Inside former CISA chief Chris Krebs’s idea to spin CISA out of DHS—and why it might be premature

Former CISA chief Chris Krebs caused a stir in August when he proposed the department’s role be elevated into an independent “US digital agency,”—or perhaps more realistically, liberate it from its status as an operational component under the Department of Homeland Security.

“I think it’s time to rethink the way government interacts with technology,” Krebs told attendees at the Black Hat conference, according to the Record. “We’re not where we need to be and we’re falling behind and Americans are suffering as a result.”

As an alternative to the creation of a new agency, Krebs suggested CISA could be spun out of DHS to make cybersecurity “apolitical, non-political, bipartisan, and nonpartisan.” Either way, he added, instead of organizations going to “five or six different agencies” for their security issues, there should be “a front door that is clearly visible. And as I see it, that’s CISA.”

Former US cybersecurity officials and other experts who spoke with Cyberscoop were broadly skeptical of the idea, arguing that CISA benefits from DHS’s political pull and resources. Those who talked with IT Brew raised similar concerns, saying that centralizing cybersecurity functions currently spread out across the US government could be difficult—and in some cases, counterproductive.

Jonathan Reiber, the VP for cybersecurity strategy and policy at AttackIQ, wrote the first two national cyber defense strategies in 2010 while working in the office of the Secretary of Defense. He pointed out that while sector-specific agencies have their own cybersecurity apparatuses, CISA is only on its second confirmed director, Jen Easterly, and the separate office of National Cyber Director Chris Inglis was only established last year and has yet to “achieve maturity.”

“I think that will take probably more than one term,” Reiber said. “And on the question of CISA, the Joint Cyber Defense Collaborative and a lot of the authorities that CISA has been given as an agency have really yet to achieve operational fluency.”

Reiber added that while Krebs hadn’t gone into specifics, a CISA spinoff could run into major logistical hurdles. For example, DHS currently provides its personnel management capability, which CISA would perhaps have to contract out, and the director of CISA might spend most of their time managing the transition.

Bryan Ware, CEO of LookingGlass and a former CISA assistant director, told IT Brew via email that CISA’s relative newness as a federal agency needs to be considered when deciding how to move forward. Ware said he’d prefer that the National Cyber Director pulled out of the White House, for the positions of director of CISA and the NCD to be merged, and to see the US “commit to having a well-resourced, powerful, front door for private sector and international partners, and an operationally strong CISA that can coordinate and integrate USG efforts.”

Will Loomis, an associate director at the Atlantic Council’s Cyber Statecraft Initiative, told IT Brew that a more independent CISA is “a really interesting concept and can kind of push us in the right direction.” But he cautioned that CISA might currently be better off under DHS due to expanded access to resources and high-level interagency discussions.

Krebs’s idea “could definitely create some potential issues with some of the kinds of systems, relationships, and processes that already exist across the federal government,” Loomis said, as a wide swath of federal cybersecurity agencies and organizations “have legitimate claims to exist and legitimate goals right now within the current system.”

“We’re talking NSA, we’re talking CISA, we’re talking the Office of the National Cyber director, we’re talking FBI, we’re talking sector risk-management agencies like Coast Guard or DOT or DOE,” or banking infrastructure, Loomis told IT Brew. It was unclear, he added, whether Krebs’s idea would necessitate replicating that expertise at the newly formed entity or if it would fulfill a more straightforward role as a clearinghouse for reporting cybersecurity incidents.

“I think centralizing it is a good idea. But…it’s gonna be a long road for us to get to that point,” Loomis concluded.—TM

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @thetomzone on Twitter. Want to go encrypted? Ask Tom for his Signal.