Shields Up: Improving Nationwide Safeguards

To better safeguard digital and physical infrastructure, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) is employing a nationwide program called Shields Up. The multifaceted approach of advisories, protections and engagement with CISA is meant to reach communities, cities and businesses of all sizes across the United States, explains CISA Deputy Director Nitin Natarajan.

“At the end of the day, Shields Up is about cyber resilience,” Natarajan stresses. “It is how we as a nation take the steps we need to build our resilience against cyber attacks, whether these are attacks from nation-states, cyber terrorists or cyber criminals. Regardless of the source, it is how we work together to really build that resilience globally.”

After Russia invaded Ukraine, CISA warned the United States that the Russian government might also commit malicious cyber attacks against the U.S. homeland as a possible retribution of the unprecedented economic sanctions imposed on Russia by the United States and other NATO countries. Given the threat level, Shields Up provides specific guidance on how to understand, mitigate and respond to any Russian state-sponsored attacks to cyber assets and critical infrastructure.

But even as intelligence pointed to possible cyber attacks by Russia, CISA is taking additional steps to shield U.S. organizations, companies and individuals from other nation-state attackers, including China, Iran and North Korea.

“Obviously Shields Up started because of the concern of potential cyber attacks given the current conflict in Ukraine,” he states. “But frankly the actions that we’re looking for and the work that’s being done is not only going to benefit if something were going to happen in this space. These are things that are going to have both short- and long-term benefits for the nation as we continue to build out cyber resilience—well beyond this conflict.”

CISA’s main avenue for the Shields Up effort is its website, which provides a central location for updated threat information and reporting of incidents, Natarajan offers. The platform also provides detailed guidance for any type of organization to block cyber attacks or critical infrastructure intrusions, including how to reduce the likelihood of damaging digital warfare, how to conduct intrusion detection, ways to respond to a malicious event and steps to maximize an organization’s resiliency after a destructive incident. 

“Every organization—large and small—must be prepared to respond to disruptive cyber incidents,” CISA’s website indicates. “As the nation’s cyber defense agency, CISA stands ready to help organizations prepare for, respond to, and mitigate the impact of cyber attacks. When cyber incidents are reported quickly, we can use this information to render assistance and as warning to prevent other organizations and entities from falling victim to a similar attack.”

In addition, for ransomware attacks—presently one of the most popular methods of cyber warfare—the agency supplies a checklist on the Shields Up website to guide victims through ransomware detection, containment and eradication. Information is presented for private sector companies and their senior executives, spelling out how to improve internal reporting and ways to support chief information security officers (CISOs). There is also instruction on how to test response plans and details on worst-case scenario actions, amongst other measures. Moreover, Shields Up provides cyber safeguard directions for individuals and family members.

For organizations involved in critical infrastructure in particular, the Shields Up effort is helping to better inform critical infrastructure owners and operators in the public and private sector through growing education and a dialogue, CISA’s deputy director notes.

“There are elements of Shields Up that are public facing that folks will see,” Natarajan says.

“We have a lot of efforts obviously on the website but Shields Up also has another element to it where we’ve been able to convene our critical infrastructure partners, provide classified briefings to understand the intelligence in a very proactive way, and frankly in ways that we’ve never done before. And this is why I think Shields Up is our most visited website right now.”

The scale at which CISA is reaching the private sector is impressive. More than 13,000 U.S. businesses participated in a recent video call with CISA Director Jen Easterly and other CISA officials to learn additional ways to safeguard their companies.

“[This accomplished scale] builds upon what has been months and months—even going back to last fall—of calls and meetings, unclassified and classified, with individual sectors and groups of sectors, with leadership teams, with corporate CEOs, with CISOs and CIOs [chief information officers],” Natarajan explains. “That was the first of many such [large] meetings. That was not the end of anything. It was another step along the way. And all those conversations help inform the information that we’re able to deliver [to the companies and other organizations], because we want to make sure what we’re delivering is useful and actionable.”

Shields Up also is designed to oscillate with the changing threat levels, CISA’s second in charge continues. The agency responds to the specific cyber atmosphere and acts accordingly, and not on a fabricated schedule. “The tempo changes as the situation changes and we are committed to making sure that our tempo is commensurate to the needs of our critical infrastructure partners,” he states. “We don’t create products because we had some extra time on a Thursday afternoon. We want companies and organizations to take the guidance, take the recommendations and take seriously what CISA folks are saying here.”

