Who will take over for Chris Krebs?
But who will be the next director? How will he or she help the agency make it up that ladder? I don’t have a crystal ball, and I certainly don’t claim to have inside knowledge, but if the Biden team wants to continue the CISA’s successes, they need to pick a strong replacement.
Krebs is best known for getting fired by Trump, but that is not his only success. He was a huge success as the first director of the CISA, formerly known (or not known) as the National Protection and Programs Directorate (NPPD). But does anyone remember what the NPPD was? Of course they don’t. And that was Krebs’ strongest contribution. He redefined the agency to focus on protecting and defending the cybersecurity and infrastructure security of the United States, and spun off noncore subagencies which focused on protecting government building and biometrics.
He accomplished this by pushing relentlessly for the rebranding of the agency from the NPPD to the CISA, becoming the face of an agency that didn’t have a name. Krebs’ work, perhaps most notably his final months with the agency fighting election misinformation and creating the bold Rumor Control website, put the CISA on the map. As a friend described it, it was like building the Federal Aviation Administration (FAA) with only air traffic controllers and no pilots, so his efforts are all the more laudable.
Now, as the incoming administration picks a new director, they have to choose someone who will deal with the CISA’s other problems—namely their disorganization and weakness within the government bureaucracy.
Constant reorganizations and personnel swapping, hiring problems and delays, and competing fiefdoms within the CISA continue to dog the agency as it attempts to grow from a largely forgotten Department of Homeland Security subsidiary, to the weighty counterpart to General Nakasone’s Cyber Command at the Pentagon. But the CISA director, with the mission of protecting federal government networks, coordinating public and private partnerships, and coordinating interagency efforts, has less than half the budget of Cyber Command. This stems from a concern within the halls of Congress, other agencies and sometimes the White House, that the CISA isn’t the DoD, and therefore isn’t qualified to handle more money or more responsibility. Today, Nakasone is more respected and more trusted on cyber than the CISA and that is a problem.
Whoever leads the CISA next must have the gravitas to go toe to toe with Nakasone and win. The perception of the CISA’s weakness and incompetence within the interagency—which sometimes is and sometimes isn’t earned—stems from weak internal discipline, disorganization and a lack of accountability. Policy making is confused and the people who technically have the pen are often overruled or ignored by other power players. The Cybersecurity Division has more power than any other division, which creates tension and resentment within the agency. And, year after year, the CISA enters a new stage of restructuring; often with well-meaning aims, but to no apparent effect.
The CISA does great work. But in order to become the true expert on cybersecurity for the nation and to climb that ladder of success, it needs a strong director who will deal with the internal squabbles and create a united front. This will fully establish the CISA as what it needs to be: the lead cybersecurity agency.
Image credit: Orhan Cam
