CISA’s Cybersecurity Advisory Committee meets, now set to build resilience and reduce systemic risk

The Cybersecurity and Infrastructure Security Agency (CISA) held its fourth Cybersecurity Advisory Committee meeting this week, with members updating the agency on the work carried out by the subcommittees. In addition, two of the seven subcommittees – Protecting Critical Infrastructure from Mis-, Dis-, and Malinformation (MDM) and Building Resilience and Reducing Systemic Risk to Critical Infrastructure – provided new recommendations to Jen Easterly, CISA director.

“The Committee continues to provide thoughtful recommendations, and I look forward to their continued partnership as we strive to ensure CISA has the right strategy in place to prepare for, respond to, and mitigate cybersecurity threats to our nation’s critical infrastructure,” Easterly said in a media statement. “I was especially pleased to receive recommendations from our subcommittees specializing in protecting election infrastructure from the threat of foreign malign disinformation and from our experts on building resilience and reducing systemic risk.” 

Easterly added that the insight from these recommendations, and the thoughts of the full committee, promise to make CISA the cyber defense agency that the nation deserves.

The committee also held a closed session for an operational discussion addressing areas of critical cybersecurity vulnerabilities and priorities for CISA. Government officials were expected to share sensitive information with the Cybersecurity Advisory Committee members on initiatives and future security requirements for assessing cyber risks to critical infrastructure.

During this week’s meeting, the Transforming the Cyber Workforce Subcommittee, presented by Ron Green, chief security officer at Mastercard, said that the subcommittee is focused on building a comprehensive strategy to identify and develop the best pipelines for talent, expand all forms of diversity, and develop retention efforts to keep its best people. The subcommittee chair went on to discuss how the subcommittee is working to refine the recommendations initially made to Easterly during the June meeting.

Easterly said that CISA expects to hire a Chief People Officer in the coming months to improve the agency’s talent acquisition process.

The Turning the Corner on Cyber Hygiene Subcommittee, presented by George Stathakopoulos, Apple’s vice president of corporate information security, said that the subcommittee is “helping us think through and execute a holistic, scaled approach to ensure that all organizations – public or private, large or small – have the information and resources needed to implement essential security practices.” 

The subcommittee chair during the meeting provided refinements of the recommendations made to Easterly during the June meeting of the Cybersecurity Advisory Committee. 

“In June, the subcommittee recommended that CISA launch a ‘311’ national campaign, to provide an emergency call line and clinics for assistance following cyber incidents for small and medium businesses,” the CISA said. “The subcommittee also recommended that CISA build out its current multi-factor authentication (MFA) campaign, ‘More Than A Password,’ by identifying additional vehicles for publicizing it, including reaching out to nonprofits, educational institutions, fellow government partners, and the extended cybersecurity community. Lastly, they recommended CISA take all available steps to ensure that companies fully adopt MFA by 2025,” it added.

CISA executive assistant director Eric Goldstein discussed how the Technical Advisory Council, under the leadership of Jeff Moss, is working to catalyze CISA’s relationship with the technical community, and assist the Cybersecurity Advisory Committee in providing the agency with recommendations for improving its collaboration with the research community on a more tactical level. This includes methods for identifying specific vulnerabilities and improving coordination on broader vulnerability disclosures.

The Protecting Critical Infrastructure from MDM Subcommittee is evaluating and providing recommendations on CISA’s role in confronting MDM harmful to critical infrastructure, in particular election infrastructure. Presented by Suzanne Spaulding, senior advisor for Homeland Security at CSIS, the subcommittee recommended that CISA work with the Intelligence Community (IC) and the Federal Bureau of Investigation to ensure that the information needs of election officials around foreign disinformation threats are prioritized.

The subcommittee also emphasized the essential role courts play in ensuring the resolution of disputes about the election process and ensuring the peaceful transfer of power, and that they, too, may be the target of an intensified campaign to undermine public trust in the legitimacy of their processes. Given their essential role, the subcommittee stated that CISA should share relevant information around foreign hacking and disinformation attacks with the courts, and that the IC include adversary activity targeting the courts in the collection and analysis priorities related to elections.

The Building Resilience and Reducing Systemic Risk to Critical Infrastructure Subcommittee, presented by Tom Fanning, chairman, president and CEO at Southern Company, said that the subcommittee is helping CISA determine how to best drive national risk management and identify the criteria for a scalable, analytic model to guide risk prioritization. “During today’s meeting, the subcommittee chair outlined their recommendations to improve national risk management, highlighting the varying levels of maturity across critical infrastructure sectors, insufficient scope for national resiliency outcomes, and underutilization of existing policy and regulatory approaches that address risk management,” the statement added.

The Strategic Communications Subcommittee, presented by Niloofar Razi Howe, board member at Tenable, said that the subcommittee is focused on expanding CISA’s reach with critical partners to help build a national culture of cyber resilience.

“During today’s meeting, Ms. Howe discussed how the subcommittee has been assessing the agency’s website redesign to ensure it meets the agency’s needs, and the needs of CISA’s stakeholders,” the CISA said. “The subcommittee is also assessing the agency’s redesign to ensure that the website reflects the mission and vision of the agency.” 

Howe also said that the subcommittee continues to refine and examine the recommendations it made to Easterly in June, which included expanding CISA’s ‘More Than A Password’ MFA campaign to include a corporate partnership program with Fortune 500 companies. The subcommittee also recommended that CISA launch a ‘311’ national campaign to provide an emergency call line and clinics for assistance following a cyber incident.

Easterly said she looks forward to reviewing the recommendations made during the Committee meeting and providing a response to the subcommittees.

So far, the subcommittees have focused primarily on IT network considerations, on the assumption that those decisions would apply equally to operational technology (OT) and control systems.

“For IT and OT networks, network security is necessary and sufficient; the discussions were relevant,” cybersecurity expert Joe Weiss wrote in an April blog post covering the Cybersecurity Advisory Committee meeting. “However, for control systems, network security is necessary but NOT sufficient. This is because control system devices often have lesser communication and security capabilities than IT and OT network technologies and it is those limitations that are not being addressed,” he added.

The next CISA Cybersecurity Advisory Committee meeting is scheduled for December.

CISA said last year that the month of November would be recognized as ‘Infrastructure Security Month 2021,’ focusing on the umbrella theme ‘Critical Infrastructure Security and Resilience: Build it In.’ The move is meant to serve as an annual effort to educate and engage at all levels, while reminding stakeholders how important it is to consider infrastructure security and resilience from the design concept through development and implementation.

Earlier this week, CISA released its first comprehensive plan of action to focus and guide the agency’s efforts over the next three years. The Strategic Plan communicates the agency’s mission and vision, promotes unity of effort across the agency and its partners, and defines success for CISA as an agency. It also focuses on reducing risk and building resilience to cyber and physical threats.
