
Takeaways from the Fifth and Sixth Meeting of the CISA Cybersecurity Advisory Committee Quarterly Meeting (which also meets today, 6/22/23)

The CISA Cybersecurity Advisory Committee Quarterly Meeting is meeting today. Included here are summaries of the 5th and 6th meetings of the Committee, held in December 2022 and March 2023, respectively. 

The meeting will take place at: 

Mastercard’s Arlington Technology Hub
4250 Fairfax Dr
Arlington, VA 22203

MEETING AGENDA: Thursday, June 22, 2023

OPEN SESSION

2:00 p.m. – 3:00 p.m. EDT

2:00 p.m. Call to Order and Opening Remarks
• Megan Tsuyi, Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity Advisory Committee (CSAC) Designated Federal Officer
• Tom Fanning, CSAC Chair
• Ron Green, CSAC Vice Chair
• Jen Easterly, Director, CISA

2:10 p.m. Public Comment Period

2:20 p.m. Subcommittee Updates & Next Steps
• Committee members

2:55 p.m. Closing Remarks & Adjournment
• Jen Easterly, Director, CISA
• Tom Fanning, CSAC Chair
• Ron Green, CSAC Vice Chair

Takeaways from the Sixth Meeting of the CISA Cybersecurity Advisory Committee (March 2023) 

On March 21, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) held its sixth Cybersecurity Advisory Committee meeting, the first quarterly meeting of 2023.  

Swearing in the new members announced yesterday, Director Easterly highlighted how their background and expertise will provide additional insight into how CISA can protect the nation’s critical infrastructure from increasing cyber threats, including informing our work to help ‘target-rich, cyber-poor’ sectors. She discussed how bringing on leaders with rich backgrounds in government, including two former Congressmen, the recently retired National Cyber Director, leaders from the State of New Hampshire, and the former CEO of the UK’s National Cyber Security Centre, is critical to our efforts to collaborate across all levels of government and across the globe. She also spoke to the collective insight of the group from leading technology manufacturers, including several new members, that will inform our work to encourage technology manufacturers to build products that are both secure by default and secure by design.

Director Easterly then led a discussion on CISA’s response to the recommendations submitted at the September 2022 meeting and the subcommittees’ path forward.  Chairs of each subcommittee, including Transforming the Cyber Workforce, Turning the Corner on Cyber Hygiene, Technical Advisory Council, Building Resilience and Reducing Systemic Risk to Critical Infrastructure, National Cybersecurity Alert System, and Corporate Cyber Responsibility, discussed the path forward and work to come based on this feedback. 

“I am thrilled to welcome our newest members, who bring a wealth of experience from across government and industry, and look forward to their added perspectives in making recommendations to build a more cyber resilient nation to confront the cybersecurity challenges we face,” said CISA Director Jen Easterly. “The insightful recommendations the Committee has already developed and their continuous work are instrumental in helping CISA become the Nation’s Cyber Defense Agency our nation needs and deserves.”

CSAC Subcommittee Updates – March 2023

Director Easterly led subcommittee chairs in a discussion on top priorities for 2023.

The Building Resilience & Reducing Systemic Risk to Critical Infrastructure Subcommittee is focusing on collaboration to understand interdependencies within the private sector and government. The subcommittee aims to bolster the nation’s defense system by guiding CISA’s work on Systemically Important Entities (SIEs), CISA’s development of a national cyber risk register, and how CISA can work with Sector Risk Management Agencies (SRMAs). CISA leadership stressed the importance of persistent collaboration and reviewed CISA’s actions to create a Joint Collaborative Environment (JCE). The JCE would serve as a unique information-sharing platform for partners across the federal government and industry leaders to conduct analysis to build national security resilience.

The National Cybersecurity Alert System Subcommittee highlighted the success of CISA’s Shields Up campaign, while acknowledging the reality that the nation cannot put its shields down. The subcommittee is leveraging the successes of CISA’s Shields Up campaign and of other models in the US to create an actionable alert system.

