The independence and importance of the top U.S. domestic cybersecurity agency, the Cybersecurity and Infrastructure Security Agency (CISA), is headline news, leading late-night monologues, and receiving full-throated bipartisan support from leaders of the House and Senate. President Donald Trump’s firing of CISA Director Chris Krebs with a single tweet, after the agency and a national council of election-cybersecurity committees essentially refuted the president’s unsubstantiated claims of polling irregularities, opened a window of opportunity for the incoming Biden administration and Congress. The rising national profile of CISA, as Krebs gives primetime interviews and Trump responds again on Twitter, provides political capital that Biden and Congress should seize to establish CISA as an independent regulatory agency and thereby help it fully achieve its mission of protecting the nation’s critical infrastructure.
An independent, regulatory CISA was needed long before this political episode. CISA is more than an election-security agency; it is responsible for supporting the cybersecurity of the nation’s critical infrastructure, which provides everything from water and energy to transportation and information technology. Such infrastructure is, as CISA explains, “so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” CISA provides threat intelligence and key cybersecurity offerings such as penetration testing, industrial-control assessments, and incident-response training that many infrastructure providers and state, local, tribal, and territorial authorities could not afford otherwise.
Transforming CISA into an independent, regulatory agency would require three necessary steps: elevating CISA out of the Department of Homeland Security (DHS) into its own independent agency, reformatting CISA’s leadership structure into a commission protected by for-cause removal, and providing regulatory authority over critical infrastructure sectors that lack oversight.
Independence From DHS
CISA must be elevated out of DHS into an independent agency because national cybersecurity resilience demands it. Twenty-three federal entities are responsible for various aspects of national cybersecurity, but there are increasing calls for centralized responsibility and accountability for national cybersecurity policy. The U.S. Government Accountability Office (GAO), for instance, cited in 2020 “an urgent need to clearly define a central leadership role to coordinate government efforts. Despite the issuance of a National Cyber Strategy in 2018, it is still unclear which executive branch official is ultimately responsible for not only coordinating implementation of the strategy, but also holding federal agencies accountable once activities are implemented.”
In response to this need for a central leader on cybersecurity strategy in the federal government, the congressionally authorized and chaired U.S. Cyber Solarium Commission was clear that “[t]he key is CISA, which we have tried to [elevate and] empower as the lead agency for federal cybersecurity and the private sector’s preferred partner.” When Philip Reitinger, the former top official for CISA’s predecessor, the National Protection and Programs Directorate, critiqued the commission’s call for a new Office of National Cyber Director in order to elevate cyber, he closed with a “simpler solution: give CISA a larger budget and stronger authorities, as the commission recommends elsewhere. And if that is not enough, then make CISA an independent, Cabinet-level agency with direct access to the president.”
A DHS-independent CISA could successfully become the central authority for the numerous GAO and U.S. Cyber Solarium Commission recommendations to promote national resilience, reshape the cyber ecosystem toward greater security, and operationalize cybersecurity collaboration with the private sector.
The general drawbacks of establishing a new agency are well-known in the field of bureaucratic politics and organizational theory or by anyone who has spent too much time in the food courts of U.S. House and Senate office buildings: money, time, and turf. But elevating CISA into an independent agency avoids the typical drawbacks. CISA is already a standalone federal agency within DHS on par with the Secret Service or the Federal Emergency Management Agency. A promotion out of the DHS conglomerate is a straightforward organizational lift.
Independence via For-Cause Removal
As Trump has made obvious, cybersecurity has direct political valence. Having the top federal official for election security (or other critical infrastructure) be fireable without cause is clearly a flaw in need of a remedy. Not only can the CISA director be fired for challenging the president’s misinformation that the election was insecure, but it doesn’t take a long memory to imagine the CISA director being fired for honestly disclosing that there was foreign election interference in favor of a newly elected president (even if it did not necessarily determine the outcome).
The president ought to be able to remove the nation’s most senior cybersecurity official only “for cause” due to inefficiency, neglect of duty, and malfeasance in office. To ensure CISA’s leadership has this for-cause removal protection, CISA must have a multi-member commission, not a single director, per the Supreme Court’s recent decision in Seila Law v. Consumer Financial Protection Bureau. (The court will likely clarify this holding in a similar case this term, Mnuchin v. Collins.) If CISA is promoted out of DHS into a freestanding independent agency, especially one with regulatory authority, then Seila Law requires CISA to have a multi-member commission to receive for-cause removal protection.
