Lawmakers, experts question whether CISA should be split from DHS after delayed confirmation of Easterly

Anger over the delayed confirmation of Jen Easterly has reignited calls for CISA to exist on its own.
Written by Jonathan Greig, Contributor

On Wednesday, Senator Rick Scott ended his objection to the unanimous consent needed for the Senate to vote on the nomination of Jen Easterly to be Director of CISA.

Scott had been holding up the vote as a way to force Vice President Kamala Harris to visit the US-Mexico border. He said he would refuse to confirm any Department of Homeland Security nominees until Harris went to the border, which she did last Friday. 

"This isn't about Ms. Easterly. This isn't about cybersecurity," Scott said last week. 

Despite lifting his hold on her nomination, all of Congress is away for the July 4 holiday and Easterly will not be confirmed until after Congress returns on July 9. 

CISA has not had an official director since former President Donald Trump fired Chris Krebs in November. His deputy, Brandon Wales, has been holding the position on an interim basis ever since, even as the country continues to deal with the fallout from the SolarWinds hacks and a number of other state-sponsored attacks on government organizations. 

A number of lawmakers and experts, like Krebs, took to Twitter to criticize the decision to hold up Easterly's confirmation. Krebs even joked that Easterly's confirmation was being "ransomed" by politicians and said the situation was "one more reason it's time for a conversation about splitting up DHS."

Rep. Jim Langevin, one of the most vocal members of Congress on cyber issues, told ZDNet that the Cyberspace Solarium Commission looked at several different models for civilian and critical infrastructure cybersecurity, including spinning off a separate agency.  

"However, our ultimate conclusion was to double down on CISA in its current form. We passed a number of new provisions intended to do just that last year, and the House just released draft legislation increasing CISA's budget by nearly 20 percent," Langevin said.  

"I believe CISA can be perfectly effective within DHS if properly resourced and given the right authorities."

Among former government officials, opinions were more mixed on the topic. 

Drew Jaehnig spent more than 20 years managing networks and IT services and other technology at the Department of Defense. Jaehnig, who is now a director of Bizagi Government Services, said that before CISA's creation in 2018, DHS already had the task of securing US critical physical and cyber infrastructure with the National Protection and Programs Directorate (NPPD). 

The NPPD was created in 2007 and was charged with tracking all visitors to the country, providing federal protective services for federal owned and leased assets, assuring the reliability of the nation's cyber and communications infrastructure, and reducing risks to the nation's critical infrastructure, according to Jaehnig, who added that the cyber component was originally organized under the Office of Cybersecurity and Communications (CS&C).
"It is important to understand that the Department of Defense was working to protect the DoD cyberinfrastructure initially with the JTF-GNO (Joint Task Force - Global Network Operations) that was later to be part of the Cyber Command," Jaehnig said. 
"The civil agencies and national infrastructure needed something similar and as such, the CS&C was created. The CS&C's resources and standing were not sufficient to accomplish the given task, and in 2018 the Cybersecurity and Infrastructure Security Agency Act elevated the agency to a higher standing in DHS. Subsequent actions have substantially increased the resources available to CISA. Indeed, in the upcoming year, Congress is seeking $2.42 billion for CISA, $300M above what the President's budget requested."
Jaehnig said there is a lot of overlap between the jobs of CISA and DHS, and the idea of spinning CISA into its own agency "would probably only complicate the nation's response to any major cyber or infrastructure incident."
"The mission to secure borders, uphold economic prosperity, and increase our preparedness and resilience are all tied to the cyber and physical infrastructure," he said. 
Despite advocating that the organizations stay connected, Jaehnig acknowledged that the arguments for splitting CISA from DHS are centered around it not getting enough attention and voice within DHS. 
He also noted that the situation with Easterly was part of a larger problem of CISA-related issues being lumped into the controversies that typically swirl around DHS in relation to border policies. He added that others have argued that any coordination issues created by separating CISA from the DHS can be overcome, as they have with DHS and the FBI on cybercrimes.
Some private industry cybersecurity groups have also expressed hesitancy about working with DHS due to the public debates over border policies, according to Jaehnig. 
But in the end, Jaehnig agreed with Langevin that CISA simply needed more resources and increased focus by the private and public sectors on infrastructure protection and resiliency. 
"With the continued blurring of the line between the cyber and the physical, this is more apparent than ever. These would be steps in the right direction and would address many of the concerns of those wishing a split and avoid a messy reorganization that would interrupt operational responses at a critical juncture," Jaehnig said. 

"In the current environment, this is an issue that is likely to be more troublesome to the hill than keeping the status quo and adopting the Solarium recommendations. The Solarium recommendations are more practical to pass in legislation, as already accomplished with the appointment of a National Cyber Director, also in the CSC's 2020 recommendations. Indeed, Congress adopted 27 of the 80 recommendations last year, and this year the CSC is working on getting 30 more of its recommendations codified into law. Politically, this approach is working even in today's polarized political landscape."
Other former government officials took a different stance, arguing that CISA's ties to DHS complicated the organization's mission and added additional red tape that made it harder for the agency to respond quickly to cyber incidents. 

Jake Williams, who spent years in the US Army and now serves as CTO at BreachQuest, told ZDNet he was working in the intelligence field when DHS was created and said, "even then it wasn't clear it could perform its mission without adding more bureaucracy." 

Williams said it is time to have discussions about a cabinet-level position for cybersecurity. 

"Politics aside, what we're seeing now is budget and focus being split within DHS between immediate cybersecurity and physical security needs. In these types of 'immediate need' dilemmas, cybersecurity almost always loses," Williams explained. 

"I would fully support a cabinet-level directorate focused on cybersecurity. It's sorely needed today and not something we can kick down the road."

Others who have worked alongside the US government on cybersecurity issues also said CISA may be better served by operating within another agency. 

Bill O'Neill, a vice president at ThycoticCentrify, has spent years at companies that worked with the Defense Department and other agencies on cybersecurity.

He noted that the previous presidential administration succeeded in ensuring CISA became a more fully realized government agency and added that Krebs' leadership -- coupled with its role in protecting the integrity of the 2020 election -- resulted in a new level of credibility, visibility, and autonomy for CISA.

O'Neill said DHS's agenda, regulatory focus, and priority to work with sector-specific agencies "undermines and supersedes CISA's mandate to handle civilian cybersecurity issues, diminishing the country's ability to fight cybercrime on a united front." 

"If CISA were decoupled from DHS and integrated instead into the ranks of US Cyber Command, the agency would have much greater efficiency and independence to implement policies for civilian incident response unencumbered," he said. 

"You can correlate a sharp rise in cyberattacks across the country with the lack of defined oversight of US cyber defense strategy. And although Jen Easterly was nominated for the role of CISA Director three months ago, the Senate failed to confirm her. At a time when cyberattacks are at an all-time high, a vacuum in cybersecurity leadership only emboldens cyber criminals."

Editorial standards