Christopher Krebs, director of the Cybersecurity and Infrastructure Security Agency, said the agency's focus on election security operations is a good model for other critical infrastructure sectors.
The head of the federal government's top civilian cybersecurity agency told two House panels this week that he would prioritize increased technical assistance to critical infrastructure entities if provided with additional funding in the fiscal 2020 budget.
Christopher Krebs, director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, pointed to the substantial investment Congress has made to CISA's budget for election security operations over the past few years as a model for how the agency would like to deploy additional resources to other critical infrastructure sectors.
"Congress has invested in my agency to date, close to $60 million, purely related to election security," Krebs said at an April 30 hearing with the House Homeland Security Cybersecurity, Infrastructure Protection and Innovation Subcommittee. "Outside of federal networks, I don't think I have another critical infrastructure sector that Congress has invested specifically to that level."
CISA provides a variety of services to the 16 critical infrastructure sectors it serves, from sharing of cyber threat intelligence to in-depth vulnerability scans. The agency has also indicated in recent months that it has plans to begin installing technical sensors around critical infrastructure systems to detect malicious activity, similar to the Albert sensors it has deployed around election and voting systems.
Krebs told an appropriations panel on May 1 that CISA would use additional funds to "significantly expand" its engagement with stakeholders in critical infrastructure, saying "we have to do more to get out there and engage, but once we do, we have to be able to follow through."
CISA just released its long-awaited list of national critical functions, essentially a compilation of services and activities that, if disrupted, would have the most negative and cross-cutting impact on American society. While DHS and CISA have traditionally defined their defensive work on critical infrastructure through a sector by sector approach, agency leaders have said the new approach focusing on what those entities do and the services they deliver will allow DHS to consider a broader range of entities when developing protection strategies.
"I think in the current formulation, it's possible that we're not hitting all the right bits and pieces of the supply chain for instance, or small and medium-sized businesses," Krebs said during the House Homeland Security hearing. The list, he said, "gives us a better appreciation of some of those niche or boutique companies that may deliver a really critical service that doesn't fall neatly within the 16 sectors."
CISA plans to use the list as a starting point for the development of a tiered "risk register" that games out potential scenarios that would have the most debilitating effect across sectors and "prioritizes areas of national risk to critical infrastructure in need of mitigation and collective action." That work, Krebs said, will guide more targeted discussions in the future around funding and resource allocation.
It's clear that the idea of boosting cyber funding for CISA has supporters in Congress. Twenty-eight members of the House Homeland Security Committee signed a letter urging their colleagues on the House Appropriations Committee to fund CISA's cybersecurity mission above the levels set by the president's 2020 budget request, and multiple members in both hearings made unprompted comments or expressed concern that CISA needed more money to carry out its cybersecurity mission.
"There's bipartisan support to increasing your budget," said Rep. John Katko (R-Texas), ranking member on the House Cybersecurity, Infrastructure Protection and Innovation Subcommittee. "We understand the critical function you play, and we understand you need more money to be able to do it properly."
NEXT STORY: TSA preps new guidelines on pipeline cyber