Cybersecurity Industry Leaders Voice Their Concerns About Proposed CISA Budget Cuts

Since her remarks at Black Hat 2021 announcing the creation of the CISA JCDC (Joint Cyber Defense Collaborative), we have been vocal in our support of Jen Easterly's leadership at the Cybersecurity and Infrastructure Security Agency (CISA) and of many of the agency-wide outcomes related to innovative public/private partnerships to bolster cybersecurity threat intelligence and incident response, with a focus on critical infrastructure and federal systems, as well as many of the agency's managerial and operational innovations.

How would a recently proposed 25% cut in CISA’s budget impact CISA and national security? U.S. House Members and cybersecurity industry leaders have weighed in heavily on the subject.

Tech, cyber leaders sound off on CISA budget cut proposals

If it is not on your tracking list, WP’s Cybersecurity 202 is a great daily blast. Earlier this month, the WP Cybersecurity 202 team reported on the growing tensions between the feds and private-sector cybersecurity companies over the proposed CISA budget cut:

“A coalition of CEOs and CISOs from major technology and cybersecurity companies are asking lawmakers to prioritize funding the Cybersecurity and Infrastructure Security Agency, amid recent attempts from GOP lawmakers to cut the agency’s budget by as much as 25 percent, according to a letter first shared with The Washington Post’s Cybersecurity 202.

  • The missive was signed by nearly two dozen executives including Tenable chairman and CEO Amit Yoran, Cisco’s senior vice president and chief security and trust officer Brad Arkin, CrowdStrike CEO and cofounder George Kurtz, NightDragon founder and CEO Dave Dewalt, Palo Alto Networks CEO and chairman Nikesh Arora, Trellix CEO Bryan Palma and VMware chief security officer Alex Tosheff.
  • Cuts to the agency’s 2024 funding “would weaken the agency’s important network defense efforts and critical infrastructure coordinator responsibilities,” the letter argues. House Republicans have broadly pushed for cuts to the security agency in recent homeland security spending votes.
  • It later continues: “The U.S. is a cyber target and we must not stymie the progress that has been made to secure our most critical national assets. Proposed reductions would slow, if not halt, CISA’s efforts to deploy new cyber defense capabilities to keep pace with our adversaries, limit essential information sharing between CISA and the public, and stall efforts to grow the cybersecurity talent pipeline.”
  • The letter echoes recent concerns from senior CISA leadership. The agency’s executive assistant director for cybersecurity, Eric Goldstein, said last month that potential budget cuts would be “catastrophic.” 
  • As your newsletter host reported last month, Sen. Rand Paul (R-Ky.) has been blocking rounds of cybersecurity bills — including measures aimed at improving the federal government’s cyber safeguards and establishing a cyber workforce apprenticeship program — arguing that the agency is working to censor free speech while it works to respond to misinformation and disinformation online.”

As Congress weighs budget priorities, top cyber execs urge CISA funding support

Cybersecurity Dive provided some additional context in their coverage of the CISA budget debate: 

CISA has faced rising backlash from Republican House members in recent months related to the agency’s work to combat disinformation related to election security. A failed amendment to the House Homeland Security Appropriations bill included language to slash the CISA budget by 25% and was supported by 108 Republican House members.

Eric Goldstein, CISA’s executive assistant director for cybersecurity, told a House Homeland Security Committee hearing that the proposed cuts would greatly harm CISA’s ability to monitor threats against federal networks. “We would not be able to sustain that visibility with that significant of a budget cut, and our adversaries would unequivocally exploit those gaps,” Goldstein said. 

Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, told Cybersecurity Dive that such proposed cuts could increase the risk of attacks linked to software vulnerabilities — and put national security at risk. “Cuts to CISA are counterproductive,” Montgomery said via email. “CISA has been authorized and resourced very carefully by Congress over the past five years, on a bipartisan basis, to establish its pivotal role as the nation’s civilian cyber defense agency.” 

Additional OODA Loop Resources

Cyber Risks

Corporate Board Accountability for Cyber Risks: With a combination of market forces, regulatory changes, and strategic shifts, corporate boards and their directors are now accountable for cyber risks in their firms. See: Corporate Directors and Risk

Geopolitical-Cyber Risk Nexus: The interconnectivity brought by the Internet has made regional issues affect global cyberspace. Now, every significant event has cyber implications, making it imperative for leaders to recognize and act upon the symbiosis between geopolitical and cyber risks. See The Cyber Threat

Ransomware’s Rapid Evolution: Ransomware technology and its associated criminal business models have seen significant advancements. This has culminated in a heightened threat level, resembling a pandemic in its reach and impact. Yet, there are strategies available for threat mitigation. See: Ransomware, and update.

Challenges in Cyber “Net Assessment”: While leaders have long tried to gauge both cyber risk and security, actionable metrics remain elusive. Current metrics mainly determine if a system can be compromised, without guaranteeing its invulnerability. It’s imperative not just to develop action plans against risks but to contextualize the state of cybersecurity concerning cyber threats. Despite its importance, achieving a reliable net assessment is increasingly challenging due to the pervasive nature of modern technology. See: Cyber Threat

Recommendations for Action

Proactive Mitigation of Cyber Threats: The relentless nature of cyber adversaries, whether they are criminals or nation-states, necessitates proactive measures. It’s crucial to remember that cybersecurity isn’t solely the responsibility of the IT department or the CISO – it’s a collective effort that involves the entire leadership. Relying solely on governmental action isn’t advised, given the government’s inconsistent approach to helping industries reduce risk. See: Cyber Defenses

The Necessity of Continuous Vigilance in Cybersecurity: The consistent warnings from the FBI and CISA concerning cybersecurity signal potential large-scale threats. Cybersecurity demands 24/7 attention, even on holidays. Ensuring team endurance and preventing burnout by allocating rest periods are imperative. See: Continuous Vigilance

Daniel Pereira

About the Author

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.