Updated Nov. 18: In a clearly political move, Christopher Krebs was removed from his post for continuing to insist the elections had been secure. "The dismissal of Christopher Krebs as Director of the Cybersecurity and Infrastructure Security Agency is political, surreal, and disheartening," said Chloé Messdaghi, vice-president of strategy at Point3 Security. "Many in the cybersecurity community are deeply disappointed and more than a bit nervous."
"CISA's role was to be the organization that works closely with all stakeholders - industry, public sector and the American people - and to help keep the US ahead of cybersecurity threats, both those in the form of attacks and of misinformation campaigns," Messdaghi said.
The Cybersecurity and Infrastructure Security Agency’s role goes beyond national security and securing elections. Any shakeup at CISA’s leadership level would affect the work the agency has been doing with private sector organizations.
Rumors have been rampant over the past few days that Christopher Krebs will be ousted as CISA’s top official—Reuters reported Krebs expects to be fired. Several key figures at the Department of Defense resigned shortly after Secretary of Defense Mark Esper was fired. (Heads have also rolled at the U.S. Agency for International Development, the Energy Department and the National Oceanic and Atmospheric Administration—a climate change denier is now in charge of NOAA’s US Global Change Research Program.) Bryan Ware, CISA’s Assistant Director for Cybersecurity and a Krebs deputy, resigned from his post but declined to discuss the terms of his departure.
“I’m very proud of the work that CISA has done this year,” Ware told Cyberscoop. Ware also noted that CISA played a role in the country’s pandemic response by working closely with healthcare organizations, pharmaceutical companies, medical research institutions and universities to protect them from cyberattacks targeting research and other work related to the novel coronavirus. “We leaned into protecting the nation’s COVID response.”
Along with election security—“The November 3rd election was the most secure in American history”—and pandemic response, CISA has pushed forward on other key areas, including supply chain, information sharing and threat hunting, and 5G. The agency was established two years ago with the Cybersecurity and Infrastructure Security Agency Act of 2018, which reorganized the Department of Homeland Security's (DHS) National Protection and Programs Directorate (NPPD) as the Cybersecurity and Infrastructure Security Agency, to “build the national capacity to defend against cyber attacks.”
CISA has substantially raised awareness of third party risks, especially through the dedicated task force focused on supply-chain issues, said Chloé Messdaghi, vice-president of strategy at Point3 Security. “He’s [Krebs] helped educate companies that they’re only as secure as is the weakest link in their supply chain, and he’s continuously urged companies to evaluate the security and risk management of their vendors.”
CISA also provides “trusted communications channels” to talk about vulnerabilities and security threats. Pandemic response is just one example. CISA issues binding operational directives, which are rules federal agencies have to comply with, such as deploying security updates or changing a security configuration to make networks more secure. These directives are mandatory only for government agencies, not private sector organizations, but they set the tone. When CISA issued a binding operational directive ordering patching for a Microsoft flaw, it highlighted how important this was.
“CISA has provided unified emergency communication around cybersecurity and national risk management issues, and has helped unify and structure communications around these issues from the myriad of US intelligence agencies such as the FBI, NSA and CIA,” Messdaghi said.
Any kind of personnel move is tricky during times of transition—there is a lot of institutional knowledge to pass on and it is reassuring to have new and previous leaders work together to avoid interruptions to day-to-day operations. It is similar to why executives may be asked to stay on after an acquisition. Changes in leadership of an agency tasked with securing the country’s critical infrastructure will heighten the government’s vulnerability, and potentially disrupt the security of private sector organizations, as well.