The Cybersecurity and Infrastructure Security Agency (CISA) held its fourth Cybersecurity Advisory Committee meeting, with Committee members providing updates to CISA Director Jen Easterly on the work of its subcommittees. Two of the subcommittees – Protecting Critical Infrastructure from Mis- Dis- and Mal (MDM) information and Building Resilience and Reducing Systemic Risk to Critical Infrastructure – provided new recommendations to the Director.
“The Committee members’ insight is incredibly valuable to our mission and will help drive CISA forward,” said CISA Director Jen Easterly. “The Committee continues to provide thoughtful recommendations, and I look forward to their continued partnership as we strive to ensure CISA has the right strategy in place to prepare for, respond to, and mitigate cybersecurity threats to our nation’s critical infrastructure. I was especially pleased to receive recommendations from our subcommittees specializing in protecting election infrastructure from the threat of foreign malign disinformation and from our experts on building resilience and reducing systemic risk. The insight from these recommendations, and the thoughts of the full committee, promise to make CISA the cyber defense agency this nation deserves.”
During today’s meeting, Committee members provided tangible updates on the work of their subcommittees:
- Transforming the Cyber Workforce Subcommittee, presented by Mr. Ron Green, Chief Security Officer, Mastercard: The subcommittee is focused on building a comprehensive strategy to identify and develop the best pipelines for talent, expand all forms of diversity, and develop retention efforts to keep our best people. During today’s meeting, the subcommittee chair discussed how they are working to refine the recommendations initially made to the CISA Director in June. Director Easterly announced that CISA expects to hire a Chief People Officer in the coming months to improve the agency’s talent acquisition process.
- Turning the Corner on Cyber Hygiene Subcommittee, presented by Mr. George Stathakopoulos, Vice President of Corporate Information Security, Apple: The subcommittee is helping us think through and execute a holistic, scaled approach to ensure that all organizations – public or private, large or small – have the information and resources needed to implement essential security practices. During today’s meeting, the subcommittee chair provided refinements of the recommendations made to the CISA Director during the third CSAC meeting in June. In June, the subcommittee recommended that CISA launch a “311” national campaign, to provide an emergency call line and clinics for assistance following cyber incidents for small and medium businesses. The subcommittee also recommended that CISA build out its current multi-factor authentication (MFA) campaign, “More Than A Password,” by identifying additional vehicles for publicizing it, including reaching out to nonprofits, educational institutions, fellow government partners, and the extended cybersecurity community. Lastly, they recommended CISA take all available steps to ensure that companies fully adopt MFA by 2025.
- The Technical Advisory Council. CISA Executive Assistant Director Eric Goldstein discussed how the Technical Advisory Council, under the leadership of Jeff Moss, is working to catalyze CISA’s relationship with the technical community, and to assist the CSAC in providing the agency with recommendations for improving its collaboration with the research community on a more tactical level. This includes methods for identifying specific vulnerabilities and improving coordination on broader vulnerability disclosures.
- Protecting Critical Infrastructure from Mis- Dis- and Mal (MDM) information Subcommittee, presented by Suzanne Spaulding, Senior Advisor for Homeland Security, CSIS: The subcommittee is evaluating and providing recommendations on CISA’s role in confronting MDM harmful to critical infrastructure, in particular election infrastructure. During today’s meeting, the subcommittee recommended that CISA work with the Intelligence Community (IC) and the Federal Bureau of Investigation, to ensure that the information needs of election officials around foreign disinformation threats are prioritized. The subcommittee also emphasized the essential role courts play in ensuring the resolution of disputes about the election process and ensuring the peaceful transfer of power, and that they, too, may be the target of an intensified campaign to undermine public trust in the legitimacy of their processes. Given their essential role, the subcommittee stated that CISA should share relevant information around foreign hacking and disinformation attacks with the courts, and that the IC include adversary activity targeting the courts in the collection and analysis priorities related to elections.
- Building Resilience and Reducing Systemic Risk to Critical Infrastructure Subcommittee, presented by Mr. Tom Fanning, Chairman, President and CEO, Southern Company: The subcommittee is helping CISA determine how to best drive national risk management and identify the criteria for a scalable, analytic model to guide risk prioritization. During today’s meeting, the subcommittee chair outlined their recommendations to improve national risk management, highlighting the varying levels of maturity across critical infrastructure sectors, insufficient scope for national resiliency outcomes, and underutilization of existing policy and regulatory approaches that address risk management.
- Strategic Communications Subcommittee, presented by Ms. Niloofar Razi Howe, Board Member, Tenable: The subcommittee is focused on expanding CISA’s reach with critical partners to help build a national culture of cyber resilience. During today’s meeting, Ms. Howe discussed how the subcommittee has been assessing the agency’s website redesign to ensure that it meets the agency’s needs and the needs of CISA’s stakeholders, and that the website reflects the mission and vision of the agency. Ms. Howe also noted that the subcommittee continues to examine and refine the recommendations it made to the CISA Director in June, which included that CISA’s “More Than A Password” MFA campaign include a corporate partnership program with Fortune 500 companies. The subcommittee also recommended that CISA launch a “311” national campaign to provide an emergency call line and clinics for assistance following a cyber incident.
Director Easterly looks forward to reviewing the recommendations made during today’s Committee meeting and providing a response to the subcommittee recommendations. The next CISA Cybersecurity Advisory Committee meeting will be held in December.
The full agenda from today’s meeting is available here. The Committee, which was established in 2021, was created to provide recommendations to CISA’s Director Jen Easterly that will help to advance the cybersecurity mission of CISA as well as strengthen the cybersecurity of the United States. More information on CISA’s Cybersecurity Advisory Committee is available here.