Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency (CISA) and 2020 Wash100 Award recipient, recently stated that Congress should enable the agency’s shared services office to centralize common, internet-facing services across civilian agencies. To support this initiative, Krebs noted that CISA’s existing quality services management office (QSMO) will need the authority to oblige all .gov agencies to use govnet services.
“CISA can build those services through the quality services management office — like a hardened, secure, cloud-based email instance — and pull everyone in,” Krebs said. “As of now, there are 101 different instances of email across the civilian agencies; that’s just not a defensive posture.”
Dmitri Alperovitch, executive chairman of Silverado Policy Accelerator, said that CISA should act as an operational federal CISO for .gov agencies, adding that agencies should provide CISA with additional resources. Krebs added that CISA should strike information-sharing agreements with .gov agencies on software with elevated privileges and sensitive data, following the SolarWinds breach.
“I’m hoping that … the Russian espionage campaign is enough for Congress to take bold action and change the way that the federal government does business to secure its own networks,” Krebs said. “Centralize authorities; provide capabilities that are hardened and more defensible than leaving it up to the 101 different agencies.”
Krebs’ call to action follows the White House’s appointment of Anne Neuberger, deputy national security adviser for cyber and emerging technology at the National Security Council, to oversee the federal response to the SolarWinds security incident that occurred in 2020.
Neuberger, an inductee into Executive Mosaic’s Wash100 for 2021, will work with federal victims of the breach throughout the cybersecurity remediation process and investigate how the government handled the incident. The report said she will also launch an inquiry into the SolarWinds hack to identify approaches for preventing another information technology breach at agencies.