpful, it was very timely, and it was detailed.”
DeRusha also pushed for legislation introduced last month by Sens. Maggie Hassan, D-N.H., John Cornyn, R-Texas, Rob Portman, R-Ohio, and Gary Peters, D-Mich. The legislation would establish a Cybersecurity State Coordinator program where each state would have a Federally funded Cybersecurity Coordinator who would be tasked with helping to prevent and respond to cybersecurity threats. DeRusha said that in the state cybersecurity community, they have a saying: “If you’ve seen one state, you’ve seen one state.” Meaning, he explained, that each state is trying to figure out its own role and manage its own network and risks. With a dedicated cybersecurity coordinator, the Federal government can offer “tailored specific plans to meet our needs,” which are “quite different.” Crawford agreed with DeRusha that having tailored resources would be “extremely helpful.”
Crawford further urged clearer communication about what resources are available in the midst of an attack – which Federal services exist and who offers them. She said that depending on the type of attack, a state may need to reach out to different agencies or parts of the government. “There are a lot of players,” she explained, so it can be confusing to know exactly whom a state should contact. She asked for “clear expectation setting” and a “playbook” states can use to understand how the Federal government can help during an attack.