Natarajan stresses that no entity is exempt from possible cyber warfare. “The folks who need to take this seriously are companies, large and small, small and local governments, large and small cities. Nobody is immune. With ransomware for instance, we’re seeing that in small towns across America.”

Accordingly, the cyber agency’s efforts to protect the United States have taken on a regional focus, with scores of personnel placed in 10 offices around the nation. “It is meant to reach small towns and small businesses as much as it is for larger cities and companies,” Natarajan clarifies. “We do that in a ‘One CISA’ approach that incorporates all of our resources both here at CISA headquarters and throughout the states. We have over 500 folks located throughout the nation in all of your communities that are designed to help you locally.”

The Shields Up effort is not without its challenges, Natarajan acknowledges. Assessed costs or risks of cyber attacks are still not being incorporated into corporate or governmental thinking.

“We’ve been trying to emphasize a forward-leaning posture when it comes to cybersecurity across the nation for a while now,” he admits. “Partly it is sharing information that allows people to understand why acting is in their best interest.”  

The financial services sector, for example, has made investing in cybersecurity a priority because there is an immediate return on their protections and investments, Natarajan says.  

“There is a quantifiable monetary loss or impact to that organization,” he states. “Entities can look at this as a business perspective—and a lot of businesses can do that because they’re answering to boards or to CEOs that are asking these questions. But if you are in a school district in rural America, what do you weigh it against? Do you get new vehicles this year or invest in cybersecurity? There’s more education and information sharing that we need to do to say that the threat is not just in the large cities and in the large states, that we are seeing cyber, ransomware attacks and other events in small rural towns, making sure that we can arm people with the information to drive their decision-making. Their decision may be the same, but the decision is more informed.”

However, it is this risk acceptance part that most organizations ignore. “To me, it is a three-legged stool,” the deputy director illustrates. “We spend a lot of time on risk identification. We spend some time on risk mitigation. But we forget that third leg of the stool which is, if I identify a risk and I can’t mitigate it, I am accepting it. It is that risk acceptance leg of the stool that people forget about.” 

In addition, CISA must make sure that it is providing “clear entrances” for individuals, communities, companies and government entities to contact CISA. “What we really are trying to do is use the Shields Up effort to provide that one-stop-shop so people can manage their risk, can understand what the threats are, can understand what the vulnerabilities are and understand how to address that,” the deputy director asserts. “It is to help empower a lot of these organizations throughout the nation to build that resilience and to keep pace with the changes, as this is a landscape that’s changing very quickly. And if we can give people a place to go with all that information, and we are going to commit to it being updated in a very timely manner, we can help better empower and better inform the nation.”

The agency’s communications also need to be clear. In this regard, the deputy director favors active versus passive declarations. “Since I got here, my approach has been very clear,” Natarajan suggests. “I want to lean forward. So, even if I have nothing significant to report, I want to be able to have a meeting and say, ‘We don’t have anything new to share,’ because we want you to know proactively that it’s an active statement versus a passive assumption that we have information that we are not sharing.”

In addition, different communication styles are needed to reach many audiences, from cyber operators to citizens to CEOs. “What we’re trying to do is sharing that information in a timely manner and having it be in a way that speaks to multiple audiences,” Natarajan states. “We want to be able to share technical information with the operational folks that speak that language. We want to be able to speak strategically to your CEOs and boards and senior elected officials with similar information that’s connected but speaks in their language. We are continuing to mature and evolve a lot of our products to meet the needs of our stakeholders, from what we are hearing as feedback but also as a threat situation evolves.”

Another challenge is fatigue. “It is not easy to lean forward,” he says. “It’s not easy to be Shields Up for a long period of time. How do we maintain vigilance against complacency? How do we maintain vigilance against fatigue, because we are finding an adversary that has a very different clock than us.”
Organizations or entities can report threat or breach information easily via email to: report@CISA.gov.  

“We can then layer that combined with everything else that we’re seeing around the nation and around the globe,” he states.