Is It Time To Change Mission, Or At Least Expectations, For DHS?

President Trump’s firing of CISA Director Chris Krebs on Tuesday served no purpose except petty vengeance. In just over two months he would not have had to deal with Chris or any other appointee. At a minimum, the departure of Chris and some of his team means a few wasted months until the new team arrives. Does it mean more than that for the security of private-sector ICS?

It is hard to argue that there has been dramatic improvement in CISA’s approach to ICS over the past two years. Chris was kind enough to come on a podcast and answer some tough questions this August. What existed at that time, and still exists today, is:

  • CISA’s ICS page is in the worst state I have seen in ten years. This is where ICS asset owners, vendors and others go to get information from the lead USG agency on ICS security, and the page holds minimal, stale content.
  • The vulnerability advisories have not improved. Too many are just plain wrong, as Reid Wightman and others have shown after studying a whole year’s worth of advisories.
  • ICSJWG still happens. Little has changed here, and this was what Chris said was his top priority for the ICS private sector. While the regional and free nature of the event is good for attracting newcomers, there are plenty of events. The in-person and online training continues to be a bright spot, but again this has been the case for 10+ years.
  • CISA is still competing with industry to provide services to private-sector asset owners, and touting this as a main mission and mark of success.
  • The content still lags, in both quantity and quality, what ICS vendors and industry organizations are putting out about threats, ICS security programs and other important topics. There have been a handful of notable exceptions in 2020 where CISA put out uniquely helpful and high-quality content.

There has been little change in the state or results of DHS’s ICS security effort post-Stuxnet. With only marginal changes, does it really matter that Director Krebs is no longer in charge?

There is a case that it does.

In my limited interactions with Chris and some of his team, it appeared there was an energy that did not exist before. CISA was looking more objectively at past and current failures, and there was hope that this team was growing into the mission and was about to actually drive change. I heard these notes of optimism and “things are different” from many who interacted with CISA far more than I did.

CISA has a huge job, and election security certainly sucked up a lot of the resources and mindshare in 2020. Now that the election is over, had President-elect Biden chosen to keep the same team in place, would we have seen the results that were hinted at and hoped for? Or were we taken in by Chris’s charisma and activity in the community?

We won’t know, which is a shame.

It’s probably time we reduce CISA’s mission, and the private sector’s expectations, related to ICS security. In both my interviews with Chris he emphasized DHS’s responsibility for ensuring federal government ICS are secure, and his view that much more effort is required by CISA to assist state and local governments. That’s a huge mission, and one that they are best positioned to do. And it’s enough.

DHS has never led in private-sector ICS security. It has been looked to for that leadership since its creation. DHS should stop trying, and we should stop expecting it.