The Cybersecurity and Infrastructure Security Agency (CISA) held its third Cybersecurity Advisory Committee meeting in Austin, Texas, where Committee members met and provided updates and key recommendations to CISA Director Jen Easterly on the work of its six subcommittees.
The Committee, comprised of leading voices on cybersecurity, technology, risk management, privacy, and resilience, held its inaugural meeting in December 2021. In the intervening six months, Committee members have brought their unique experiences, perspectives and insights to bear and today provided recommendations on the development and refinement of CISA’s cybersecurity programs and policies. During Wednesday’s meeting, subcommittee chairs provided recommendations on key objectives outlined by the Director during the Committee’s inaugural meeting.
“I was thrilled to host CISA’s Cybersecurity Advisory Committee today in Austin to discuss the recommendations from Committee members that will help ensure that CISA is the cyber defense agency that this country truly needs and deserves,” said CISA Director Jen Easterly. “I couldn’t be more grateful for the Committee’s partnership and look forward to closely studying their recommendations. With their guidance and the great work of the CISA team, we will help CISA fulfill its mission of ensuring the security and resilience of our critical infrastructure.”
During the meeting, Committee members provided tangible updates on the work of their subcommittees:
- Transforming the Cyber Workforce Subcommittee, Presented by Mr. Ron Green, Chief Security Officer, Mastercard: The subcommittee is focused on building a comprehensive strategy to identify and develop the best pipelines for talent, expand all forms of diversity, and develop retention efforts to keep our best people. During today’s meeting the subcommittee recommended that CISA prioritize its strategic workforce development; dramatically improve its talent acquisition process to be more competitive with the private sector; radically expand recruitment efforts to identify candidates across their professional lifecycle; and leverage talent identification and hiring success through interagency collaboration. They also recommended creating a new position in CISA, a Chief People Officer.
- Turning the Corner on Cyber Hygiene Subcommittee, Presented by Mr. George Stathakopoulos, Vice President of Corporate Information Security, Apple: The subcommittee is helping us think through and execute a holistic, scaled approach to ensure that all organizations – public or private, large or small – have the information and resources needed to implement essential security practices. During today’s meeting the subcommittee chair outlined its three key recommendations. The subcommittee recommended that CISA launch a “311” national campaign to provide an emergency call line and clinics for assistance to small and medium businesses following cyber incidents. The subcommittee also recommended that CISA build out its current multi-factor authentication (MFA) campaign by identifying additional vehicles for publicizing its “More Than A Password” campaign, including reaching out to nonprofits, educational institutions, fellow government partners and the extended cybersecurity community to amplify the importance of MFA. Lastly, they recommended that CISA take all available steps to ensure that companies working with the Federal Government fully adopt MFA by 2025.
- The Technical Advisory Council, Presented by Mr. Jeff Moss, Founder and President, DEFCON Communications: The subcommittee is helping further catalyze CISA’s relationship with the technical community to shift the balance in favor of network defenders. During today’s meeting, the subcommittee chair recommended that CISA develop incentives and access to information to aid security researchers who will submit vulnerabilities affecting critical systems; encourage an environment that works to enable frustration-free vulnerability research and reporting; invest in a central platform to facilitate the intake of suspect vulnerabilities and communication between security researchers, agencies, and vendors; and improve the notification processes after a disclosure has been verified and acted on. The subcommittee also recommended that CISA simplify the reporting process and provide feedback to those reporting vulnerabilities.
- Protecting Critical Infrastructure from Mis-, Dis-, and Malinformation (MDM) Subcommittee, Presented by Dr. Kate Starbird, Associate Professor, Human Centered Design & Engineering, University of Washington: The subcommittee is evaluating and providing recommendations on CISA’s role in confronting MDM harmful to critical infrastructure, in particular election infrastructure. During today’s meeting the subcommittee chair recommended that CISA focus on addressing MDM risks that undermine critical functions of American society. As part of this work, the subcommittee recommends that CISA invest in external research to assess the impact of MDM threats and the efficacy of its MDM mitigation efforts.
- Building Resilience and Reducing Systemic Risk to Critical Infrastructure Subcommittee, Presented by Mr. Tom Fanning, Chairman, President and CEO, Southern Company: The subcommittee is helping CISA determine how best to drive national risk management and identify the criteria for a scalable, analytic model to guide risk prioritization. During today’s meeting, the subcommittee chair discussed how they are scoping the best frameworks for collaborating with industry to identify systemic risks across National Critical Functions, including the need to hold tabletop exercises with critical infrastructure partners. The subcommittee plans to provide its recommendations at a future meeting.
- Strategic Communications Subcommittee, Presented by Ms. Niloofar Razi Howe, Board Member, Tenable: The subcommittee is focused on expanding CISA’s reach with critical partners to help build a national culture of cyber resilience. During today’s meeting, the subcommittee chair discussed their recommendations, which included an expansion of CISA’s “More Than A Password” MFA campaign to include a corporate partnership program with Fortune 500 companies. They also recommended CISA launch a “311” national campaign, to provide an emergency call line and clinics for assistance following a cyber incident.
Director Easterly looks forward to reviewing the recommendations made during the Committee meeting and providing a response to the subcommittee recommendations.
Director Easterly was also pleased to assign the Committee a new topic for their advice, specifically that they assess the feasibility and key characteristics of a national alert system for cyber risk. The goal of this capability would be to provide a clear and simple method to convey the current severity of national cybersecurity risk to America’s critical infrastructure owners and operators taking advantage of the unique insights from CISA’s analysis of evolving threat activity and our global partners. This system would complement CISA’s existing production of alerts and advisories on specific, actionable risks. Director Easterly looks forward to the Committee’s evaluation of the operational efficacy of a national cyber alert capability.
The next Cybersecurity Advisory Committee will be held virtually on September 13, 2022. Details and information on how to attend will be forthcoming.
The full agenda from today’s meeting is available here. More information on CISA’s Cybersecurity Advisory Committee is available here.