Increasing visibility into cyber threats to quickly stop intrusions, strengthening resilience through actionable guidance, and confronting the challenge of technology products that don’t have security baked in are core goals that must be innovatively executed to stay ahead of cyber threats, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency said in its new Cybersecurity Strategic Plan 2024-2026.
“CISA’s Strategic Plan continues a pleasant trend of the administration of publishing strategic documents designed to guide programmatic efforts, align ends, ways and means, and communicate publicly and with stakeholders about priorities,” Bob Kolasky, who led CISA’s National Risk Management Center as one of the agency’s assistant directors, told HSToday. “Ensuring alignment between overall administration strategy and agency efforts is important and CISA’s plan acknowledges the linkage.”
CISA Executive Assistant Director for Cybersecurity Eric Goldstein wrote on the agency’s website that the strategy “goes beyond overarching goals and spells out specific measures of effectiveness – not just measuring whether we’ve done the work, but whether the work is making our country more secure.”
“We must change how we design and develop technology products, such that exploitable conditions are uncommon and secure controls are enabled before products reach the market. We must quickly detect adversaries, incidents, and vulnerabilities, and enable timely mitigation before harm occurs. We must help organizations, particularly those that are ‘target rich, resource poor,’ take the fewest possible steps to drive the most security impact,” the strategy states. “Recognizing that we will not prevent every intrusion, we must ensure that our most essential services are resilient under all conditions, with particular focus on under-resourced communities where loss of key services can have the greatest impact. Most importantly, we must do it together, recognizing that true collaboration is the only path toward a more secure future.”
The plan “will serve as a keystone for implementation, resource, and operational planning” and collaboration guide for stakeholders including federal agencies, critical infrastructure sectors, key technology providers, and “target rich, resource poor entities where federal assistance and support is most needed” while underscoring that cybersecurity is a whole of CISA mission, a whole of government mission, and a whole of nation mission. Prioritization of resources “with rigor and humility” is emphasized “to make prudent tradeoffs where necessary to maximize our contributions.”
“Where we determine that a given program, service, or capability is not resulting in expected impacts, we will be disciplined in ‘failing fast’ and making best use of our resources to pivot with agility,” the plan adds.
Former CISA Senior Advisor Katherine Ledesma told HSToday that she continues “to be encouraged by a consistent focus on a whole-of-nation approach to collective defense in recent strategy documents across the executive branch.”
“As CISA’s Cybersecurity Strategic Plan acknowledges, the challenge is too big for one organization and the private sector is on the front lines of this fight, right along with our government partners,” she said. “We are in the best position as a nation to manage this risk by leveraging the agility and subject matter expertise in industry, along with that of our government partners.”
Ledesma said that the plan’s identification of key tech providers as priority stakeholders is critical because they “are a vital part of the ecosystem.”
“I’m also really encouraged to see Industrial Control System and Operational Technology uniquely acknowledged,” she added. “These specialized computers and networks interact with the physical world to control processes and devices in our infrastructure and have risk profiles that are unique to the IT environment.”
The agency’s Strategic Plan 2023-2025, released last September, was anchored by goals to strengthen cyber defenses, increase resilience, build and grow critical partnerships, and nurture its workforce to thrive as “One CISA.” That iteration of the agency’s roadmap built on and aligned with the DHS Strategic Plan for Fiscal Years 2020–2024, with a focus on promoting “unity of effort across the agency and our partners” and defining “success for CISA as an agency.” The new revision of the plan acknowledges from the outset its alignment with the 2023 National Cybersecurity Strategy.
“Among the areas that I found most interesting was articulating Measures of Effectiveness because it demonstrates how CISA is going to assess success and allows for tracking and accountability,” said Kolasky, an HSToday Editorial Board member.
The previous strategic plan was divided into four goals rooted in CISA’s core values of collaboration, innovation, service, and accountability: cyber defense, risk reduction and resilience, operational collaboration, and agency unification through integrated functions, capabilities, and workforce.
The new plan is centered around three goals. The first, address immediate threats, includes the objectives of increasing visibility into cybersecurity threats and campaigns and strengthening the ability to mitigate those threats, coordinating the disclosure of and hunt for critical and exploitable vulnerabilities while driving mitigation, and planning for, exercising, and executing joint cyber defense operations and coordinating the response to significant cybersecurity incidents.
“We must increase the costs borne by transgressors and increase friction for malicious activities by leading a national effort defined by speed and scale: when an adversary compromises an American network, they are rapidly detected and evicted before damage occurs; when an exploitable condition manifests, it is similarly detected and remediated before an intrusion takes place,” the document says.
“I am glad to see a focus on enhancing visibility into intrusions and adversary campaigns as a foundational capability for producing and sharing actionable and accurate analysis and insights with owners and operators of critical infrastructure,” Ledesma said. “In fact, in the Strategic Plan, CISA specifically recognizes that increasing operational visibility must be done in partnership with other government partners and the private sector, leveraging partner data sources, industry tools and analytic capabilities.”
The second goal to “harden the terrain” promises “clear, actionable guidance, by using all available levers to influence risk decisions of organizational leaders, by providing best-in-class services that help ‘target rich, resource poor’ entities address gaps in their security programs, and by continuously measuring the state of American cybersecurity to understand areas for needed focus and investment, all informed by our understanding of the adversaries.” Objectives within this goal are to better understand how attacks really occur and how to stop them, drive implementation of measurably effective cybersecurity investments, and provide cybersecurity capabilities and services that fill gaps and help measure progress.
“The reality is, we can’t harden all infrastructure sufficiently to prevent all cyber attacks. The attack surface is too great,” Ledesma said. “The Strategic Plan acknowledges this, by not only including measures to enhance prevention efforts, but objectives that ‘reduce the likelihood of damaging intrusions’ and support swift incident remediation and impact mitigation. That is true resilience.”
The final goal is to “drive security at scale” as “we can no longer accept a model where every technology product is vulnerable the moment it is released and where the overwhelming burden for security lies with individual organizations and users.” Objectives are to drive development of trustworthy technology products, understand and reduce cybersecurity risks posed by emergent technologies, and contribute to efforts to build a national cyber workforce.
Kolasky stressed that this goal “is the most innovative aspect of the Strategic Plan and puts further meat on the bone of CISA’s leadership call for Secure-by-Design and Secure-by-Default.”
“I was pleased to see the recognition that cybersecurity and safety are interrelated to each other and the willingness to blend the objectives, which the government sometimes unnecessarily keeps separate,” he said.
Ledesma noted that “even as the threat landscape increases and cybersecurity investments climb across government and industry, one reality that we all face is that resources are finite.”
“As a community, we are doing a better job than ever in making the business case for security investments, both at the strategic and operational level,” she said. “We saw this in the National Cybersecurity Strategy, and the new CISA Strategic Plan includes measures of effectiveness to assess the plan’s ‘impact in reducing cybersecurity risk.’ It is also noteworthy that the plan expresses a ‘strong bias … to leverage commercially-available tools and services,’ pursuing in-house capabilities only where the commercial market does not provide viable solutions.”
The strategic plan concludes by noting that “together with our partners, we hope to look back on 2023 as the point when the trajectory of national cybersecurity risk began to change for the better.”
“Through the implementation of this strategy, we will first focus our efforts and energy to ensure our core cybersecurity functions are executed to the greatest effect,” the CISA plan says. “We must get the fundamentals right.”