Business Continuity Management / Disaster Recovery , Critical Infrastructure Security , Cybercrime
House Bill Seeks to Insulate CISA Director From PoliticsBipartisan Measure Would Give Cybersecurity Agency Leader 5-Year Term
A bipartisan group of lawmakers is looking to better insulate the director of the U.S. Cybersecurity and Infrastructure Security Agency from political pressure by giving the position a defined five-year term that could keep the agency's leader in place even when presidential administrations change, according to a copy of the bill.
The legislation, called the CISA Leadership Act, would codify the CISA director's position as lasting five years and also reaffirm that the position will be appointed by the president but require approval by the U.S. Senate, the bill states.
Currently, the position of CISA director has an undefined term. Under the bill, however, it would have a set term, in the same way the FBI director is appointed to a 10-year term following Senate approval.
Rep. Andrew Garbarino, R-N.Y., who is the ranking member for the House Homeland Security's Cybersecurity, Infrastructure Protection, and Innovation Subcommittee, says the bill is designed to ensure that CISA's director can prepare for cyber incidents without political interference and across different administrations if needed.
"With cyberattacks on the rise, CISA, the lead federal civilian cybersecurity agency for the United States, needs consistent and stable leadership presiding over our nation’s cyber preparedness," Garbarino says. "This bipartisan bill will remove any uncertainty from the CISA director role so that the director can focus squarely on strengthening our cyber posture."
The bill has also attracted bipartisan support in the House, including from Rep. Bennie Thompson, D-Miss, who is the chair of the full House Homeland Security Committee, and Yvette Clark, D-N.Y., who is the chairman of the Cybersecurity, Infrastructure Protection, and Innovation Subcommittee.
"The Cybersecurity and Infrastructure Security Agency is the lynchpin for federal government cybersecurity and for coordinating the protection of our critical infrastructure. That is not a responsibility that should be taken lightly," says Rep. Jim Langevin, D-R.I., who also serves on the Homeland Security Committee. "By creating five-year terms for CISA’s director, the CISA Leadership Act ensures that this critical agency is a step removed from the day-to-day politics of Washington."
While the House bill was introduced earlier this month, a similar bill in the Senate, called the Defense of United States Infrastructure Act, would also create a five-year term for the position of CISA director. The Senate bill, introduced in July, has the backing of Sens. Angus King, I-Maine; Mike Rounds, R-S.D.; and Ben Sasse, R-Neb.
CISA and Politics
The issue of politics interfering with the director of CISA was brought home in the weeks following the November 2020 U.S. elections when then-President Donald Trump fired Christopher Krebs from the agency (see: Trump Fires Christopher Krebs, Head of CISA).
Before he was fired, Krebs released a statement calling the 2020 elections "the most secure in American history," which appeared to counter assertions by Trump and his supporters that the election was rife with fraud and rigged against the former president, according to a report in The New York Times.
Langevin told The Washington Post that the firing of Krebs following the election is one reason to insulate the CISA director from political pressure. "It should raise everybody’s eyebrows if a CISA director is removed in that way," the congressman says.
Protecting CISA from politics also has support from security experts in the private sector.
"This type of legislation is fundamentally important for the continuity of the nation's cybersecurity leadership," says Tom Kellermann, the head of cybersecurity strategy for VMware and a member of the Cyber Investigations Advisory Board for the U.S. Secret Service."
CISA After Krebs
After Trump fired Krebs in November 2020, CISA remained without a Senate-confirmed director until Jen Easterly officially took over the agency in July following her confirmation hearing. Even then, Easterly's appointment was held up for several weeks by Sen. Rick Scott, R-Fla., following a dispute over President Joe Biden's immigration policies (see: US Senate Approves Jen Easterly as CISA Director).
Since then, Easterly has worked to build her staff and on Tuesday she announced that Kiersten E. Todt, who is the managing director of the Cyber Readiness Institute, would join CISA as chief of staff.
In the time between Krebs' firing and Easterly's appointment, the U.S. experienced several significant cyber incidents, including the SolarWinds supply chain attack, which came to light in December 2020, and several ransomware attacks, including one that targeted Colonial Pipeline Co. in May.
And while CISA has a role in defending the nation against these types of attacks, not everyone thinks that a specific term is needed for the director position. Phil Reitinger, the president and CEO of the Global Cyber Alliance, says this type of statutory term for the agency's director might be "premature."
"The environment and organization are evolving very fast, and I'd lean toward flexibility in term right now," Reitinger says. "There is also the question of influence: Does a 'nonpolitical' CISA director have more or less influence with the president and administration? I worry that a CISA director with a statutory term would have less."