CISA Continues To Evolve Amidst Complex Cyber and Infrastructure Threats

The next leaders of the agency will continue to face challenges but will be armed with a strong network of partnerships.

After six years of operation, the Cybersecurity and Infrastructure Security Agency (CISA) has evolved significantly while maintaining its core focus on partnerships and collaboration, according to CISA’s outgoing Deputy Director Nitin Natarajan.

In a recent interview with SIGNAL Media, Natarajan reflected on the agency’s efforts during his tenure as deputy director over the last four years.

“When you look at CISA today versus CISA four years ago, those core tenets of who we have been and need to continue to be remain the same,” he stated. “And we have matured a lot in our operational execution as well as the strategic vision of where we need to go.”

Overall, the agency has deepened its partnerships across state, tribal and local governments, as well as with the private sector. Having more of a united front is a key part of fighting cybersecurity and infrastructure threats. These relationships have moved beyond formal exchanges to enable frank discussions about security challenges.

“The stronger partnerships are the ones where you can have the honest conversations,” Natarajan noted. “Having those honest discussions where people are able to represent their unique vantage points, and then, more importantly, coming to some type of a joint path forward, as well as acknowledging areas of consensus, and directly addressing areas of disagreement.”

These types of frank discussions have helped support CISA's voluntary incident reporting program. Companies feel more comfortable sharing breaches or vulnerabilities, and CISA has made sure it is responding in a qualitative way. Rather than simply collecting data, the agency is focusing on providing actionable guidance, the deputy director stated.

“When an entity reports an incident to CISA, that information doesn't just end up in some database or repository,” Natarajan emphasized. “We work with the individual reporting or with the victim...to come up with what are the steps that need to be taken to mitigate this type of an incident. And more importantly, how do we take that information on what we've learned, share that back out with that sector and frankly, with the broader universe, in an anonymized way?”

Known for its cybersecurity activities, CISA also is responsible for improving physical infrastructure security. Here, the agency has expanded its focus beyond cybersecurity to address supply chain vulnerabilities, natural disasters and terrorism threats. More work has to be done to secure the nation’s 16 critical infrastructure sectors.

Natarajan cited the Baltimore bridge collapse as an example of an interconnected physical security risk.

“How do we understand what the impact is to the supply chain of vessels that were coming in and out of that port and what impact that would subsequently have?” he considered.

Further examination of global supply chain risks will be a task for his successor.

“We just don't have as strong visibility into those changes as we would like, and it's not due to lack of desire or not trying,” Natarajan acknowledged. “These are just very complex sectors and complex networks, and we have a worldwide supply chain.”

Part of CISA’s role there will be to raise awareness about the risks. “I'm always surprised when people aren't truly understanding of the nature of our global supply chain and the vulnerabilities that just inherently present,” he warned. “I think it's easy to forget what goes into keeping that supply chain viable. Frankly, this is the fundamental challenge we have with critical infrastructure.”

The agency has made strides in promoting its Secure by Design principles among software companies, though Natarajan acknowledged that this remains a long-term challenge, especially given the amount of legacy code on which companies depend.

“Even if we get 100% of companies to agree that this is the best thing we need to do, what we are going to do today, it's not gonna be fixed by tomorrow,” he explained. “It really is kind of a two-stage effort of what do we do in the short term...and then really looking at this longer term of how do we make sure that the software that is going out there is secure.”

Looking ahead, Natarajan emphasized the need for continuous improvement in security practices. For the deputy director, it is important to remind everyone that it is not one easy fix. He suggests an analogy of "dimmer switches" rather than a simple on/off approach to fix security.

“People want it to be a light switch,” he said. “They just want to flip the switch and say, ‘I'm now secure.’ To me, this really is about 100 or 500 dimmer switches. How do we get people to do something every day in one of those dimmer switches, to move it up, to really be able to help to continue to build resilience against these types of incidents?”

As he prepares to leave the agency—still considering his next steps—Natarajan said he remains optimistic about CISA’s future impact.

“We’ve only just begun,” the deputy director said. “We are six years young, and when you compare that against a lot of our other federal departments and agencies, we're relatively young. There's a lot more great work to come from this agency.”
