Threat Management, Governance, Risk and Compliance

Former CISA head calls for new legislation to crack down on insider threats

Share
Former Cybersecurity and Infrastructure Security Agency Director Chris Krebs elbow bumps Trump campaign attorney James Troupis (L), while Trump campaign attorney Jesse Binnall (R) looks on following a Senate Homeland Security and Governmental Affairs hearing. Krebs said he supports Congress passing enhanced insider threat program requirements on f...

Former Department of Homeland Security cyber chief Chris Krebs said he recommended to lawmakers legislation that would impose enhanced requirements for federal contractors around their insider threat programs.

Speaking remotely at the Insider Risk Summit Tuesday, Krebs noted that federal contractors are already required to have an insider threat program in place, but said he has been urging members of Congress to explore further measures that would open up communication channels between contractors and government and provide more visibility over how those programs are being managed and enforced.

“When you’re talking about companies that are providing a service to the federal government – not just the Department of Defense but the civilian agencies as well – I would expect to see enhanced requirements not just on the external threat management but also insider threat management,” said Krebs. “One of the things that I’ve suggested to some of the legislators up on the Hill is: look we can put demands on industry all day long…but we’re not doing enough on the structural, the organizational piece,” he said. “What we need to do is be thinking more about what the governance mechanisms are for a federal contractor or key supplier of a critical component to the government. What does their plumbing look like internally?”

As a corollary, he pointed to provisions in the Oil Pollution Act passed after the Exxon Valdez oil spill in 1989 that required all facilities and vessels to have a response plan for future spills as well as a qualified employee on standby 24/7 to communicate with the government on future accidents.

Asked specifically if he thought Congress would eventually pass broad requirements for all U.S. companies to do the same, he said “I don’t think so. I don’t think we’ll get there,” citing the financial and security struggles of many small and medium sized businesses who may already struggle to put more fundamental security processes in place, but he also thinks such rules could be effective for larger, public companies.

“I think that’s entirely sensible at a bare minimum for federal contractors, but I suspect that’s also a requirement that we should think through for publicly traded companies where the Securities and Exchange Commission has more authority and the ability to turn dials and require.

Krebs, who served as Director of the Cybersecurity and Infrastructure Security Agency under President Donald Trump, was eventually fired in late 2020 after refusing to support false and unproven claims of fraud during the 2020 elections. The firing (as well as attempts by the Trump administration to pressure Krebs and the agency to go along with the claims or at least keep quiet about debunking them) led to substantial concern and discussion among lawmakers in Congress about how to prevent a key federal agency from being captured or compromised by politics in the future.

In the past, Krebs, who shepherded CISA through its inception and creation, said he intentionally made the executive director position – third in the agency’s hierarchy – a career civil service position to prevent a complete decapitation of CISA’s leadership in the event political pressure was exerted.

One result of those discussions is bipartisan legislation reintroduced this year that would establish a five year term for the CISA Director. However, like the FBI director, which has a statutory 10-year-term, it doesn’t mean a future president would be prevented from firing their CISA chief, but it does seek to create a norm that would mean the tenure of appointees would likely span from one administration to the next.

Some co-sponsors, like Rep. Jim Langevin, D-R.I., have specifically raised the specter of Krebs’ as the impetus for the legislation. However, on Tuesday another cosponsor, Rep. John Katko, R-N.Y., did not cite or mention CISA at all when asked why the legislation was needed. Instead, he answered “stability” and then pointed to other agencies that had experienced rocky leadership changes in the past.

“You look at the FBI director who has similar terms, and others do. I was able to get one for the TSA director to stabilize that agency. Look, before we got that bill at TSA and the first years I was in Congress, I think there were six directors of the TSA, some temporary, some enacted, some appointed,” said Katko. “But you need that stability [at CISA] in defense of our nation, so to have that five year term is very important for our stability and to cultivate the proper workforce.”

A previous version of the legislation introduced last year did not pass into law, but Katko said he and other lawmakers will continue bringing it up and looking for legislative vehicles to hitch a ride on if necessary.

“Hope springs eternal. You keep pushing it, if it doesn't go right, if it doesn't get [in] this term, I'm going to keep introducing it until it gets passed, and if we can get it attached to another bill we're going to do that as well,” he said.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.