CISA Cybersecurity Advisory Committee recommends chief people officer post, launch of ‘311’ national campaign

The Cybersecurity and Infrastructure Security Agency (CISA) held its third Cybersecurity Advisory Committee meeting in Austin, Texas. The members met and provided updates and key recommendations to CISA Director Jen Easterly on the work of its six subcommittees. These recommendations will now be reviewed by the director, who will provide a response to the subcommittee recommendations.

“I was thrilled to host CISA’s Cybersecurity Advisory Committee today in Austin to discuss the recommendations from Committee members that will help ensure that CISA is the cyber defense agency that this country truly needs and deserves,” Easterly said in a statement. “I couldn’t be more grateful for the Committee’s partnership and look forward to closely studying their recommendations. With their guidance and the great work of the CISA team, we will help CISA fulfill its mission of ensuring the security and resilience of our critical infrastructure.”  

Easterly also assigned the Committee a new topic for their advice, specifically that they assess the feasibility and key characteristics of a national alert system for cyber risk. The goal of this capability would be to provide a clear and simple method to convey the current severity of national cybersecurity risk to America’s critical infrastructure owners and operators, taking advantage of the unique insights from CISA’s analysis of evolving threat activity and global partners.

The system would complement CISA’s existing production of alerts and advisories on specific, actionable risks. The move comes as Easterly and Chris Inglis, the National Cyber Director, wrote in an op-ed post this month that “we will never stop defending cyberspace, maintaining a maximum alert posture is not sustainable over a long period of time, and could lead to vigilance fatigue — the opposite of what we are aiming for in building a collective cyberdefense.”

Director Easterly looks forward to the Committee’s evaluation of the operational efficacy of a national cyber alert capability. 

The Cybersecurity Advisory Committee is made up of experts on cybersecurity, technology, risk management, privacy, and resilience, and held its inaugural meeting last December. In the intervening six months, Committee members have brought their unique experiences, perspectives, and insights to bear and provided recommendations on the development and refinement of CISA’s cybersecurity programs and policies.

The mission of the Committee is to advise, consult with, report, and make recommendations to CISA on the development, refinement, and implementation of policies, programs, planning, and training pertaining to the agency’s cybersecurity mission. The focus of the subcommittees has primarily been on IT network-associated considerations, on the assumption that these decisions would apply to operational technology (OT) and control systems as well.

The Cybersecurity Advisory Committee members provided tangible updates on the work of the subcommittees. The ‘Transforming the Cyber Workforce Subcommittee’ is focused on building a comprehensive strategy to identify and develop the best pipelines for talent, expand all forms of diversity, and develop retention efforts to keep our best people, according to Ron Green, chief security officer at Mastercard. 

“During today’s meeting, the subcommittee recommended that CISA prioritize its strategic workforce development; dramatically improve its talent acquisition process to be more competitive with the private sector; radically expand recruitment efforts to identify candidates across their professional lifecycle; and leverage talent identification and hiring success through interagency collaboration,” according to Green. “They also recommended creating a new position in CISA, a Chief People Officer,” he added.

The ‘Turning the Corner on Cyber Hygiene Subcommittee’ is “helping us think through and execute a holistic, scaled approach to ensure that all organizations – public or private, large or small – have the information and resources needed to implement essential security practices,” George Stathakopoulos, vice president of corporate information security at Apple, said. “During today’s meeting, the subcommittee chair outlined its 3 key recommendations. The subcommittee recommended that CISA launch a ‘311’ national campaign, to provide an emergency call line and clinics for assistance following cyber incidents for small and medium businesses.” 

Stathakopoulos also said that the subcommittee recommended that CISA build out its current multi-factor authentication (MFA) campaign by identifying additional vehicles for publicizing the ‘More Than A Password’ campaign, including reaching out to nonprofits, educational institutions, fellow government partners, and the extended cybersecurity community to amplify the importance of MFA. “Lastly, they recommend CISA takes all available steps to ensure that companies working with the Federal Government fully adopt MFA by 2025,” he added.

The Technical Advisory Council said that its subcommittee is helping further catalyze CISA’s relationship with the technical community to shift the balance in favor of network defenders.

“During today’s meeting, the subcommittee chair recommended that CISA develop incentives and access to information to aid security researchers who will submit vulnerabilities affecting critical systems; encourage an environment that works to enable frustration-free vulnerability research and reporting; invest in a central platform to facilitate the intake of suspect vulnerabilities and communication between security researchers, agencies, and vendors; and improve the notification processes after a disclosure has been verified and acted on,” Jeff Moss, founder and president, DEFCON Communications, said. The subcommittee also recommended that CISA simplify the reporting process and provide feedback to those reporting vulnerabilities. 

The ‘Protecting Critical Infrastructure from Mis-, Dis- and Mal-information (MDM) Subcommittee’ is evaluating and providing recommendations on CISA’s role in confronting MDM harmful to critical infrastructure, in particular election infrastructure, according to Dr. Kate Starbird, Associate Professor, Human Centered Design & Engineering, University of Washington. “During today’s meeting, the subcommittee chair recommended that CISA focus on addressing MDM risks that undermine critical functions of American society. As part of this work, the subcommittee recommends that CISA should invest in external research to assess the impact of MDM threats and the efficacy of its MDM mitigation efforts.”

The ‘Building Resilience and Reducing Systemic Risk to Critical Infrastructure Subcommittee’ is helping CISA determine how to best drive national risk management and identify the criteria for a scalable, analytic model to guide risk prioritization, Tom Fanning, chairman, president and CEO, Southern Company, said. “During today’s meeting, the subcommittee chair discussed how they are scoping the best frameworks to collaborate with industry to identify systemic risks across National Critical Functions including the need to hold tabletop exercises with critical infrastructure partners. The subcommittee plans to provide their recommendations at a future meeting,” he added.

The ‘Strategic Communications Subcommittee’ is focused on expanding CISA’s reach with critical partners to help build a national culture of cyber resilience, Niloofar Razi Howe, board member at Tenable, said. “During today’s meeting, the subcommittee chair discussed their recommendations, which included an expansion of CISA’s ‘More Than A Password’ MFA campaign to include a corporate partnership program with Fortune 500 companies. They also recommended CISA launch a ‘311’ national campaign, to provide an emergency call line and clinics for assistance following a cyber incident,” she added.

The Cybersecurity Advisory Committee had last met in April and is now slated to next meet virtually on Sept. 13, 2022.
