GAO: CISA Has Many Unfinished TasksAudit Stresses Need for Better Communication With Companies
Although the Cybersecurity and Infrastructure Security Agency has made significant strides since it was established in 2018, it still has important work to do to fulfill its cybersecurity and national security obligations, according to a recent audit by the Government Accountability Office. This includes improving communication with companies that share responsibility for the security of critical infrastructure as well as soliciting private sector input on creating specific security plans for each industry.
The federal watchdog made 11 recommendations for how CISA can fulfill the requirements laid out in the Cybersecurity and Infrastructure Security Agency Act of 2018. That law established CISA as a stand-alone agency within the U.S. Department of Homeland Security with a charter to protect the nation's critical infrastructure.
Unless CISA takes key steps, including streamlining how the agency operates, it could have trouble responding to large-scale incidents, such as the SolarWinds supply chain attack, according to the GAO report.
"Until it establishes updated milestones and an overall deadline for its efforts, and expeditiously carries out these plans, CISA will be hindered in meeting the goals of its organizational transformation initiative," the audit states. "This, in turn, may impair the agency’s ability to identify and respond to incidents, such as the [SolarWinds] cyberattack discovered in December 2020 that caused widespread damage."
The Department of Homeland Security, which oversees CISA, agreed with all 11 recommendations published in the report, the GAO notes.
Meanwhile, on Thursday, a bipartisan group of House members announced plans to introduce the Industrial Control Systems Enhancement Act, which would require CISA to detect and respond to incidents involving attacks on industrial control systems and provide greater assistance to companies that support critical infrastructure, The Hill reports.
This bill is being introduced in response to the hacking of a water treatment facility in Florida last month, in which the attackers appear to have used TeamViewer to gain remote access to the plant's network (see: 5 Critical Questions Raised by Water Treatment Facility Hack).
Stuart Itkin, vice president at security consulting firm Coalfire, says an emphasis on operational technology security is long overdue.
"Commercial and government programs traditionally focus on securing our IT to the exclusion of OT," Itkin says. "We've seen the consequences in Florida and elsewhere as those with malicious intent target that which is most vulnerable. A focus on OT security at par with IT security is long overdue."
CISA is getting an infusion of $650 million in federal funds from the American Rescue Plan economic stimulus package, which President Joe Biden signed Thursday. That amount, however, is far less than the billions that the White House originally proposed.
During two public hearings in the House last month, lawmakers appeared open to giving CISA additional responsibilities for threat hunting across federal networks and coordinating intelligence following large-scale cyber incidents (see: House SolarWinds Hearing Focuses on Updating Cyber Laws).
CISA has completed two of the three phases that are outlined in the federal bill that created the agency, the GAO notes. These phases are: developing a new organizational chart for the agency, consolidating several incident response centers and designating points of contact within the agency that companies can reach out to after a cybersecurity incident.
GAO says the agency is falling short in phase three. As of December 2020, the agency had completed 37 of 94 planned tasks for this phase.
Of the tasks that are not complete, the audit notes, 42 are critical to "finalizing the mission- essential functions of CISA's divisions and issuing a memorandum defining incident management roles and responsibilities across CISA."
The audit recommends that CISA create a process for identifying overlapping duties and programs to streamline the agency and cut wasteful costs.
Mike Hamilton, a former vice chair of the Department of Homeland Security's State, Local, Tribal, and Territorial Government Coordinating Council, says it's not surprising that CISA, which was formed in 2018, is having some growing pains.
"Like the rest of the world, CISA has challenges in attracting and retaining qualified practitioners that deliver products such as resilience reviews and IT security assessments," says Hamilton, now the CISO of CI Security. "The frequency of global cyberattacks has increased and we recently completed an election that required specific focus. These events, including the planning and preparation preceding the U.S. election, have likely resulted in the opportunity cost of these missed milestones."