Chris Krebs, former head of the nation’s cybersecurity agency inside the Department of Homeland Security, caused a stir this week when he suggested the agency break out on its own.
Instead of the Cybersecurity and Infrastructure Security Agency residing in DHS, Krebs told an audience at the Black Hat cybersecurity conference in Las Vegas, a standalone CISA could help streamline how the private sector and other stakeholders work with the government to combat cyberthreats.
“Instead of going to five or six different agencies, make the front door clearly visible — and as I see it that’s CISA,” Krebs said.
But former CISA officials and other cybersecurity experts said that idea is simply unrealistic and impractical. CyberScoop spoke with eight former U.S. cybersecurity officials, executives and experts about Krebs’ comments and a majority said that CISA needs to reside inside DHS in order to accomplish its mission.
“DHS gives CISA size and Cabinet-level seniority in the interagency,” Looking Glass CEO Bryan Ware, who previously served in senior cybersecurity roles at CISA and DHS, told CyberScoop. “I worry that without that top cover [CISA] could be diminished by DOD, FBI and others.”
Megan Stifel, the chief strategy officer at the Institute for Security and Technology and a former National Security Council and Justice Department cyber official, said private sector engagement needs to be made as “seamless as possible, and at the present it is not.”
But she said that unlike the Securities and Exchange Commission or Federal Trade Commission, CISA is unlikely to succeed in its mission if it stands on its own. Stifel said that Krebs’ idea merits consideration but that because of the need for private sector engagement to inform and potentially drive requirements within the executive branch, turning CISA into an agency whose “capability is only advisory” would likely undercut its work.
Being housed inside DHS is not ideal for CISA, said former CISA Director Suzanne Spaulding. But she said it is worth tolerating the headaches DHS oversight brings in exchange for the department’s muscle.
If CISA “becomes this little sub-agency of a few thousand people” it will make it much harder for it “to get in at the table” inside the government, Spaulding told CyberScoop.
She acknowledged that DHS has become more consumed by immigration controversies in recent years — preoccupying department leadership and potentially repelling hard-to-find cyber talent who disagree with the department’s immigration stance — but she said those disadvantages are not serious enough to support separating from DHS.
The White House’s National Cyber Director Chris Inglis has only been in power for about a year and still hasn’t received his full budget or finished hiring, Spaulding pointed out. Inglis is charged with coordinating all cybersecurity efforts across the government, she said, and should be given time to do that “before we assume failure and reach for another solution.”
If anything, CISA should be moved to Inglis’ office, said James Lewis of the Technology and Public Policy Program at the Center for Strategic and International Studies. He called DHS a “hodgepodge” that needs to be reorganized but said CISA isn’t big enough to stand alone.
CISA Director Jen Easterly spoke with CyberScoop about Krebs’ idea from DEF CON in Las Vegas, calling the creation of CISA a “huge game changer” for American cybersecurity efforts. But she didn’t want to offer a position on the notion of making CISA a stand…