CISA's head was fired. How a leadership vacancy impacts the private sector

The federal government is playing catch-up in cyber and its leaders know it. The Cybersecurity & Infrastructure Security Agency (CISA) succeeded DHS's National Protection and Programs Directorate (NPPD) in 2018 to bolster cyber resilience across sectors.

Chris Krebs worked in the private sector before he joined DHS in 2017 and was confirmed by voice vote in the Senate in 2018 for CISA. He's left a mark on the agency as its first director overseeing two secure elections.

Cyberspace Solarium Commission Co-Chair Sen. Angus King, I-Maine, commended Krebs's efforts, alongside Director of the U.S. National Security Agency Paul Nakasone for work that resulted in a "boring" Election Day.

But in the days following the election, Krebs was criticized by President Donald Trump for assuring the integrity of the election amid the president's legal disputes. Trump tweeted Krebs's termination Tuesday night.

"Chris Krebs did his job and did it extremely well. The country is safer and our last two elections were secure from foreign interference because of his leadership," said Rep. Mike Gallagher, R-Wisconsin and co-chair of the Cyberspace Solarium Commission, in an emailed statement to Cybersecurity Dive. Krebs worked with King and Gallagher to finalize the nonpartisan Commission's inaugural report this year.

"We want working at CISA to become so appealing to young professionals interested in national service that it competes with the NSA, the FBI, Google, and Facebook for top-level talent (and wins)."

Cyberspace Solarium Commission's 2020 report

While Krebs's termination won't change CISA's mission, it might have unintended consequences on how the federal government acquires cyber talent. Krebs's firing could discourage applicants from wanting to work in federal spaces.

"I would not want to be a cybersecurity staff person at any level in the federal government or in any state government where the governor behaves like the current president," said Dr. Donald F. Norris, professor emeritus of Public Policy at the University of Maryland, Baltimore County. "Politicizing cyber is something I thought I'd never see."

Prior to working within DHS, Krebs was director for Cybersecurity Policy in Microsoft's U.S. Government Affairs. The federal government already struggles with attracting and retaining technology and cyber talent when the private sector offers larger salaries. The federal government is "not optimized to be quick or agile," while private sector companies are, according to the Cyberspace Solarium Commission's report.

The U.S. government has always had an issue luring talent away from the private sector. As it stands, "I know that most, if not all, of my colleagues would currently pass on opportunities in the public sector, which is a shame," said Joe Saunders, CEO of RunSafe Security.

The Cyberspace Solarium Commission estimates there are more than 33,000 unfilled cybersecurity positions in the U.S. government. CISA was supposed to help change that.

CISA is meant to be the "lead agency for federal cybersecurity and the private sector’s preferred partner. We want working at CISA to become so appealing to young professionals interested in national service that it competes with the NSA, the FBI, Google, and Facebook for top-level talent (and wins)," the Cyberspace Solarium Commission's report says.

Because the pandemic opened up the possibility of remote work, it "opens up the aperture for our hiring significantly," CISA's Former Assistant Director for Cybersecurity Bryan Ware said during a virtual FedScoop's Security Transformation Summit this week, before he departed the agency. But government officials are already concerned about the ripple effect it might have on existing CISA and cybersecurity personnel.

"Chris was fired and Bryan forced out for telling the truth and doing their job," said Suzanne Spaulding, senior adviser at DHS, International Security Program and Cyberspace Solarium Commission member, in a statement. The termination might result in national security professionals "tailoring" assessments for individuals.

Mass exodus

Krebs wasn't the only high-profile name to depart the agency this week. Ware resigned Nov. 12 and Deputy Director Matthew Travis exited following Krebs's dismissal on Tuesday. Brandon Wales, executive director of CISA is taking over Krebs's leadership in an acting capacity. Wales, who is a civil servant, can't be fired in the same capacity as Krebs, according to CyberScoop.

Ware told CyberScoop Wales is stepping into a $2 billion startup "whose entire leadership team was just decapitated in the last week," but Wales is "the best guy for the job."

While there is always agency turnover when administrations change, cybersecurity "will not go away," said Jonathan Reiber, senior director for Cybersecurity Strategy and Policy at AttackIQ and former chief strategy officer for Cyber Policy in the Office of the U.S. Secretary of Defense under the Obama administration. The partnership between sectors is a "pre-eminent requirement for effective national cybersecurity."

But with CISA's leadership uncertain, the impact on the relationship the agency cultivated with the private sector is not yet clear.

Because the federal government relies on companies as buyers and sellers, it "shapes the playing field for cybersecurity [at] large," said Saunders. "The real power is in setting the agenda, standards, requirements and acquisition regulations."

If companies lose confidence in the standards promoted by agencies, it will ripple through other areas of collaboration, including information sharing, Saunders said.

Cross-sector reliance

Together, CISA and companies are creating layered cyber deterrence. The agency's existence is "almost exclusively for, and measured its success, by brokering a strong partnership with the private sector," said Jerry Ray, COO of SecureAge. Due to the work done under Krebs, it's unlikely those relationships will quickly deteriorate. "The reasons behind the firing of Krebs did nothing to tarnish the image of him or the agency."

One or two people do not make or break an agency and its progress, but depending on who takes over CISA's leadership before the Biden administration takes office in January, it will impact the strength of those relationships. "Any lack of integrity or loss of trust could turn off both current and potential partners," said Ray.

The market received a signal saying, "don't take this job and you can't trust us."

Joe Saunders

CEO of RunSafe Security

Because the private sector owns most of the U.S.'s critical infrastructure, the federal government relies on its participation in cyber deterrence. Outside of election security, CISA has made "equally important" but "less publicized" contributions in protecting U.S. critical infrastructure, King said in a statement Tuesday night. "We should be empowering Chris and his team to do more, not punishing them for doing their job."

During the pandemic, CISA increased its information-sharing structure with the pharmaceutical industry while it worked to develop COVID-19 vaccinations. CISA is currently deploying sensors in pharma networks for threat hunting, said Ware, during the FedScoop event. "We've really taken this pandemic as an opportunity to pilot out, learn from, and really work with industry to come alongside them and help protect them."

While Operation Warp Speed, the project designated to safely deliver a vaccine, will continue, there are some residual fears CISA's leadership turnover might have on information sharing. The market received a signal saying, "don't take this job and you can't trust us," Saunders said.