CISA’s Cybersecurity Advisory Committee Pivots to Meet the Threat
The two-year-old Cybersecurity Advisory Committee of the Cybersecurity and Infrastructure Security Agency (CISA) is evolving to provide CISA a greater range of expertise as cybersecurity threats increase in complexity and frequency.
As an advisory group to the Department of Homeland Security agency, the committee, known as CSAC, provides recommendations to CISA Director Jen Easterly and other CISA leaders on a wide range of cybersecurity issues.
“We're up to 34 members,” explained CISA Deputy Director Nitin Natarajan in a recent interview. “At the March meeting, we added some additional folks to the forum. We are bringing in some different areas of expertise that we didn't have before. We now have a healthcare CEO and a state commissioner of environmental health, for example, all to bring in different perspectives and help tackle some of the priorities that we're looking at.”
Some of the new members include Robert Scott, commissioner, New Hampshire Department of Environmental Services; Brian Gragnolati, president and CEO, Atlantic Health System; Cathy Lanier, former police chief in Washington, D.C. and now senior vice president and chief security officer of the National Football League; and Rahul Jalali, senior vice president and chief information officer, Union Pacific.
The CSAC also added several more cybersecurity experts, including Chris Inglis, the first national cyber director, and former U.S. Rep. Jim Langevin, now with Paladin Capital’s Strategic Advisory Group. While in Congress, Langevin authored many cyber-related bills and was one of four legislators appointed to serve on the Cyberspace Solarium Commission (CSC) that created the National Cyber Director Act. Langevin also co-founded and co-chaired the Congressional Cybersecurity Caucus.
The officials join existing members, including Suzanne Spaulding, CSC member and senior advisor for Homeland Security and the director of the Defending Democratic Institutions Project at the Center for Strategic and International Studies; Thomas Fanning, executive chairman of Southern Company; Ron Green, chief security officer for Mastercard; Steve Adler, former mayor of Austin, Texas; Marene Allison, former global chief information security officer, Johnson & Johnson; Lori Beer, global chief information officer of JPMorgan Chase & Co.; and Kevin Tierney, vice president of global cybersecurity, General Motors.
Preparing to meet next on June 22 in Virginia, the CSAC last met (for the sixth time) in March, advancing several priorities for 2023 through its subcommittees, including how to reduce systemic risks to critical infrastructure, Natarajan said.
“There's essentially six areas that we're looking at within the CSAC, including cyber hygiene and the cyber workforce,” Natarajan stated. “We have a Technical Advisory Council, which is looking at the more mechanical, technical aspects of cybersecurity, and what they can do. Another group is looking at corporate cyber responsibility. We are also looking how to build resilience and reduce systemic risk to critical infrastructure, and understand truly what is the ‘critical of critical’ and how do we focus our efforts on enhancing resilience there.”
In particular, the Building Resilience and Reducing Systemic Risk to Critical Infrastructure Subcommittee is examining the inherent interdependencies between the private sector and the government. Focusing on persistent collaboration, the subcommittee also reviewed CISA’s actions to create a joint collaborative environment, to be “a unique information-sharing platform for partners across the federal government and industry leaders to conduct analysis to build national security resilience,” according to the agency.
The National Cybersecurity Alert System Subcommittee is leveraging the successes of CISA’s recent Shields Up campaign and other models used in the U.S. to create an actionable alert system. This national cybersecurity alert system could be akin to the 311 nonemergency platform used in some cities or towns as a counterpart to the 911 nationwide emergency system, Natarajan noted.
“There have been various pilots throughout the nation where folks have raised ideas, whether it is a Cyber 311, where there's an ability to report information,” he said. “We've also had some initial discussions about, ‘What does a cyber advisory system look like?’ And ‘What does an alert look like?’ It's interesting, because sectors are different, potential actors are different, and it is about really getting ideas back from industry, and from state and local, tribal territorial partners on what they're seeing. Does it make sense to have such a system? What role makes sense for CISA to play versus others? These are the things we talk about and discuss and get feedback. And at the end of the day, if it means there is value, we should look at doing it. If there isn't value, we shouldn't do it.”
In addition, the Corporate Cyber Responsibility Subcommittee is looking for CISA to better engage with corporate boards and the public sector to improve national cyber resiliency, including at K-12 school districts. Meanwhile, the Turning the Corner on Cyber Hygiene Subcommittee is looking closely at product safety, also with K-12 schools, as well as hospitals, water utilities and the wastewater sector, which can be vulnerable to cyber attacks.
Meanwhile, the Technical Advisory Council Subcommittee is focusing on so-called “memory safety and high-risk community protection,” with a call for mature technology products and a shift toward a holistic response to advanced persistent threats. And with the help of the Transforming the Cyber Workforce Subcommittee, the agency is addressing burnout and workload concerns to boost its internal workforce.
Natarajan, who also spoke at the Technology Summit hosted by the AFCEA DC Chapter in April, confirmed: “We're facing a very dynamic threat landscape. We are facing threat actors that are no longer just nation-states. We are facing actors who are no longer just targeting large companies and large cities or large nations. We are seeing small businesses being targeted, we're seeing small rural communities being targeted as much as we're seeing larger targets hit across the nation. We are seeing that everybody is a potential cyber victim.”