While the federal government knows how to throw money at a problem, it needs to do a better job of helping civilian agencies understand the complex risks involved in protecting themselves against cyberattacks, according to a six-month study by the Center for Strategic and International Studies.
The report examined the Cybersecurity and Infrastructure Security Agency’s role in protecting the more than 100 federal civilian executive branch agencies from criminal and state-backed hackers. CISA is still one of the newest agencies on the block, and one of the main goals of the study was to explore the current state of .gov protections.
“CISA is a relatively young agency,” said Ben Jensen, the report’s lead author and a senior fellow for future war, gaming, and strategy in the International Security Program at CSIS. “So where are they? And where are they going? And do they have the resources authorities require to kind of live up to the task at hand?”
The report has three main pillars of recommendations: additional resources, leveraging and harmonizing authorities, and improving communication and coordination with stakeholders.
The report notes that the continuous diagnostics and mitigation program — a slew of tools and services to help agencies better defend themselves — should have a more predictable and flexible funding structure. Additionally, Congress should fund and formalize the Joint Collaborative Environment, as well as a cyber statistics program for anonymized incidents and vulnerabilities, the report recommends.
The study’s authors also said CISA should articulate its own roles and responsibilities as the lead agency for federal network defense. Congress, meanwhile, should harmonize incident reporting requirements and make CISA the lead recipient of government and agency reports of major incidents, among other recommendations.
Additionally, CISA needs to find a better way to effectively engage in misinformation and disinformation discussions, according to the report. While the problem is bigger than the one agency, the role disinformation has played in previous elections makes the issue core to the agency’s mission.
The report suggests a study of cyber-enabled disinformation campaigns as a first step.
But perhaps the biggest theme to come out of the study was that while money is always needed, “put bluntly, money is not enough to defend the .gov.”
“The U.S. government needs to do a better job of planning, coordinating, and communicating the risks associated with cyberattacks against federal executive agencies,” the report states.
Jensen explained that the goal is to help CISA grow into a larger advisory role by sending teams that can help the various civilian agencies balance near-term objectives with long-term risks.
And while protection of the .gov websites may seem like a simple assignment, the task includes a crucial assortment of services across a wide range of agencies, all with their own unique network needs, Jensen said. And those services can be anything from the data that energy markets rely on to assistance for everyday Americans.
“What would happen if someone were to use cyber operations to disrupt [Supplemental Nutrition Assistance Program] payments in the run-up to the next election? Over 40 million Americans would find themselves without a meal, for a start,” Jensen said. “What happens if nefarious actors manipulate or cast doubt on data from the Department of Labor or Commerce, and now most American economic statistics aren’t trusted?”
This is not a new issue. The report notes that policymakers have struggled to align resources to protect these civilian agencies for “almost 20 years.” However, both the Trump and Biden administrations have made massive changes to the way cybersecurity policy is handled at the federal level — particularly with the establishment of CISA and the National Cyber Director.
The study was a reunion of sorts, as many of the influential Cyberspace Solarium Commission members participated. Additionally, the study held 30 interviews with federal and private chief information security officers, in addition to conducting six expert tabletop exercises and another tabletop of 1,000 individuals from the general U.S. public.