Experts Tell Lawmakers to Give CISA 'Operational' Federal Information Security Role

Experts Tell Lawmakers to Give CISA 'Operational' Federal Information Security Role

The Cybersecurity and Infrastructure Security Agency, which currently describes itself as the nation’s risk adviser, should play a more hands-on role managing the federal government’s information security, a leading cybersecurity thinker told members of the House Homeland Security Committee.

“Congress should take steps to set CISA on a path to becoming the operational CISO, or chief information security officer, of the civilian federal government,” said Dmitri Alperovich, founder of Silverado Policy Accelerator, a new bipartisan public policy organization focused on national security, foreign policy, and cybersecurity.

Alperovich, who also co-founded the cybersecurity firm Crowdstrike and served as chief technology officer there, testified before the committee on the state of cybersecurity Wednesday along with former CISA director Christopher Krebs, former principal deputy director of national intelligence Sue Gordon, and former White House cybersecurity coordinator Michael Daniel. 

The hearing came in the wake of the massive hacking campaign that has compromised several government agencies and top technology companies which federal officials believe is likely an intelligence gathering effort connected to the Russian government. 

The hackers leveraged their unauthorized access into the development environment of SolarWinds, a widely used IT management company, to deliver malware via a seemingly routine software update to about 18,000 organizations, including Microsoft. But they also used other methods of gaining initial access to organizations’ networks, including common tactics like guessing and phishing to obtain or crack weak passwords, CISA said

Alperovich said the vast majority of federal agencies will never have the talent, expertise or resources to defend themselves against sophisticated nation states like Russia and China and should be incentivized to adopt more of the shared services, such as secure email, that CISA has already started offering.