In weighing the prospect of a larger and more diverse workforce against the benefits of accessing classified intelligence, the Cybersecurity and Infrastructure Security Agency may be realizing it can do more with less.
“I think agencies like CISA are going to shift from a way of working where we had to be in one place or a couple of places and those places relied heavily on classified information,” said Bryan Ware, assistant director for cybersecurity at CISA. “I think what we’re already learning right now is how much insight we can get from commercial information.”
Ware spoke Tuesday along with CISA Director Christopher Krebs during the annual Billington cybersecurity conference, where they addressed challenges related to the pandemic and plans for the future.
“There’s still a gap between classified and commercial information but we had a chance to rethink the way that we work and where we work,” Ware said. “If we can work remotely right now, then we don’t need to hire all of our employees from the national capital region. We probably don’t need to require all of our employees to have top secret clearances if they’re not accessing top secret information.”
Ware said the agency would be able to scale its operations more effectively by leveraging commercial and open-source data.
“Those things are going to open up a whole new workforce, reduce our facilities, costs, and I think give us the chance to really accelerate innovation and mission,” he said.
Ware’s comments echoed those Krebs made in June regarding the benefits of expanding the geographic reaches of the talent pool for cybersecurity workers.
To account for a more dispersed workforce, the CISA officials both stressed the importance of mitigations they’ve been promoting long before the virus arrived.
“We have been advising departments and agencies to patch [virtual private networks] for a year now,” Ware said. “That VPN now has gone from 10 or 15% of your enterprise traffic to maybe 95% of your enterprise traffic and we still see unpatched VPNs.” The difference today, Ware said, is that “the locus of the attacks are the VPNs now. Our adversaries know where we are and where we’re working, so that’s where they go.”
Krebs said agencies, such as CISA, that had already migrated to the cloud were able to avoid some of the exposure others faced from their VPNs being specifically targeted during the crisis.
But agencies moving to the cloud introduces another opportunity for attackers, and Krebs said this should lead to greater investment in, and consolidation of, tools to more centrally manage cybersecurity.
“We have to make sure that … when we have all these federal agencies that are shifting to a remote work environment or have shifted to a remote environment, that are introducing new risks, that are expanding their attack surface, that we don’t take our foot off the gas in terms of the progress we’ve made through programs like [Continuous Diagnostics and Mitigation]” he said. “We should be doubling down on those investments right now, we should be accelerating the deployment of security tools like endpoint detection and response.”
Krebs also praised the Office of Management and Budget’s April designation of CISA as a quality service management office. The decision means CISA will serve as a marketplace of cybersecurity services—including for security operation centers and domain name system resolvers—that align with federal requirements while reducing costs.
QSMOs are also supposed to establish a customer engagement and drive implementation to standards that produce efficiencies in process and scale.
“There are 101 civilian federal agencies, if you’re talking about 101 really capable, built-out CISO shops, you’re never going to get there,” Krebs said. “It’s not efficient, it’s not going to be effective, there’s going to be too much internal competition, so the way I look at it is: you’ve got consolidation, you can provide higher fidelity cybersecurity services.”