PERSPECTIVE: Stabilizing the Cybersecurity and Infrastructure Security Agency Starts With These Critical Steps

The threats facing critical infrastructures have never been more serious, and the ability to defend against them is strained by limited resources. The key to CISA’s success will not be decided by a single policy, budget line, or leadership decision. It will be decided by the agency’s ability to maintain and strengthen its partnership with the industry that the country depends on. That was the essence of my April 29th testimony before the House Homeland Security Committee’s Cybersecurity and Infrastructure Protection Subcommittee.

The IT-ISAC has long considered the Cybersecurity and Infrastructure Security Agency (CISA) an essential partner, as we share a common mission of defending against today’s threats while planning for future risks. Although the agency’s partnerships are facing some headwinds, Acting CISA Director Nick Andersen has noted the important role of these partnerships in building and maintaining resilience. We remain committed to helping CISA succeed because when CISA succeeds, the country succeeds. 

But this partnership extends beyond CISA and industry. It requires Congress and the Administration to preserve and reinstitute policies and frameworks that have been proven to be effective. My testimony highlighted specific steps that can be taken to stabilize CISA and renew the public-private partnership. These include:

  • Implement a Replacement for the Critical Infrastructure Partnership Advisory Council (CIPAC). When CISA disbanded the CIPAC, it removed the legal framework that enabled and protected strategic engagement between CISA and industry. As a result, joint projects between these entities have been greatly reduced. 
  • Provide for a Long-Term Extension of the Cybersecurity Information Sharing Act of 2015 (CISA 2015). CISA 2015 is a critical tool that provides a combination of liability, antitrust, and Freedom of Information Act (FOIA) protections for sharing cyber threat intelligence. It is important to maintain a trusted legal framework that incentivizes and protects companies that voluntarily share threat intelligence.
  • Confirm a CISA Director. The absence of a Senate-confirmed Director creates a leadership gap and makes it harder for CISA to advocate for resources and priorities. While Nick Andersen is doing an admirable job as Acting Director, the agency will benefit from having a Senate-confirmed Director.
  • Prioritize Resources Through Collaboration. Resources (time, money, and people) are limited and must be leveraged to maximum effect. Collaborative risk management will help industry and government allocate resources more effectively.
  • Enhance Analytic Engagement with Industry. CISA should designate cybersecurity analysts to support specific sectors. These analysts would build relationships with ISACs and their members to learn and understand these critical infrastructure sectors and the most relevant threats they face. This will foster trusted relationships, help analysts build a better understanding of sector-specific risks, and improve threat intelligence sharing between industry and government. 
  • Create Common Situational Awareness. The current “whack-a-mole” approach of government threat sharing needs to transform into a sustained capability that shares, in near real time, strategic and tactical threat intelligence to inform decision-making.
  • Analyze the Impacts of CISA Staff and Funding Reductions. Changing staffing levels based on organizational priorities is a common management practice. To ensure it can maintain its vital core functions, CISA should engage with its partners to understand the impact of staffing reductions and evaluate whether any adjustments are warranted.
  • Modernize Vulnerability Management. Our vulnerability and patch management processes are already struggling to keep pace with today’s disclosures. Threat actors now move fast enough to exploit vulnerabilities before organizations can deploy patches. AI threatens to further stress, if not disrupt, our vulnerability disclosure and patch management models. CISA can convene the relevant communities to prepare for this.
  • Refine CIRCIA. Many stakeholders, including the IT-ISAC and the IT Sector Coordinating Council, have expressed concern that CISA’s draft CIRCIA regulations were too broad and would result in CISA receiving more information than it could process. Limiting CIRCIA’s scope and scale to more closely align with legislative intent will not only reduce the reporting burden on industry but will also help CISA develop and distribute more meaningful threat intelligence. We applaud CISA for planning a series of town halls to receive additional input.
  • Implement Effective Partnership Principles. In 2012, the IT Sector Coordinating Council conducted a study that identified 12 partnership practices that lead to successful outcomes. These have largely been forgotten, but were captured in an article by Larry Clinton of the Internet Security Alliance. As CISA looks to reset its engagement with industry, it should adopt these practices as its guideposts for engaging with industry.   

Finally, while independent of the work within CISA, it is important to note the excellent work that National Cyber Director Sean Cairncross and his team are doing to reduce the regulatory burden on industry. This work is essential for eliminating duplication, reducing liability, and enabling companies to allocate security resources more efficiently. The plethora of overlapping, and in some cases redundant, regulations and reporting requirements increases costs for defenders without improving security outcomes.

This is not a wish list. It is a roadmap that can be achieved with a renewed commitment. It is tempting to say that today’s age of autonomous threats, powered by advanced AI systems, requires a top-down approach in which government security experts dictate the required security controls. But the reality is that neither industry nor government has the knowledge, capacity, or expertise to manage these risks on its own. The need for effectively managed partnerships that enable informed risk management and effective resource allocation is as essential as ever.

Scott C. Algeier is the Founder, President, and CEO of cybersecurity consulting firm Conrad, Inc., Executive Director of the Information Technology – Information Sharing and Analysis Center (IT-ISAC), and Executive Director of the Food and Agriculture – Information Sharing and Analysis Center. He has spent the past twenty years at the intersection of cybersecurity policy and operations. Previously, Scott was Manager for Homeland Security at the U.S. Chamber of Commerce, where he coordinated the U.S. Chamber’s critical infrastructure protection, cybersecurity, and disaster management public policy initiatives. Scott earned his Master’s degree in International Relations and European Studies from the University of Kent (England) and is an honors graduate of Gettysburg College.
