America’s digital defender is underfunded, outmatched and ‘exhausted’

CISA “just can’t do the job that they need to do,” Rep. Dutch Ruppersberger (D-Md.) argued at a House Appropriations Homeland Security Subcommittee hearing earlier this month.

It’s been a tough 12 months at CISA. The agency already had its hands full confronting a surge of digital intrusions that accompanied the coronavirus pandemic. It also went into overdrive to help state and local election officials protect their systems during the heated 2020 campaign — and served as a key check on false claims of widespread fraud, placing its leadership in Trump’s crosshairs. Then in December, the government learned from a security firm that suspected Russian hackers had exploited SolarWinds’ widely used software to tunnel into federal and corporate networks and rummage through the files of nine agencies and roughly 100 companies. As CISA was responding to those breaches, Microsoft disclosed that Chinese hackers had exploited a vulnerability in its email software, setting off a blizzard of attacks as criminals rushed to breach hundreds of thousands of affected servers.

CISA was already struggling last year to assist state officials with election security, and now “there are hundreds of times more incidents,” said Bryan Ware, who led the agency’s cybersecurity division in 2020.

Employees were more direct. “People are somewhat exhausted,” said one.

Staffers said the agency doesn’t have enough people to fill out its threat-hunting and incident-response teams, which deploy to agencies and help them investigate and recover from breaches such as the hack of SolarWinds’ IT monitoring software.

“It’s obvious that, to meet the demand, our supply of threat hunting is pretty low,” said a second CISA employee. Both employees spoke on the condition of anonymity to offer candid thoughts.

Mark Montgomery, the executive director of a congressionally chartered panel whose report has served as a blueprint for reforming CISA, said he’d be surprised if the agency had even 10 percent of the incident-response capacity it needed.

While CISA has been able to meet other federal agencies’ needs, it’s struggling to provide promised support to private sector critical infrastructure companies such as hospitals and power plants, which are facing increased attacks in part because of the pandemic, and to aid small businesses crippled by ransomware attacks, the second employee said.

And key parts of the effort to restructure the new agency have stalled, according to a March report by the Government Accountability Office, which said CISA hasn’t fully defined its different teams’ responsibilities and identified its workforce’s “capability gaps.”

Even so, the employees said staff are generally optimistic, expecting that Homeland Security Secretary Alejandro Mayorkas — who prioritized cyber issues as deputy secretary during the Obama administration — and new senior CISA leaders will listen to staff, advocate for their needs and keep cybersecurity on the front burner with the White House.

“Morale is generally really high,” the second employee said, because even though many people feel overworked, they still love CISA’s mission and “are super jazzed about the political appointees.”

And Eric Goldstein, who leads the agency’s cybersecurity division, said in an interview that while “the resource need for CISA is urgent” it hasn’t yet had to sideline projects.

“We are not, at this point, having to make triaging decisions,” Goldstein said.

Still, the agency remains without a permanent director or even a nominee for the position, and significant improvements may require a cash infusion well above what Congress has considered so far.

House Homeland Security ranking member John Katko (R-N.Y.) said CISA, which received $2 billion from Congress in each of the past two years, needs to become “a $5 billion agency in the next decade.”

Democrats have argued for a funding boost as well, including Homeland Security Chair Bennie Thompson (Miss.). “If Congress wants the private sector to take security seriously — and that means putting money where your mouth is — it has to lead by example,” Thompson said.

That bipartisan push has had some effect. In March, Congress approved an emergency $650 million for CISA as part of President Joe Biden’s coronavirus relief bill.

But the additional money comes as Congress is loading more responsibilities onto the agency.

In the fiscal 2021 defense policy bill, lawmakers directed the agency to take over supervision of .gov websites, and at recent hearings, some lawmakers have suggested having CISA directly manage other agencies’ cyber defenses.

“If you don’t fund the agency, but you do build up the expectations, you’re positioning it to fail,” said Matt Masterson, who served as a senior cybersecurity adviser at CISA from 2018 to 2020.

CISA’s overstretched status is undermining the U.S.’ cybersecurity defenses in multiple ways.

The agency’s two marquee federal network monitoring programs — a collection of perimeter-defense sensors placed on agency networks and a suite of tools to help agencies understand their IT settings — haven’t been updated to account for attackers’ use of never-before-seen malware, rented U.S. servers and clever identity-forging techniques. The SolarWinds hackers exploited these gaps, and fixing them could take years.

The agency also lacks the capabilities to analyze vast quantities of data about hackers’ activities on victim networks, which prevents it from identifying problems before they become crises. And the budget for its division that predicts risks to vital infrastructure systems such as electrical grids and waterworks is tiny compared with the sheer scale of this analysis work.