Rep. Yvette Clarke, D-N.Y., has questioned the efficacy of voluntary cybersecurity relationships between government and industry as the GAO calls for CISA to complete its post 2018 evolution and build on previous efforts to bring other stakeholders into the process when developing programs and regulations. ("Rep. Yvette Clarke (D-NY)" by Talk Media News Archived Galleries is licensed under CC BY-NC-SA 2.0)

The Department of Homeland Security must further lean into its role protecting critical infrastructure from cyberattacks, but first it must work to finish its post 2018 evolution and build on previous efforts to bring other stakeholders into the process when developing programs and regulations.

That was the primary conclusion from a Government Accountability Office report released this week ahead of a House oversight hearing on how the federal government, DHS and its digital security wing the Cybersecurity and Infrastructure Security Agency are moving to protect critical infrastructure from state-backed and criminal cyberattacks.

The findings build off previous GAO investigations, including a more comprehensive report on DHS and CISA's efforts released last month.

During an oversight hearing Wednesday, Rep. Yvette Clarke, D-N.Y., who chairs the House Homeland Security subcommittee on cybersecurity and infrastructure protection, provided the latest example of how Congress has broadly shifted its thinking on cybersecurity regulations. She noted that in previous stint as subcommittee chair during the Obama administration, cybersecurity proponents in Congress helped lay the groundwork for the largely voluntary relationship between agencies responsible for regulating cybersecurity requirements within critical infrastructure.

Today, she and others are far more willing to consider a heavier regulatory hand to ensure companies are following minimum security standards and reducing the likelihood that a breach or ransomware attack could have far-reaching consequences throughout the supply chain or IT ecosystem.

“With all due respect to the hard work that’s been done, I think it’s time to be candid about the limits of these voluntary partnerships and authorities,” Clarke said this week.

CISA's growing pains taking lead federal cyber role

Part of that job, according to the GAO, will involve completing activities that are leftover from CISA’s transition from the National Protection and Programs Directorate, an agency that was in many respects reliant on DHS headquarters for authorities and resources, into the operational component agency that it is today.

That transformation, enacted by legislation in 2018, included mandates to overhaul CISA’s organizational structure and create separate divisions for cybersecurity, infrastructure security and communications.

Most of those tasks have been completed, but the agency has yet to finalize its mission-essential functions or complete workforce planning. The latter task takes on more relevance when you observe that CISA has spent the past few years heavily pushing the message that government, industry schools are not doing enough to develop a sufficient pipeline of cyber talent.

There’s also evidence in the GAO report that the agency has experienced some growing pains over the past five years as it has morphed from an afterthought agency to the federal government’s primary vehicle for outreach to the private sector and critical infrastructure and now one that wields increasingly powerful regulatory tools for the private sector and the rest of government.

Auditors identified “a number of challenges that selected government and private sector stakeholders had noted when coordinating with CISA, including a lack of clarity surrounding its organizational changes and the lack of stakeholder involvement in developing guidance.”

Agency officials have spoken before about some early stumbles as they worked through how to best use and apply new authorities to issue binding and emergency cybersecurity directives to civilian agencies. More recently, CISA has gained the ability to demand administrative subpoenas from private internet service providers for ownership information on vulnerable IT assets and compel incident reporting on breaches and ransomware payments from critical infrastructure entities.

While the agency often receives praise for its engagement and collaborative spirit with the private sector and other agencies, there are critics.  

For example, in recent years CISA updated its process for prioritizing cybersecurity assistance to different sectors when it developed a list of national critical functions — or services and processes where a cyber or physical attack could have significant impact and disrupt operations more broadly across one or multiple industrial sectors.

It was meant to replace an older process, the National Critical Infrastructure Prioritization Program, a relic of the agency’s NPPD days and one that was designed to focus primarily on physical, isolated threats and allow for smarter prioritization of limited federal resources and assistance. Despite the shift, just seven out of 25 critical infrastructure owners and operators interviewed by GAO were both aware and supportive of the list, with many saying they didn’t know about the framework or didn’t understand its goals.

Oddly, GAO said it has made 11 recommendations to DHS to address the problems but does not specify them in the report other than to say that DHS officials have committed to addressing them all by the end of 2022.

“While the department has communicated to us that they are taking steps to implement our recommendations, we urge them to do so even more expeditiously to protect our economy, public health and safety and national security from any future attacks,” Tina Won Sherman, director of homeland security and justice at GAO, told lawmakers Wednesday.