Even if the goal were solely to have the CISA director receive removal protection from the president while leaving it within DHS with its current authorities, Seila Law would still require a multi-member commission. Chief Justice John Roberts recognized “only two exceptions to the President’s unrestricted removal power”: expert agencies with multi-member commissions and inferior officers with narrowly defined duties. CISA is already an expert agency with broadly defined duties, so it is difficult to imagine the Supreme Court analogizing CISA to the only high-level inferior officer ever upheld as being protected by for-cause removal, an independent counsel.
To be clear, this is not “political” independence. Multi-member commissions are constitutionally allowed to have for-cause removal protection, but they are traditionally required to have a balance of commissioners based on their political allegiances. In fact, party polarization increasingly defines the relationship between the president and the nation’s independent commissions and even the relationships among the commissioners themselves, which could undermine the united front that brought CISA so much capital in this election cycle. However, certain institutional design improvements could provide better insulation.
Nor is a commission inherently a better option than a single director. This is simply the forced choice of Seila Law between an independent commission and an unprotected, but more efficient, single director. Empirical legal studies have shown that independent commissions are “working as well as [they] can” in a time of intense party polarization. Commissioners are staying in office through the ends of their terms, limiting presidential control, and the structure resists presidential efforts to stack independent commissions with their preferences. But single-director agencies, in comparison, are more efficient at accomplishing statutory mandates with clearer lines of accountability.
In truth, these real-world tradeoffs may increase the likelihood of establishing an independent commission governing CISA. Those concerned about the president removing the nation’s top cybersecurity administrator without cause would get their requested for-cause removal, while those concerned about overregulation will receive a commission less efficient than a single director. A natural compromise.
Regulation
An empowered and independent CISA should include some regulatory muscle. Today, the federal government largely relies on voluntary compliance with cybersecurity standards by immense and largely privately owned critical infrastructure. But while the American public and the U.S. economy rely on private-sector cybersecurity, the sector has only minimally adopted the standards established by the National Institute of Standards and Technology (NIST). GAO explained in 2018, and reiterated in 2020, that the federal sector-specific agencies responsible for critical infrastructure do not even have qualitative or quantitative measures of private-sector adoption of the NIST Cybersecurity Framework, and that the voluntary nature of the framework is an impediment to collecting such information. Providing CISA with regulatory oversight for critical infrastructure cybersecurity is long overdue.
The harder question is which parts of U.S. critical infrastructure would come under CISA’s purview. Some critical infrastructure is already heavily regulated from a cyber perspective by sectoral regulators. For example, the financial services sector is overseen by the Department of the Treasury and the Federal Reserve. Taking away that oversight and replacing these regulators with CISA is not necessary at this point and would walk straight into a turf war.
The immediate goal should be to raise the level of cybersecurity in critical infrastructure by providing more oversight of sectors that currently have no good cyber regulator. As CISA already serves as lead agency for protecting eight of the 16 critical-infrastructure sectors, that is where its regulatory jurisdiction should begin: chemical, commercial facilities, communications, critical manufacturing, dams, emergency services, information technology, and nuclear reactors, materials, and waste, plus the elections subsector.
Some concern is merited that regulation might reduce information-sharing. But this is not an argument against regulation, which is clearly needed. Instead, CISA must continue to develop better benefits for critical-infrastructure providers who coordinate. In the run-up to the 2020 election, GAO found that elections officials appreciated CISA’s free cybersecurity services, spoke highly of their expertise and availability, and believed that CISA’s “cybersecurity assistance has helped them to assure voters that elections in their states are secure or to promote election security efforts.” These CISA-aided cybersecurity efforts helped election-cybersecurity committees be confident enough to refute the president’s unsubstantiated claims of polling irregularities.
The incoming Biden administration and Congress should seize the day and quickly establish CISA as an independent regulatory agency outside of DHS, led by a multi-member commission protected with for-cause removal requirements, and provided with regulatory authority.