Several members of CISA leadership expressed agreement with the goals laid out in the report to secure critical infrastructure, but they stopped short of endorsing plans for new government bodies.
At the end of a section detailing recommendations and a call to action, authors of the recent National Infrastructure Advisory Council draft report on cyber threats facing critical infrastructure wrote: "we need to act now" in bold, capitalized and underlined letters.
The version of the report unanimously approved Dec. 12 will alter that sign-off, which some members found a bit over the top. The substance of the report, however, will still emphasize bold suggestions to shake up a status quo that some members think is insufficient to meet the rising threat.
Perhaps the most controversial recommendations were the creation of two new entities -- the Federal Cybersecurity Commission and the Critical Infrastructure Command Center (CICC). The first would be charged with leading the government's response to cyberattacks within critical infrastructure, while the second would be stood up to improve information sharing between government, industry and other critical infrastructure stakeholders in the energy, financial and communications sectors.
While the CICC would be housed within the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Cybersecurity Commission would be its own independent entity, one that could challenge the role carved out by CISA as the preeminent federal agency protecting critical infrastructure.
According to Mike Wallace, former chief operating officer for Constellation Energy and chair of the NIAC working group, that was by design.
"The situation is so dire that existing government and partnership structures are not agile enough to respond at network speed to the threats we're facing," Wallace said during his presentation.
Several members of CISA leadership also at the meeting expressed agreement with the report's goals to improve efforts but stopped short of endorsing plans for new government entities.
Brian Harrell, assistant director for infrastructure protection at CISA, thanked the council for "thinking bold" but pointed out that "a lot of the recommendations you highlight here, CISA is already doing" in some form or fashion.
CISA Director Chris Krebs said he found elements of the NIAC report "jarring" but also that "in some sense, I take this as a performance evaluation."
"I think as you look at this report, there's a lot of thought that's been put in it," Krebs said. "At the same time there are a lot of jarring recommendations that are not consistent with previous approaches, but … as you put it, the status quo is not working."
He said conducting a national-level exercise in 2020 to pilot the new command center model would be "extremely challenging" and indicated that improvement might come from bolstering CISA's current efforts rather than adding new organizations to the field.
"There's an opportunity for us through this report on the government side to take a look at existing bodies, existing investments, existing programs … and look to see what may need to be sunsetted, what may need to be reinforced, where we need to turn up the intensity or expand and … what we need to streamline," said Krebs.
There were indications of some dissent within the council itself about how drastic a change to make. Among the feedback provided on the draft report was concern from one unnamed member that creating a new independent Federal Cybersecurity Commission could "delay response efforts" by the federal government; that member suggested providing those authorities to existing government agencies instead.
"Establishing a new commission may not be the best way to achieve the functions/end-state the report is driving to," the member wrote.
Rich Baich, chief information security officer at Wells Fargo and a member of the NIAC working group, also floated the possibility that some of the new authorities or entities suggested within the report could be funneled to or merged with current organizations. On information sharing, he said the government likely already has inherent authority to consolidate the multiple existing public and private sharing organizations "into one coordinated and empowered entity" to direct collection, validation, evaluation and dissemination of cyber threat information.
However, he stressed that the government need not necessarily stand up a brand-new center to achieve that goal.
"There exists basic authorities already for the creation of a public-private team in the classified space, and with time being of the essence, if there are opportunities to leverage existing organizations as the basis of this effort, we should," Baich said.
A new Federal Cybersecurity Commission would almost certainly take an act of Congress, which has spent much of the past two years propping up CISA as the federal lead for protecting critical infrastructure.
Following the meeting, Wallace told FCW the working group "looked broadly at where things are right now, how they've evolved over the past decade, and we've concluded we're not in an acceptable place right now."
Wallace said the group, which counts a number of private-sector executives among its membership, would like to see government do more in this space, even if it means additional regulations on industry. He also stressed that the federal government needed one organization to be accountable for cybersecurity in the three sectors outlined in the report.
"We did not seek to look at exactly what's there and fine tune things or be critical of anything that's there today," said Wallace. "We looked with a more holistic approach and said where we are today, this could be done. It's not that complicated, and it would be a new model of public-private partnership together. The degree to which that goes forward, that's got to be left up to other people, but we draw our line on our recommendation and what we think is the best thing to do."
Asked if he felt an independent Federal Cybersecurity Commission was needed to achieve that accountability, Wallace replied, "We do."