Insiders worry CISA is too distracted from critical cyber mission

Written by Suzanne SmalleyNihal Krishan and AJ Vicens
DEC 22, 2022 | FEDSCOOP

When Congress was still trying to understand the full extent of Russia’s 2016 election meddling and growing increasingly anxious about possible cyberattacks on other U.S. targets, lawmakers rallied behind an idea to shore up the nation’s digital defenses.

In the fall of 2018, they passed legislation establishing an agency inside the Department of Homeland Security to streamline federal cybersecurity efforts, encourage industry to improve vulnerable systems and help safeguard critical infrastructure from determined nation-state hackers.

Republicans and Democrats praised the new Cybersecurity and Infrastructure Security Agency, which replaced the National Protection and Programs Directorate inside DHS. Rep. Michael McCaul, R-Tex., said it would “strengthen the security of federal networks and our nation’s critical infrastructure.” Rep. Jim Langevin, D-R.I., was another early booster of the new agency — and has been one of its most vocal champions.

But four years in, CISA appears to be struggling with internal divisions over the direction of the agency, morale problems and growing concerns about leadership priorities. CyberScoop and FedScoop spoke with 14 current and former CISA employees and 18 additional people familiar with CISA’s internal operations. Most described an agency that lacks a clearly defined strategic direction and often seems more focused on its public image than working on the nation’s thorniest cybersecurity problems.

Even Langevin, who is retiring from Congress next month after spending years promoting cybersecurity legislation, is frustrated. “There are a lot of things that the agency can and should do better,” Langevin told this publication, pointing out that CISA is a year late submitting its organizational planning, staffing and budgeting document to Congress.

If Congress doesn’t have the document — known as a “force structure assessment” — to evaluate budgeting for CISA soon, Langevin suggested it could impact the agency’s funding.

“I’m disappointed that it wasn’t completed before the end of my final term,” he said. Others in Congress appear to be fed up by delays from CISA, too: The pending omnibus government funding bill includes unusual language that would fine the agency $50,000 for every day it’s late on quarterly congressional briefings.

An organization struggling to find its way

People inside the organization, and those who recently left, complain that leadership hasn’t articulated priorities and often seems insulated from staff, leaving many to hear about agency initiatives via Twitter instead of from managers.

“Front-line employees would benefit from having a consistent directional strategy,” said Beau Woods, a noted cybersecurity researcher who left CISA in November after two years as a senior adviser. He said that what’s absent from agency brass is direction on “clear outcomes or a clear understanding of what good looks like.” Without that, he said, employees can have “the perception that every new email will be just the flavor of the week and next week they’ll be on to something different.”

A current senior U.S. cyber official was more direct. “I don’t know what the CISA vision and agenda is internally from leadership,” the official said. “I think they do far more external communication than internal communication.”

The official highlighted that one of the agency’s key challenges lies in its inability to hire the right cyber talent, which has had significant negative downstream effects on other problems it faces. “Their hiring challenges significantly hurt their ability to execute their mission,” the official said.

Still, CISA’s employee base has grown. Federal numbers show that between September 2021 and June 2022, CISA grew from 2,392 to 2,626 employees. However, multiple sources said the hiring pace has been slower than it should be and that CISA has particularly struggled to hire highly skilled technical talent. A CISA blog post from June said the agency had nearly 150 open cybersecurity positions it sought to fill.

Many of the people who spoke with CyberScoop and FedScoop did so on the condition of anonymity due to concerns that they could jeopardize current or future relationships with CISA. Nearly all of those interviewed acknowledged the agency has plenty of existential challenges such as a vast DHS bureaucracy and a difficult mission due to the sheer number of U.S. entities needing cybersecurity assistance.

Still, many said there’s a growing perception inside — and outside — CISA that an over emphasis on carefully managing and promoting Director Jen Easterly’s brand is taking precedence over more critical matters. Easterly is a staple at industry gatherings such as the RSA ConferenceDEF CON and CYBERWARCON as well as at corporate speaking events such as the Mandiant mWise conference, a recent Google panel and another on the floor of the New York Stock Exchange.

Easterly also maintains an active social media presence and was the subject of a recent “60 Minutes” feature. She often appears in videoson the CISA Instagram page promoting cybersecurity messages.

“The day-to-day effect of Jen’s branding push is that it hurts the work and mission execution,” a former CISA official said. “It’s not what the staff want … They want the focus to be about the work, not about one person.”

Nominated by President Biden to run the agency in April 2021, Easterly arrived with impeccable credentials. She most recently worked as a cybersecurity executive at Morgan Stanley where she defended the firm against global cybersecurity threats. Before that, she helped stand up U.S. Cyber Command and served in the Obama White House and the National Security Agency as a senior counterterrorism official. She’s an Army veteran, West Point graduate and Rhodes Scholar. She is known for starting her workday early and usually arrives at CISA headquarters no later than 7 a.m.

