In the weeks just before President Trump fired its leader, the federal Cybersecurity and Infrastructure Security Agency (CISA) was repeatedly flagged by the Homeland Security Department’s watchdog for poor performance, including inadequate physical security planning for election sites, poor intelligence sharing with its private and public partners and weak information security for its own systems, internal reports show.
The repeated Inspector General’s warnings in September and October about CISA — under then-Director Chris Krebs’ leadership — provide a stark contrast to Democrats’ and the news media’s portrayal of Krebs as a skilled leader whose firing jeopardized national security.
The internal memos, reviewed by Just the News, also provide some fodder to understand how the U.S. government could have failed to detect for nine months one of the largest cyberattacks in history, which was finally revealed earlier this month. CISA is primarily responsible for quarterbacking cybersecurity at civilian federal agencies.
“Risks to the Nation’s systems and networks continue to increase as security threats evolve and become more sophisticated. As such, the cyber threat information DHS provides to Federal agencies and private sector entities must be actionable to help better manage this growing threat,” the inspector general warned in one report earlier this fall. “Until CISA improves the quality of its information sharing, AIS participants remain restricted in their ability to safeguard their systems and the data they process from attack, loss, or compromise.”
The inspector general faulted CISA for failing to have adequate staff, resources and policies in place to complete its mission, even going as far as to suggest it was weaker in cybersecurity than some of its fellow Homeland agencies.
For instance, on Sept. 30, the Inspector General’s office reported that of three major Homeland Security offices audited, CISA had the lowest scores by far for information security, a remarkable irony given the agency’s cybersecurity mission. CISA earned the lowest rating of 1 in four of the six categories studied. In contrast, fellow agencies Immigration and Customs Enforcement (ICE) and Customs and Border Patrol (CBP) achieved a score of 4 or 5 in all but two of the categories.
“CISA’s overall information security program was not effective,” the inspector general reported, scolding the agency for having “not yet developed component specific policies, procedures, and business processes as required by DHS policy.”
Just five days earlier, the DHS inspector general reported CISA met only the “basic requirements” of a 2015 law passed to improve America’s cyber defenses. That report strongly faulted CISA for failing to produce and distribute the sort of actionable intelligence that its cybersecurity partners need to fend off threats and attacks.
“CISA has made limited progress improving the overall quality of information it shares with AIS participants to effectively reduce cyber threats and protect against attacks,” the inspector general warned. “CISA’s lack of progress in improving the quality of information it shares can be attributed to a number of factors, such as limited numbers of AIS participants sharing cyber indicators with CISA, delays receiving cyber threat intelligence standards, and insufficient CISA office staff.”
It added: “To be more effective, CISA should hire the staff it needs to provide outreach, guidance, and training.”
In late October, just a couple of weeks before the Nov. 3 election, the inspector general’s office sounded another warning, reporting that while CISA had done a good job securing voting software systems from cybersecurity penetration, it had substantially ignored the physical security of polling and vote counting places.
CISA “has developed a set of plans and guidance aimed at securing election systems for the 2020 election cycle. But, the plans do not sufficiently mitigate other potential risks to physical security, terrorism threats, or targeted violence to the election infrastructure, nor do they identify dependencies on external stakeholders that impede mission performance,” the Oct. 22 report warned.
The warning contrasted with Krebs’ declaration that the 2020 elections were the safest and most secure in history, a boast that captured the wrath of President Trump and led to Krebs’ firing.
Krebs did not immediately return a call Monday seeking comment. But after his termination, Krebs testified before the Senate Homeland Security and Governmental Affairs Committee and doubled down on his election security claims, saying he was proud of his former agency’s work.
“The entire nationwide election infrastructure community worked diligently and effectively to make the 2020 election safe and secure,” he testified last week. “This achievement should be a great point of pride for the tireless efforts of so many thousands of elected officials and public servants.”
The IG’s election security report did not give as rosy an assessment, laying blame for CISA’s failures on a wide range of factors, some of which were external to the agency. “DHS senior leadership turnover and ongoing CISA reorganization have hindered CISA’s ability to enhance planning and effectively monitor its progress in securing the Nation’s election infrastructure,” the report said.
But the inspector general also blamed CISA’s own performance, declaring the agency “has not updated other critical plans or strategic documents concerning the election infrastructure” and failed to “include in its plans the priority actions cited” in the Homeland Security Department’s 2019 security framework.
The overall assessment was that CISA had created “inadequate DHS plans and strategies to support the 2020 election,” the inspector general said.
The failure of CISA to pay closer attention to physical security related to elections was echoed in other inspector general reports in 2020. For instance, a June report said CISA was doing a poor job sharing information with and securing commercial sector partners.
“CISA does not effectively coordinate and share best practices to enhance security across the commercial facilities sector,” the inspector general warned. “Specifically, CISA does not coordinate within DHS on security assessments to prevent potential overlap, does not always ensure completion of required After-Action Reports to share best practices with the commercial facilities sector, and does not adequately inform all commercial facility owners and operators of available DHS resources.”
In most of the IG reports, CISA accepted the conclusions and recommendations, including on election security. But Krebs expressed displeasure that the election report had been released just two weeks before Election Day.
“We are concerned that the release of the report less than one month before Election Day is problematic,” he wrote in a response letter to the inspector general. “We recommend adjusting the timeline of future audits to account for the entirety of an election cycle … CISA remains committed to defending our election infrastructure from foreign influence and physical threats and continues to make election security a top priority for the Department.”