CISA Cybersecurity Strategic Plan emphasizes collaboration, innovation, service, accountability


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published Friday its Cybersecurity Strategic Plan FY2024-2026, which outlines the agency’s central role in advancing toward a future where robust collaboration is the norm. The plan also works to rebalance the responsibility for cybersecurity to be more effective and more equitable. The agency yet again highlighted the need to change how technology products are designed and developed so that exploitable conditions are uncommon and secure controls are enabled before products reach the market.

“We must quickly detect adversaries, incidents, and vulnerabilities, and enable timely mitigation before harm occurs,” CISA said in its Cybersecurity Strategic Plan document. “We must help organizations, particularly those that are ‘target rich, resource poor,’ take the fewest possible steps to drive the most security impact. Recognizing that we will not prevent every intrusion, we must ensure that our most essential services are resilient under all conditions, with particular focus on under-resourced communities where loss of key services can have the greatest impact. Most importantly, we must do it together, recognizing that true collaboration is the only path toward a more secure future,” it added. 

CISA identifies that addressing “immediate threats will enable us to prioritize investment in the security controls, measures, and capabilities that most effectively reduce risks. In turn, as we provide guidance and services that help organizations reduce their enterprise risk, we will be able to more clearly define the attributes of a safe and secure technology product.” 

The agency added that “as we advance security across the product lifecycle, we will force threat actors to adopt more time-consuming and expensive tactics, reducing the prevalence of attacks. It is only through this virtuous cycle that we will make necessary progress.”

The cybersecurity agency prescribed three goals – address immediate threats; harden the terrain; and drive security at scale. 

The agency calls upon agencies to address threats by making it increasingly difficult for adversaries to achieve their goals by targeting American and allied networks. “We will work with partners to gain visibility into the breadth of intrusions targeting our country, enable the disruption of threat actor campaigns, ensure that adversaries are rapidly evicted when intrusions occur, and accelerate mitigation of exploitable conditions that adversaries recurringly exploit,” the plan added.

It recommends hardening the terrain by catalyzing, supporting, and measuring the adoption of strong practices for security and resilience that measurably reduce the likelihood of damaging intrusions. “We will provide actionable and usable guidance and direction that helps organizations prioritize the most effective security investments first and leverage scalable assessments to evaluate progress by organizations, critical infrastructure sectors, and the nation.”

The CISA Strategic Plan aims to drive security at scale by prioritizing cybersecurity as a fundamental safety issue and asking more technology providers to build security into products throughout their lifecycle, ship products with secure defaults, and foster radical transparency in their security practices so that customers clearly understand the risks they are accepting by using each product. 

“Even as we confront the challenge of unsafe technology products, we must ensure that the future is more secure than the present — including by looking ahead to reduce the risks and fully leverage the benefits posed by artificial intelligence and the advance of quantum-relevant computing,” the Strategic Plan added. “Recognizing that a secure future is dependent first on our people, we will do our part to build a national cybersecurity workforce that can address the threats of tomorrow and reflects the diversity of our country.”

It added that “as we progress toward these goals, we must embody the hacker spirit, thinking creatively and innovating in every aspect of our work. The ongoing work of CISA’s workforce—our threat hunters, vulnerability analysts, operational planners, regionally deployed cybersecurity advisors, and others—epitomize this collaborative spirit.”

The CISA Cybersecurity Strategic Plan aligns nine objectives to specific enabling measures and measures of effectiveness to drive accountability. The objectives are to increase visibility into, and ability to disrupt, cybersecurity threats and campaigns; coordinate disclosure of, hunt for, and drive mitigation of critical and exploitable vulnerabilities; plan for, exercise, and execute joint cyber defense operations and coordinate the response to significant cybersecurity incidents; and understand how attacks really occur—and how to stop them.

It also aims to drive implementation of measurably effective cybersecurity investments; provide cybersecurity capabilities and services that fill gaps and help measure progress; drive the development of trustworthy technology products; understand and reduce cybersecurity risks posed by emerging technologies; and contribute to efforts to build a national cyber workforce.

In its conclusion, CISA outlined that through the implementation of this strategy, “we will first focus our efforts and energy to ensure our core cybersecurity functions are executed to the greatest effect. We must get the fundamentals right. We will optimize our cyber defense operations to identify, prevent, and address acute threats and vulnerabilities, and mitigate incidents more quickly. We will provide innovative shared services to directly address risks as well as actionable and practical guidance that helps defenders prioritize investments to address the most likely and impactful threats.”

“But we know this is not enough. We will drive progress toward a future where technology is purposely designed, built, tested, and maintained to significantly reduce the number of exploitable flaws before it is introduced to the market for broad use,” the Strategic Plan added. “We will take steps to shift the burden for security to those who can bear it. And we will do it together. The risks are severe and mounting, the hurdles are high. But they are surmountable. Through our shared efforts, we will shift the arc of national risk and create a safer future for generations to come.”

Earlier this year, the U.S. administration released a National Cybersecurity Strategy, identifying a deep and enduring collaboration among stakeholders across the nation’s digital ecosystem. The move serves as a foundation for making a path to resilience in cyberspace more inherently defensible, resilient, and aligned with the country’s values. It also imposes additional mandates on organizations that control the majority of the nation’s digital infrastructure, with an enhanced government role in upsetting hackers and state-sponsored entities.
