Recruiting and retaining talent — not organization — is the Cybersecurity and Infrastructure Security Agency’s biggest challenge currently, Jeh Johnson, former Department of Homeland Security secretary, said Wednesday.
Altering CISA‘s structure after it successfully secured the 2020 election would be a mistake. But the agency needs to do a better job convincing potential hires to serve their country rather than making a buck at companies like Goldman Sachs and Citigroup or the defense industry, Johnson said.
Johnson’s comments came during a hearing of the House Appropriations Homeland Security Subcommittee, in response to Rep. Dutch Ruppersberger‘s, D-Md., musing that perhaps CISA should be spun off from the Department of Homeland Security — much like Space Force was from the Air Force — in light of recent cyberthreats. The SolarWinds hack discovered in December compromised at least nine federal agencies and was perhaps “the most devastating cyberattack” in U.S. history. But CISA is “going in the right direction” and should focus on its workforce, Johnson said.
“Some of our best cybersecurity people were stolen away by the financial services sector, who could pay them two or three times what the government pays them,” he said.
Former Homeland Security Secretary Mike Chertoff echoed Johnson that turnover, particularly at the leadership level, has been a destabilizing force across DHS of late.
The Trump administration’s focus on border security was “treated in many ways as the only issue,” to the detriment of DHS’s other missions responding to newer threats, Chertoff said.
“As demonstrated by SolarWinds and other attacks — including an attack on a water system in Florida — cyberattacks are becoming more dangerous and more frequent,” he said. “Adequately funding and giving more authorities to CISA, working with the Secret Service to respond to those attacks, is probably the No. 1 hazard that requires urgent action.”
Chertoff said it would be a “serious mistake” to remove either agency from DHS, given that physical security is often compromised ahead of cyberattacks.
For now, CISA’s place inside DHS seems assured, with Congress recently appropriating an extra $650 million in the American Rescue Plan Act for the agency.
Ruppersberger also expressed concern about CISA’s delay in submitting a quadrennial Homeland Security review (QHSR) to Congress for resource planning purposes.
“Regrettably the executive branch often does not take congressional deadlines seriously,” Johnson said. “The last QHSR — it was supposed to be every five years — was the one that I helped write in 2014.”