Cybersecurity and Infrastructure Security Agency Director Chris Krebs said there are “some innovative, bold recommendations” in the new Cyberspace Solarium Commission report, “but more importantly, there are recommendations within the report that are practical and imminently implementable.”
“And that’s the most important aspect of the report in and of itself – that whatever’s in it, we can actually do it,” he said.
The Commission advocates a layered cyber deterrence strategic approach to cybersecurity, achieved by shaping cyber behavior, denying benefits to adversaries, and imposing serious costs on cyber threat actors who target the United States.
Krebs told the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Innovation on Wednesday that CISA is working through a “triage list” and identified “the sorts of resources that we will need – the things we can do now, the things we’ll have to do down the road,” given that some of the additional requirements on critical infrastructure will require either congressional or regulatory action.
“The defense-offense divide, that was one of the important policy signals that comes out of the report to me. At least that this is not just about investing in the Department of Defense and General Nakasone’s teams, it is also about ensuring that CISA and the rest of the civilian cybersecurity space and the private sector have the direction, guidance, and resources they need to be able to implement,” he said. “Some of the key takeaways … first is that it squarely put CISA at the central coordination point for civilian cybersecurity defense.”
“And that brings all the federal partners together, but that also, importantly, brings the federal or the private sector as well as state and local partners together. There are going to be some significant applications here.”
Krebs questioned whether CISA has the facilities to “truly set up a collaboration space,” and noted they are operating in nine facilities in the national capital region and “need a refresh.”
“We just need to make sure that we have the access for private-sector partners to the facility, that we can accommodate regular access from private-sector partners and make it an experience that they want to actually participate in. It’s a kind of an ‘if you build it, they will come’ sort of approach. So that aspect we’re focused on,” he said.
“There’s another piece of it – continuity to the economy – that we’re working through right now,” Krebs added. “And that is kind of, in some part, a manifestation of our national critical functions work that we launched last year, and we’re also seeing that play out right now across the COVID response. So we’ve developed a framework for analyzing broader supply chain impacts of COVID across four different elements.”
The first question, the director said, is whether there is a “commodity disruption that would disrupt a business or a function.”
“The second is, is there workforce disruption that you may not be able to continue delivering that service or function? And then, there are two kinds of demand side issues. One… you have too much demand and, therefore, you have a cratering within the function,” Krebs continued.
“And on the flip side of that, you may see in transportation is there’s a lack of demand, and so the function then degrades. So, those are the sorts of things that we want to push into that continuity of the economy. We have the rubric, but to fully implement that recommendation is going to require significant analytic investments within the agency.”
“And then, lastly, workforce, workforce, workforce, workforce… to be successful in this space, to be truly a customer-centric organization, I have to have personnel out in the field – not just engineers here in D.C., but customer service professionals out where our partners are. And that’s going to require significant investment in personnel.”