As he retires after two decades at Homeland Security, Brandon Wales reflects on CISA’s future

Brandon Wales sails into the sunset this week.

The outgoing executive director of the Cybersecurity and Infrastructure Security Agency (CISA), Wales will leave the Department of Homeland Security after almost two decades of service.

In that time, he has held a litany of key positions — even temporarily leading CISA following the 2020 presidential election after its chief was fired for debunking the false conspiracy theories pushed by former President Donald Trump and his allies. That stint saw him steer CISA through the sprawling SolarWinds compromise that impacted several federal agencies.

Recorded Future News spoke to Wales last week about CISA’s future, election security efforts and evolving threats, like ransomware and the notorious Chinese hacking operation Volt Typhoon — neither of which, he says, are going away anytime soon.

This conversation has been edited for length and clarity.

Recorded Future News: Where do you see CISA? Do you agree with people like former Rep. John Katko (R-N.Y.) who argued it needs to be a $5 billion agency?

Brandon Wales: I absolutely agree with former representative Katko that this agency needs to continue to grow, because the nature of the threats, the complexity of the challenges that we face, require it. The scale of, for example, Chinese cyber compromises of U.S. critical infrastructure highlights the urgent need that we have to scale up our capabilities to be able to address the threat that they pose.

But how do we get to $5 billion? How do we grow smartly to make sure that we do so in a way where we’re continuing to build deep expertise, that we’re hiring the right people that we can effectively use our resources?

It’s okay if it’s not doubling year over year but thinking about how you grow smartly as an organization is the right conversation.

I have seen this agency grow over the last 19 years that I've been part of the department, from a couple of hundred million dollars back in 2005 when I first started, to a $3 billion agency today. We have grown smartly. This agency is very capable of continued growth in the near term to meet the needs that this country has.

RFN: You mentioned China. Has anything the U.S. has done to date regarding Volt Typhoon changed Beijing’s behavior?

BW: China continues to target U.S. critical infrastructure. 

The exposing of the Volt Typhoon efforts has obviously resulted in changes in tactics, the tradecraft that they're using, but we know that they are continuing every day to try to compromise U.S. critical infrastructure.

If we want to get ahead of this challenge, we need to make sure that our technology backbone is more secure by design, more secure by default, more secure in operation. But right now, we know that they're continuing to hit us. They want to get into our systems and we need to urgently meet that challenge.

RFN: Is this something the U.S. government can ever declare victory on?

BW: Until a malicious actor, like the PRC [People’s Republic of China] government's cyber actors, decide that they no longer want to target our infrastructure, we're not going to be able to easily declare victory.

RFN: What do you see as the key takeaways from the recent CrowdStrike outage?

BW: We should never let any incident happen where we're not taking lessons from it.

We are going to take lessons away from the CrowdStrike update outage, including things that they're putting out in terms of how they could have better tested their updates. There are things that we are seeing in terms of the overall resilience of our critical infrastructure.

The IT outage associated with CrowdStrike highlighted that a lot of our systems are simply not resilient against these types of disruptions.

We need to think through how do we architect our systems to be more resilient? How do we examine the types of systems that had more of their computers affected and ones that had less?

How do we learn lessons from those so that we can get that advice out there and provide it so that our partners in the private sector can continue to build and make better decisions when it comes to their security and their IT architectures?

RFN: Turning to election security, how will CISA’s work this presidential cycle compare to previous campaign cycles? 

BW: The demand signal from our election officials has changed and evolved over time, and we need to meet them where they are.

In the wake of the Russian attempts to compromise election systems in 2016 there was an initial, huge focus between 2016 and 2020 on building up the cybersecurity of election systems, because it was not something that was a high priority.

That work continues to this day, but right now, when you talk to election officials, the primary threat that they're concerned about is physical threats to polling places and election officials. 

Over the past several years, we have increased the amount of support that we have provided to to state local governments in helping them assess the security at locations, either storage locations where they store equipment or election offices, polling locations, we have provided training to thousands of election officials around the country on things like how to respond to active shooter events, how to de-escalate if someone comes into your office or a polling location who might be considering violence. 

RFN: What is CISA doing in terms of collaboration with social media firms this year following the recent Supreme Court ruling? Has the lawsuit changed the agency's approach? 

BW: The lawsuit has not fundamentally changed what CISA has been doing this election cycle. 

We have met with some social media platforms, along with other parts of the U.S. government, and that information sharing is designed just to understand what they're seeing on their networks, and what we are seeing in terms of foreign adversaries present on those networks, what foreign adversaries are trying to accomplish. 

CISA is not in the business of trying to spot specific instances of disinformation on platforms. We're not the ones who share specific cases of foreign disinformation on platforms. That's handled by other parts of the U.S. government. Our job is to look more broadly at the overall information ecosystem so that we are available to help amplify the voices of local election officials as they battle with disinformation that could affect the American people's ability to get accurate information about the election.

At the end of the day, the social media platforms themselves are the ones that are going to be responsible for what's on their platform, what type of content they're willing to tolerate, what violates their terms of service. They'll make those decisions and CISA's not in the middle of that.

RFN: So are you getting anything from X, Facebook and others?

BW: I'm not going to answer questions about specific platforms and what they're sharing with us.

RFN: Where do you see the threat of ransomware going in the next few years? Will it ever recede or is it now a part of daily life?

BW: It’s an excellent question because we have not cracked the code on addressing the threat of ransomware at scale, and, where we have been able to address it, the adversary has been able to change tactics. 

For example, you see far more data theft and extortion today, in part because companies have gotten a lot better at things like backing up their network and backing up their systems in non-networked ways. That has reduced the impacts of things like encryption events through ransomware. 

But I think more fundamentally, your question gets to the challenge that we have not undermined the business model. As long as the business model continues to be lucrative, ransomware actors will continue to execute these attacks wherever they think they could get a payday.

I will say that the work that CISA is doing that tries to move this problem upstream, to try to address the underlying vulnerabilities in our technology ecosystem, is one way in which we can get ahead of this problem at scale.

There are ways to drive this ransomware scourge down to more manageable levels, but it’s going to require a fundamental change in the technology ecosystem that underpins modern life. At the same time, the government is going to continue to take action to try to disrupt the broader business model and to disrupt the actions of these criminal organizations.