Last November, the former, somewhat awkwardly named National Protection and Programs Directorate (NPPD) was elevated within the U.S. Department of Homeland Security (DHS) to become the Cybersecurity and Infrastructure Security Agency (CISA) following enactment of the Cybersecurity and Infrastructure Security Agency Act of 2018. CISA is responsible for protecting the country’s critical infrastructure from physical and cyber threats, overseeing a host of cybersecurity-related activities. This includes operating the National Cybersecurity and Communications Integration Center (NCCIC), which provides round-the-clock situational awareness, analysis, incident response and cyber defense capabilities to the federal government, state, local, tribal and territorial governments, the private sector and international partners.

CISA made its first prominent mark as an independent agency during the 35-day government shutdown when, on January 22, it issued an unexpected, and to some a startling, emergency directive ordering admins at most government agencies to protect their domains against a wave of attacks on the domain name system (DNS) infrastructure. The directive was prompted by a number of DNS tampering efforts at multiple executive branch agencies. This malicious, complex and widespread campaign, dubbed DNSpionage by Cisco Talos, allowed suspected Iranian hackers to steal massive amounts of email passwords and other sensitive data from government offices and private sector entities.

Christopher Krebs serves as CISA’s first director. Krebs previously headed the NPPD as assistant secretary for infrastructure protection and joined DHS as a senior counselor to the secretary after working in the U.S.
Government Affairs team as the director for cybersecurity at Microsoft.

I caught up with Krebs last week ahead of his speech about the nation’s cybersecurity threats at this year’s RSA Conference to check in with him on how CISA is faring, its priorities and some timely cybersecurity supply-chain issues that swirl around the cybersecurity debate at the federal level.

CISA seeks to break down silos, organize regionally

Krebs says that he’s looking at the next year or two “to mature the organization and have it be the CISA we know it can be.” That requires a two-pronged approach to get the agency where it needs to go. The first prong is an organization plan to structure CISA to be its most effective, breaking down silos within the bureaucratic apparatus, flattening the organizational structure and integrating cybersecurity and physical security functions related to critical infrastructure.

Krebs also hopes to improve stakeholder engagement with the agency to deliver better customer service and reorganize the field structure of CISA’s hundreds of employees to look more like FEMA’s regional model with a regional director that can operate around regional priorities. Krebs believes this reorganization will give the agency improved economies of scale.

5 key priorities to protect critical infrastructure

The more substantive part of Krebs’ vision is to execute on a set of mission priorities, “five discrete lines of effort that have mission opportunity but also mission risk.” The most pressing of these priorities right now, according to Krebs, is “on China, supply chain and 5G and how are we going to engage managing risk going forward.” These priorities are tightly intertwined.

Keeping China, Russia out of critical networks and data

Krebs is referring to the mounting battle by the U.S.
to keep Chinese tech suppliers, most specifically telecom tech giant Huawei, out of critical networks including upcoming 5G mobile communications networks. According to press reports, the Administration was supposed to have issued an executive order banning Chinese telecom equipment from U.S. wireless networks before the end of February, although the order has yet to be issued.

As part of a defense spending authorization bill last year, executive agencies within the government are barred from using technology and equipment made by Huawei and another Chinese tech giant, ZTE. The fear driving the ban of Chinese tech suppliers is that by law they are beholden to the Chinese government and could potentially be required to incorporate spying and other malicious technology into their products as a consequence.

In a parallel set of developments, the DHS issued a binding operational directive against another foreign technology supplier, Russia’s cybersecurity leader Kaspersky Lab. Operational Directive 17-01, issued in September 2017, directed Federal Executive Branch departments and agencies to identify the use of Kaspersky’s security products, solutions and services and remove them from use.

In that directive, DHS says it was “concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks.”

Krebs says that DHS got positive feedback about the Kaspersky ban from the interagency process and from Congress. “From the Hill it was ‘what took you so long,’” Krebs says.
He adds that the agency’s decision regarding the Kaspersky ban broke down to three fundamental questions: What is the thing, what does it do and what does it have access to?

In terms of Kaspersky Lab’s hallmark product, its antivirus software, it has unfettered access throughout the machine and any information it collects would or could go back to Moscow. “What do we know about Russia with respect to intelligence services? They have access…the FSB and other intelligence services can require access to that information,” Krebs says. “That’s not a good posture to be in when you’re thinking of IT security.”

The same principle holds true when it comes to China or any other foreign technology supplier. A central question for Krebs and his agency when it comes to foreign suppliers is “what are the systems of value and rule of law that are in place in those countries? If I have product coming into my network from a nation-state that has contrary values to that of the U.S…it’s not something we can continue to tolerate, particularly in federal networks. The time to act was years ago.”

CISA looking into potential threats from foreign VPNs

Yet another area of possible Chinese supply chain threat was raised in a letter sent to Krebs on February 7 from Senators Ron Wyden (D-OR) and Marco Rubio (R-FL). They asked DHS to “conduct a threat assessment of the national security risks stemming from foreign virtual private network (VPN) apps.” The letter mentions three Chinese company-related VPNs: Dolphin, Yandex and Opera.
Citing the same kind of national security concerns that are raised about both Kaspersky Lab and Huawei, Wyden and Rubio have asked Krebs to issue a Binding Operational Directive prohibiting use of the VPNs on federal government smartphones and computers, assuming CISA finds them to be likewise national security risks.

Krebs acknowledges the Wyden-Rubio letter and says that CISA is looking at “any appliance that could pose a risk” and is planning to “get the right guidance to folks on their personal devices. It’s being actively looked at.”

Securing elections, government networks, ICS and physical assets are key priorities

Aside from these issues, four other mission priorities will keep CISA busy over the next two years. One obvious priority is election security. DHS ramped up efforts to protect the midterm 2018 elections, and Krebs says he is happy with the increased participation by stakeholders. However, he adds, “We recognize we have a significant challenge ahead of us in managing risks to the election system.”

Government network security is yet another mission priority, one that the DNS hijacking campaign directive reflects. “We’ve been able to harden federal networks and introduce more monitoring to look for that activity,” Krebs says. CISA’s efforts aren’t restricted to just the federal government. “We want to work with state and local partners in improving their cybersecurity” and “help get them where they need to be.”

Beefing up the security of industrial control systems (ICS) is also a CISA priority over the coming years. “The challenge here is that industrial control systems are that area in information security…that is a less mature space than information security.
In the ICS space we have a lot of ground to make up,” Krebs says.

Finally, CISA plans to intertwine more physical security issues into its efforts, looking at soft targets such as schools and stadiums to increase the efforts that can be taken to protect facilities. Krebs says that one of CISA’s advisors had worked with the synagogue in Pittsburgh that suffered the deadly shooting attack last summer in a way that ultimately saved lives.