Easterly defended her focus on external relations in a statement to this publication.

“CISA is fundamentally a partnership agency; our ability to effectively protect and defend the critical infrastructure Americans rely on every day — much of which is owned by the private sector — is dependent on our ability to develop trust with our partners,” the statement said. “People don’t trust institutions; they trust people.”

A leader who has become a lightning rod

Easterly succeeded Chris Krebs, who spent time at Microsoft as director of cybersecurity policy. Krebs also worked in several leadership roles in DHS and headed up the directorate that preceded CISA. He too became a high-profile figure during his tenure, especially as Washington became more concerned about election security and online disinformation. And then, in 2020, President Trump famously fired him via Twitter for disputing claims of election fraud, giving him a whole new level of notoriety.

Krebs told this publication that Easterly’s focus on the speaking circuit makes sense given the “almost exclusively voluntary nature of [CISA’s] engagement with the private sector as well as state and local governments.”

He said that when he held Easterly’s role, he frequently made speaking appearances, usually in small towns. “The future of CISA is in the field — reverse engineer that and it means it’s not sitting at a desk in Washington, D.C., all day, every day,” he said. But many of the sources CyberScoop and FedScoop spoke with said Krebs remained more plugged into agency specifics than Easterly.

“I don’t think that they’ve done enough to execute their mission at CISA,” said a former senior CISA official who now works with the agency frequently on behalf of industry. “Leadership is still in that mindset of let’s market this thing so we can create it. You’ve gotta stop chasing tweets and start actually doing things … They’re going to have Congress down their throat soon, the train is coming full speed in their direction.”

When appearing in public, Easterly often cuts a different figure than a typical government official. She’s known to swap the standard-issue government suit for a T-shirt and jeans and often signs Rubik’s Cubes, which have become something of a calling card. For an agency that’s not well known outside the beltway and needs to form partnerships with private sector organizations, that PR work is an essential part of her job, Easterly’s defenders argue.

To be sure, women in power are often attacked and marginalized for being strong leaders and taking on highly visible public roles. Nonetheless, many of the people CyberScoop and FedScoop spoke with said their criticism of Easterly’s speaking engagements isn’t personal and instead reflects serious concern over the challenges CISA confronts and the need for more leadership from the top.

Complaints about Easterly’s public persona don’t surprise Jim Lewis, director of the Strategic Technologies Program at the Center for Strategic and International Studies. But that doesn’t make it fair either, he said.

“The technical community is always unhappy because they feel like the spotlight should be on them,” he said. “They’re the true guardians of cybersecurity … . She’s actually got a good technical background. So, to say there’s a complaint from the technical community it’s like, ‘So what else is new?’ You’re never going to be happy because the person they want doesn’t exist. They want someone who has executive experience and a great public persona, but also happens to be an uber-geek and uber-geeks don’t come with great leadership skills and great public skills.”

Many CISA employees said they wouldn’t take issue with Easterly’s PR focus if there was less discontent inside the agency. For example, the mood at CISA virtual town halls is such a concern that questions are typically limited ahead of time. As a result, some staffers have taken to asking Easterly hostile questions left anonymously in the town hall Zoom chat. After Easterly told CISA staff they would be held accountable for their work in one such virtual meeting, an employee went to the chat to ask how leadership is being held accountable. Easterly told the anonymous staffer, “If you don’t like it here, you can leave,” according to someone in the meeting.

A senior CISA official said Easterly has devoted town halls to workplace issues such as mental health, burnout prevention and inclusion and diversity. She also makes herself available to staff through weekly one-on-one office hours. The official noted that CISA’s Federal Employee Viewpoint Survey scores are higher than the average for government agencies.

A tense relationship with DHS

Easterly’s style also has led to tensions with Alejandro Mayorkas, Homeland Security secretary, two people familiar with the relationship told this publication.

Mayorkas and his team were incensed after they learned Easterly lobbied Congressional Republicans on the Cyber Incident Reporting for Critical Infrastructure Act that passed in September, two sources said. Easterly did so without getting sign off from Mayorkas or his top advisers first, according to the federal cyber official and an external CISA partner. The official said the incident hurt Easterly’s relationship with Mayorkas because the secretary and his top advisers at DHS determine the department’s political priorities.

Other interviewees said DHS bears some responsibility for CISA’s struggles. One prominent Washington cybersecurity expert defended Easterly, saying she has had “scant support” from DHS leadership.

“If the secretary’s team had come in and said, ‘Yeah, it’s important to get cyber right, we’re gonna support Jen to get this organization — which is still in its infancy — reworked,’ I think she might have had a chance to show more progress than she has,” the expert said.

