The Cybersecurity and Infrastructure Security Agency (CISA) does not see itself as the nation’s risk managers, but rather as the nation’s risk advisors, and is working to set clear priorities moving forward, said CISA Director Christopher Krebs.
Speaking at Forcepoint’s Cybersecurity Leadership Forum on April 4, Krebs made it clear that CISA is not looking to take control of all Federal networks.
“If you put it at the top line, what is our role? The way I see it, we’re the nation’s risk advisors. We’re not the nation’s risk managers, because I don’t manage much risk directly. I have some ability to apply direction and compulsory activities across Federal networks, but ultimately, the network owner owns and manages the risk,” said Krebs. “The individual agencies within the Federal government, that local level election official, the chemical company – whatever it is, they own the risk.”
But as Krebs noted, CISA does have authority to compel agencies to take action. He stated that removing Russia-based security technologies provider Kaspersky was one of the top priorities when he came back to government, and he described the framework created to evaluate components in Federal networks.
“Really what it boiled down to was three simple questions: what’s the thing, what does it do or have access to, and who controls it? Ultimately, we had an antivirus product that was running at a level we don’t typically monitor for, it was porting back to Moscow, it was subject to the jurisdiction of an authoritarian state and their military intelligence services, and hypothetically with broad reach across the Federal government. Not an acceptable risk,” he said.
With the same type of fears abounding about 5G network equipment made by Huawei and other Chinese companies, Krebs noted that the framework still stands.
“I can take those three questions, and apply them to any product. Our focus is not on the country of origin, or the company, but it’s about, what is the rule of law under which that product is potentially subject to.”
Looking towards the future, Krebs discussed his desire to build an alumni network of former CISA employees in the private sector, tackle the threat of election interference, and, most importantly, prioritize the main threats for the agency – a sentiment in line with the National Risk Management Center’s efforts to define national critical functions.
“We can talk about generalities all day long, but we’ve got to find some things to focus on. If everything’s a priority, nothing’s a priority.”