Lawmakers Urge CISA to Devise Better Measures of Performance
Jen Easterly Tells Congress Quantifying Impact of CISA Spending Is Difficult to Do
U.S. lawmakers responsible for funding the Cybersecurity and Infrastructure Security Agency pressed its director Tuesday to demonstrate how its proposed $3.1 billion budget will generate tangible results.
The agency says its proposal will allow it to fund a workforce of nearly 4,000 positions to defend federal civilian networks and manage risks to critical infrastructure.
Directly measuring the effectiveness of cyber defense has been a wicked problem in policy circles for decades, since activity metrics such as the number of malicious attempts blocked or the percentage of systems patched don't necessarily demonstrate that a network is any safer.
"We are starting on this journey around how we measure not only things, activities or performance, but actually how we measure effectiveness," CISA Director Jen Easterly told a panel of the House Appropriations Subcommittee on Homeland Security. "We are on our journey to be able to give you very quantifiable metrics to allow us to articulate that return on investment," she told Rep. Dave Joyce, R-Ohio.
Rep. Henry Cuellar, D-Texas, said the federal government erred by allowing agencies to develop their own performance metrics rather than having agencies and Congress hammer out which metrics to focus on. Cuellar said too many of the metrics proposed by CISA and other federal agencies focus on measuring activity rather than measuring results. And too many federal agencies have come up with performance assessments that consist of little more than "patting themselves on the back," he added.
Easterly said CISA's strategic plan looks to measure outcomes and effectiveness rather than activities and performance, but acknowledged it can be hard to measure bad things not happening. One outcome Easterly said she hopes to measure in the current fiscal year is CISA's effectiveness in reducing ransomware incidents in target-rich, cyber-poor environments such as K-12 schools, hospitals and public utilities through outreach and free services (see: US CISA Official: 'Forcefully Nudge' Users to Adopt MFA).
"We're not looking for a certificate of participation," Easterly said. "We're looking to actually reduce risk to the nation."
Easterly said her agency's most critical programs for deterring attacks are the Cyber Analytics Data System, for which the budget request is $424.9 million; the Continuous Diagnostics and Mitigation Program, for which the budget request is $408.3 million; and implementation of the Cyber Incident Reporting for Critical Infrastructure Act, for which the budget seeks $97.7 million. The 2022 law requires CISA to develop regulations mandating that segments of critical infrastructure report cyber incidents to the government within 72 hours. The act also authorizes the agency to scan critical infrastructure organizations to detect ransomware vulnerabilities (see: US CISA to Warn Critical Infrastructure of Ransomware Risk).
Easterly also said CISA has deployed endpoint detection and response across civilian federal networks, allowing the agency to spot everything from malicious activity on networks to TikTok on federal government devices (see: US Official Reproaches Industry for Bad Cybersecurity).
"It allows us to understand if there are vulnerabilities that need to be remediated, but actually measuring that is a challenge," Easterly said.
'We Have Made Hiring a Top Priority Here'
The agency director said she has significantly increased the size of CISA's workforce since joining as director in July 2021, adding 516 new people in fiscal 2022 and targeting 600 new hires in the current fiscal year. By emphasizing CISA's mission and the stability of a federal job to counter the larger salaries prospective hires could command in the private sector, CISA is on track to have fewer than 8% of its positions vacant by September 2024.
"We have made hiring a top priority here," Easterly said. "We have used a full range of new authorities to enable us to be able to more quickly recruit people and then bring them into a culture where they feel like they can make impact."
Rep. Lauren Underwood, D-Ill., asked Easterly about the Republican proposal to cut federal spending back to fiscal 2022 levels, which Underwood said would result in a 13% reduction in the size of CISA's regional field force. Easterly said pushing CISA back to fiscal 2022 spending levels would severely restrict the agency's work with small critical infrastructure owners and operators around the country.
Over the past two years, Easterly said, CISA has significantly boosted its state- and field-level workforce focused on providing support to critical infrastructure organizations.
"I would be very concerned about any cuts to those capabilities, as well as any capabilities or things that we asked for, because that'll put us back in a pre-SolarWinds world where we'll lose that visibility that we've developed," Easterly said. "And that's harmful to our security innovation."