A DHS spokesperson declined to comment on the incident with Congressional Republicans but provided this publication with a statement that Mayorkas is “incredibly proud” of the work done by CISA and that he believes Easterly’s “leadership and vision have been and will continue to be instrumental.” A senior CISA official sent a similar statement about Mayorkas.

Easterly did inherit plenty of problems. She is charged with running an agency that needs more in-house technical talent and therefore relies on a significant number of contractors. A former senior CISA official who now works with the agency on behalf of industry said contractors are often left struggling to understand what CISA wants. “It’s almost impossible to work for them and everyone in the industry knows it,” the person said. “Our biggest frustration is that they don’t communicate with contractors. Congress is throwing [money] at them and it’s not clear what they’re doing with it.”

Beyond that, CISA is fighting to manage major structural challenges caused by a slow-moving DHS and the control it exercises over many hiring and technology acquisitions, former CISA employees and outside cyber experts said. In fact, Rep. Langevin told CyberScoop he sees the benefit of CISA gaining more independence from DHS and said he would like Congress to study the issue.

“It seems to me to make sense that if CISA had its own hiring authority, as well as ability to purchase equipment, it would give them greater agility and flexibility to move more quickly,” Langevin said. He added that he believes CISA is headed in the right direction and that he supports Easterly.

Technical shortcomings take a toll

There are other challenges, too. Almost everyone interviewed for this story said the agency is hampered by the fact that CISA is divided across six divisions and between the field staff and headquarters. The split structure and CISA’s constrained ability to acquire technology limits the deployment of new software across the entire enterprise, according to a source with direct knowledge of the agency’s technology operations.

“What often happens is that individual teams manage their own infrastructure,” the source said. “That’s a [spending] problem, but it’s also a security problem because it means there is no central place for oversight to happen.”

CISA officials acknowledge the issue: One of four key objectives in the strategic plan released in September is “agency unification” so that CISA business operations will be “mutually supportive across all divisions” and “governance [and] management” functions will be integrated.

In one example of how this lack of cohesion plays out, each of the six divisions relies on different databases for analysis of critical infrastructure cyber trends, incidents and vulnerabilities without the ability to work in an agency-wide database, according to a former senior CISA employee and a current employee at the agency.

“Think about how much analysis we could get done if we weren’t trying to access six different repositories and rationalize the data and cut and paste from PDFs,” the current employee said.

Other CISA staff and observers said the agency sometimes prematurely stands up or rebrands existing initiatives. CISA’s Joint Cyber Defense Collaborative (JCDC) is a good example of an initiative the agency rebranded with mixed results, according to multiple sources, including two who partner with JCDC.

A CISA spokesperson sent CyberScoop and FedScoop a blog post Easterly wrote about the JCDC in September. The post highlights CISA’s work on Log4Shell, noting that the DHS-led Cyber Safety Review Board report on the incident credited JCDC as an “important catalyst for information sharing to address the threat.” The post said that JCDC members provided 17 threat analyses and that a related vulnerability guidance web page garnered more than 300,000 page views in its first three weeks.

Still, two of JCDC’s technical partners and a top cybersecurity expert in Washington said industry government affairs’ employees and lawyers are heavily involved in the center’s work, something they view as a problem. “None of us share anything anymore,” one of the JCDC technical partners said. “It turned out that we were just broadcasting to a channel of lawyers.”

The JCDC technical partner also said that security researchers, industry and others collaborate on an “operational” Slack platform that does not currently have much traffic. The general channel populated by more than 500 people had just 12 posts from Dec. 1 through this Tuesday and multiple other smaller single-subject channels where operational work happens were similarly quiet, the JCDC partner said. (A senior CISA official said the agency is “pleased with the subject matter expertise and level of engagement that our industry partners have provided.”)

“When it comes to operational collaboration, as opposed to indicators and warning, I think there’s still a need to evolve the JCDC,” said Megan Stifel, a former cybersecurity director at the National Security Council and currently the chief strategy officer at the Institute for Security and Technology. Still, she said, CISA is making good progress overall.

In general, many critics say CISA is focusing too much energy on building alliances with major industry players and large corporate partners. The relationships are often one-sided, said Bryson Bort, CEO of SCYTHE and a former adviser to Easterly’s predecessor Krebs.Ultimately, he said, these types of organizations have well-resourced cybersecurity teams to defend their interests, and often aren’t sharing significant information with CISA about current threats.

“Meanwhile, there’s a $1 billion asset community bank somewhere getting completely f—ed and CISA doesn’t know they exist, and they don’t know that CISA exists,” Bort said. “That’s the challenge.”



Leave a Reply