CISA Views Critical Infrastructure and Cybersecurity Through Global Lens
If an international coalition that includes multiple U.S. agencies gets its way, software manufacturers rather than their customers will be largely responsible for securing software used to defend critical infrastructures.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI), the National Security Agency and the cybersecurity authorities of Australia, Canada, the United Kingdom, Germany, the Netherlands and New Zealand jointly developed “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default.” The first-of-its-kind joint guidance was announced in June and “urges manufacturers to take urgent steps necessary to ship products that are secure-by-design and -default,” according to a CISA press release.
Kaitlin Jewell, CISA’s associate director of international affairs, said in a recent interview that her agency is committed to promoting a shift in the approach to cybersecurity. Jewell works with foreign partners to build CISA’s capacity and strengthen the U.S. government’s ability to globally defend against cyber incidents and enhance the security of critical infrastructure.
“We engage with the global community to ensure CISA is well positioned to understand how these emerging challenges overseas impact our domestic infrastructure and networks. We also work to build partnerships with peer nations to bolster collective defense against both adversaries and hazards and to assist emerging partner states as they build their own domestic capabilities to complement and expand that shared network defense,” Jewell explained in a recent SIGNAL Media interview.
She emphasized the value of the security-by-design-and-default approach. “CISA’s really committed to promoting a shift collectively on how we’ve been doing cybersecurity. Really what this means is shifting the burden of security away from the customer, shifting the burden for mitigating cyber risk to the most capable entities, the private and public sector, and particularly for CISA International, shifting how we promote this to international partners in our coordination efforts.”
The multinational guidance exemplifies the degree to which the United States and its international partners view critical infrastructure and cybersecurity through a global lens, Jewell said. “When we talk about the benefits of CISA International, we are increasingly at the forefront of efforts to shape the global policy ecosystem. That’s really ensuring that the U.S. and our partners speak with one voice on the development of international policies and standards. An example of that is secure-by-design, of course, and really ensuring secure and open networks and building resiliency to what are now shared challenges to infrastructure throughout the world.”
Security-by-design and -default is highlighted in the agency’s strategic plan for 2024-2026. “We must be clear-eyed about the future we seek, one in which damaging cyber intrusions are a shocking anomaly, in which organizations are secure and resilient, in which technology products are safe and secure by design and default. This is a shared journey and a shared challenge, and CISA, as America’s cyber defense agency, is privileged to serve a foundational role in the global cybersecurity community as we achieve measurable progress to our shared end state,” according to the strategy.
CISA officials will add an international annex to the strategy over the coming year. Working with like-minded countries strengthens critical infrastructure cybersecurity at home and abroad, Jewell explained. “Helping other countries to harden their defenses really denies those malicious actors opportunities to practice their tactics and undertake those attacks that could harm American interests.”
CISA International personnel offer training opportunities, participate in international exercises and focus on information sharing. “We’re also working to expand operational collaboration and information sharing with countries that share our cyber goals and with international organizations to increase CISA’s ability to detect and defend against threats that we face here in America’s critical infrastructure and networks. These targeted engagements really enhance CISA’s understanding of the threat environment and help us create new—and build on existing—international partnerships to secure critical infrastructure and enhance our cybersecurity.”
Cooperation is important, she stressed, because the threat is global, varied and shared. “A lot of the challenges that our partners and allies are looking at are not that different: ransomware, other criminal hacking, malign activity by certain nation-state actors, attempts to play havoc with industrial control systems, software—again, just to foot stomp that—software that’s not secure by design,” Jewell listed. “And sadly, sometimes simple inattention to timely cybersecurity and system security that renders systems vulnerable. Those are collective challenges that we face.”
The People’s Republic of China (PRC) tops the list of “certain nation-state actors.”
“I believe China poses one of the most significant threats to U.S. critical infrastructure, including cyber attacks and cyber-enabled influence,” Jewell asserted, echoing public statements from CISA Director Jen Easterly. “An example of that would be malicious cyber activities such as cyber espionage to pursue their national interest. Not to state the obvious, but it’s problematic because cyber espionage operations have included things like compromising telecommunications firms and providers of managed services, and broadly used software and other targets ... for intelligence collection or attack or influence operations and coordinated theft of information.”
Additionally, in July of last year, the agency signed a memorandum of cooperation with Ukraine to aid its efforts to ward off Russia’s cyber attacks. “One area to highlight would be our continued efforts to support Ukraine as they fight against the certainly unprecedented Russian cyber aggression throughout this unprovoked war. Over the last year, we’ve been able to work with them on information exchanges and sharing best practices on cyber incidents, critical infrastructure security, technical exchanges and cybersecurity training and joint exercises,” Jewell explained.
In May, CISA, the National Security Agency (NSA), the FBI, the Australian Signals Directorate’s Australian Cyber Security Centre, the Communications Security Establishment’s Canadian Centre for Cyber Security, the New Zealand National Cyber Security Centre and the United Kingdom National Cyber Security Centre released a joint cybersecurity advisory highlighting China’s recent activities.
The advisory described so-called “living off the land” activities by PRC cyber actors to evade detection by using built-in networking administration tools to compromise networks and conduct malicious activity. “This enables the cyber actor to blend in with routine Windows system and network activities, limit activity and data captured in default logging configurations and avoid endpoint detection and response (EDR) products that could alert to the introduction of third-party applications on the host or network,” the advisory stated.
The advisory is another example of the global perspective needed to combat cybersecurity threats to critical infrastructure, Jewell notes. “Our private sector partners have identified that this activity affects networks across U.S. critical infrastructure sectors, and it is believed that the actor could apply the same techniques against these and other sectors worldwide,” she added.
While CISA officials share information and lessons learned with other nations, they also learn from those international partners. She cites multiple examples of “products” released with cooperation and collaboration from other countries, including guidance on ransomware, security-by-design and best practices for smart cities.
“In April, we did a joint release of CISA’s best practices for smart cities, which was a collaborative effort through us, National Security Agency, FBI, the United Kingdom’s National Cybersecurity Center, the Australian Cybersecurity Center, Canadian Center for Cybersecurity and New Zealand National Cybersecurity Center. And this product, in particular, is interesting because it addresses the growing global demand for communities around the world to integrate information and communications technologies into their infrastructure to increase efficiency in their day-to-day life.”
She cited specific smart-city capabilities such as efficient access to public services and automating infrastructure operations like wastewater treatment and traffic management. “That’s an area where we learn a lot from our global partners’ best practices. That product includes an overview of risks to smart cities, including expanded and interconnected attack surfaces, things like information and communications technology, supply chain risks and increasing automation of infrastructure operations.”
She described much of CISA International’s work as capacity building. “One of the exciting things that we do is capacity building. That really does include assisting countries and building their own competency in managing risk and strengthening security and resiliency and addressing both current and emerging risks,” she explained.
And while CISA International works with departments and agencies across the federal government, the agency works especially closely with the State Department, which has a Bureau of Cyberspace and Digital Policy. “Through our partnership with the Department of State, just the last year, we’ve been able to deliver workshops and training to cybersecurity specialists from Africa and Europe, Asia and South America. And by enhancing other countries’ organic capabilities, it simultaneously enables CISA to protect the homeland. It bolsters international security, and it promotes global societal resilience,” Jewell said.