CSIS provides insights into developing role of CISA in defending FCEB agencies, calls for boosting cyber defenses

The Center for Strategic and International Studies (CSIS) undertook a comprehensive six-month study evaluating the cybersecurity services provided by the Cybersecurity and Infrastructure Security Agency (CISA) to federal civilian executive branch (FCEB) agencies. With input from an expert task force, the report provides comprehensive analysis of the challenges and opportunities facing the U.S. government when it comes to securing cyberspace across FCEB agencies. It offers a roadmap for how to strengthen cybersecurity defenses, including specific recommendations for the CISA and its evolving mission to make civilian government networks more secure. 

Among its key responsibilities, CISA is tasked with establishing fundamental security measures for FCEB agencies and assisting them in effectively managing their risk profiles. The project highlights the importance of collaboration between the public and private sectors, as well as the need for continuous improvement and innovation in cybersecurity strategies. The findings and recommendations of this project will be valuable for policymakers, cybersecurity professionals, and anyone interested in the future of digital security.

The report, titled ‘CISA’s Evolving .gov Mission: Defending the United States’ Federal Executive Agency Networks’ found that increasing resources is necessary to meet the challenge at hand, but it is insufficient. Authored by Benjamin Jensen, Devi Nair, Yasir Atalan, and Jose M. Macias, the CSIS report identified that the U.S. government has increased funding for cybersecurity and created new agencies and authorities but still struggles with resourcing strategies that align budgets against risks.

It also disclosed that good news is that new initiatives and funding are extending the ability of key players in the federal government to secure the FCEB landscape. The bad news is that processes and procedures still need to catch up to create unity of effort. “And time is not on the United States’ side.”

The report recognizes that Congress needs to be prepared to further define and scope CISA’s role in this space and provide appropriate oversight into new tools and capabilities that will be rapidly deployed to meet future threats and challenges. Setting aside service-specific recommendations, CISA will significantly benefit by connecting its services more clearly and directly to the needs of FCEB agencies. By showing the value it brings to FCEB agencies, at an affordable price point, CISA can deliver as a true partner in network security efforts. 

At the same time, FCEB agencies, while not monolithic, need to operate with a greater understanding of CISA’s role in defending federal networks today in order to align the role to their respective individual FCEB initiatives. This requires adequate funding to enable choices based on merit rather than cost. The national security of the U.S. requires a CISA that is not bound to the lowest bid.

CSIS identified that adversaries see better returns from attacking the U.S. through cyberspace relative to the cost and risk of a more direct confrontation. “Perversely, it is easier for them to target critical infrastructure and the basic goods and services offered by the U.S. federal government than it is to shut down the Pentagon or hunt spies online. There is an increasing chance that a major geopolitical crisis becomes a form for digital hostage-taking, with authoritarian states seeking to disrupt FCEB agencies as a way of signaling the risks of escalation to U.S. politicians and the public.” 

It added that this logic flips decades of strategy on its head and makes countervalue targeting—holding innocent civilians at risk—the preferred gambit for authoritarians. “The old logic of focusing on counterforce targeting and narrowing hostilities to military forces to preserve space for diplomacy and avoid a broader war may be starting to crumble. In other words, cybersecurity is not just about force reassurance and protecting defense and intelligence assets during a crisis.” 

CSIS said that it comes down to people. “Denying adversaries the ability to hold Americans hostage in cyberspace is now a core national interest. Unlike traditional threats, this denial strategy is not owned by generals and appointees in the Pentagon. It is coordinated by the ONCD and executed by a mix of federal agencies and private sector companies still working to align their priorities and budgets to secure cyberspace.”

At the center of this strategy is the CISA and its evolving mission to make civilian government networks (i.e., [dot]gov websites) more secure and resilient. “New funding and authorities envision continuous diagnostics and mitigation (CDM) applications standing watch across the .gov ecosystem. These guards are extensions of a complex web of agencies, including the National Institute of Standards (NIST), the Office of Management and Budget (OMB), and the ONCD, all working to coordinate security priorities, technology standards, and budget submissions. On the ground, each FCEB agency has a chief information security officer (CISO) constantly negotiating with their agency leadership about imposing cyber hygiene measures and gauging how much money to dedicate to purchasing approved CDM applications and other cybersecurity efforts.” 

The report identifies that each of these agencies has to budget both for defending against national security risks and for their statutory requirements to provide unique goods and services. “They face rising costs and uneasy choices given the labyrinth of new resources and authorities coming online. In other words, they need help. And service starts with helping those most in need. In the pages that follow, the task force and research team offer a list of recommendations intended to start a broader dialogue between the branches of government and the U.S. people about how best to defend cyberspace.” 

The report is intended to serve as the start of a dialogue about how to best align ends, ways, and means. The strength of a democracy is its willingness to solve problems in the public square through debate. It is the task force’s hope that the recommendations below contribute to ongoing discussions around how CISA in particular can play a useful role in securing cyberspace.

The CSIS said that the number of cyberattacks against critical infrastructure appears to be on the rise. “There is a troubling history of cyber operations targeting critical infrastructure that warrants careful consideration. Consider an alternative indirect approach in which a hacker enters through the FCEB agencies linked to these sectors. This is exactly what happened in 2017 when the WannaCry ransomware spread across the National Health Services in the United Kingdom.  In other words, cyber operations targeting FCEB agencies could quickly pass through the federal government and spill over into the broader economy,” it added.

During 2021, ransomware attacks affected 14 out of the 16 critical infrastructure sectors in the U.S. This trend persisted in 2022, with cyber operations targeting the industrial sector, specifically critical manufacturing, witnessing a notable 140 percent increase.

The report noted that as the threat evolves, money alone is not enough to secure cyberspace. “The government must adapt and create new ways and means of achieving this common end. This report is part of that effort.”

It also identified that with increased resourcing, CISA is making meaningful steps to not only up its capabilities but also make sure those capabilities are integrated and provide a greater picture of the threats and vulnerabilities that FCEB agencies need to address. “CISA’s current capabilities, combined with planned reporting requirements and processes, will ensure that the agency has a more fulsome global cyber activity picture. CISA is well positioned not only to monitor and collect information but also to disseminate the information and help entities plan their responses at different levels. The challenge is to ensure CISA can adapt to the evolving threat landscape while navigating bureaucratic challenges.”

The report expects that in the coming years, CISA will expand its offerings as the lead agency for non-defense and intelligence federal network security. At the same time, the scale, frequency, and intensity of cyberattacks against FCEB agencies are increasing. Both state and non-state actors see opportunities for holding the U.S. hostage through cyberspace. As a result, money is not enough to solve the problem. The U.S. needs to imagine new ways of coordinating proactive cyber defense and deterrence aligned with its emerging resources that promote a change in how to think about network security and resilience.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.