The Transforming the Cyber Workforce Subcommittee is focusing on recommendations to enhance the full spectrum of CISA’s talent management ecosystem to build upon and sustain a people-first culture. The subcommittee will provide recommendations on how to effectively utilize CISA’s Chief People Officer and (Acting) Chief Human Capital Officer, assess the effectiveness of CISA’s hybrid work environment, and address burnout and workload concerns.

The Turning the Corner on Cyber Hygiene Subcommittee will focus heavily on product safety to ensure technology products are both secure by design and secure by default. The subcommittee will also provide support to target-rich, cyber-poor entities such as K-12 schools, hospitals, and the water and wastewater sector. CSAC members discussed ways CISA could best promote product safety and support target-rich, cyber-poor entities.

The Technical Advisory Council Subcommittee is focusing on memory safety and high-risk community protection. CISA leadership reflected on the need to mature technology products and shift toward a holistic response to advanced persistent threats.  CISA leadership referenced the Foreign Affairs article authored by Director Easterly and the CISA Executive Assistant Director for Cybersecurity, Mr. Eric Goldstein. 

The Corporate Cyber Responsibility Subcommittee stressed the need for CISA to better engage with corporate boards to improve national cyber resiliency.  CSAC members identified an overlap between the need to better engage both private and public sectors, such as K-12 school districts, to strengthen the nation’s cyber defense.

The next CISA Cybersecurity Advisory Committee meeting will be in-person in June [2023]. 

Further resources:

March 2023 CSAC Quarterly Meeting Summary

March 2023 CSAC Quarterly Meeting Agenda

Takeaways from the Fifth Meeting of the CISA Cybersecurity Advisory Committee (December 2022) 

On December 6, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) held its fifth Cybersecurity Advisory Committee (CSAC) meeting where Director Easterly led a discussion with committee members on the CSAC’s strategic focus for 2023.   

“I truly appreciate the caliber of experts who have taken the time to participate in this committee and, moreover, for their continuous work in helping CISA become the Cyber Defense Agency our nation needs and deserves,” said CISA Director Jen Easterly. “I look forward to working with the Committee in the new year to ensure we are continuing to build a more cyber resilient nation to confront the challenges we face in cyberspace.”   

“In a time of critical cybersecurity threats, CISA is in a unique position to make a meaningful impact on our Nation’s security,” said the CSAC Chair and Chairman, President & CEO of Southern Company, Tom Fanning. “The Committee members and I look forward to providing strategic recommendations to CISA’s Director Jen Easterly in the coming year to advance CISA’s mission, as they continue to strengthen the cybersecurity posture of the United States.” 

The Committee, which was established in 2021, consists of leading cybersecurity experts from diverse professions and communities nationwide. The Committee was created to provide recommendations on the development and refinement of CISA’s cybersecurity programs and policies, which will ultimately transform the agency as CISA works with its partners to defend against today’s threats while collaborating to build a more secure and resilient infrastructure for the future. 

CSAC Recommendations Discussion

Director Easterly reviewed the CSAC’s work advancing the taskings to date to include standing up six subcommittees in December 2021 and adding a seventh subcommittee following the June 2022 Quarterly Meeting. She added that the CSAC and its subcommittees have met 94 times over the course of the year. To date, CISA has received 48 recommendations from the CSAC which are posted on the CSAC website. (a)

Director Easterly noted that, of the first 24 recommendations submitted, CISA has fully or partially accepted nearly all of them. CISA has completed at least two recommendations to date, including the hiring of a Chief People Officer, Dr. Elizabeth Kolmstetter, and holding a “What to Expect on Election Day” workshop with state and local election officials. Director Easterly applauded CSAC members for distilling the taskings into specific, actionable recommendations. To refocus CSAC efforts in 2023, Director Easterly discussed the CSAC strategic plan for 2023:

(1) the Transforming the Cyber Workforce Subcommittee will focus recommendations on CISA’s talent management and hiring practices;

(2) the Turning the Corner on Cyber Hygiene Subcommittee will focus on shaping the technology ecosystem to be secure by design, providing support to target-rich and cyber-poor entities, and leveraging the cyber performance goals to achieve this work;

(3) the Technical Advisory Council Subcommittee will strengthen partnerships with the hacker and research communities and source ideas on how CISA can promote memory-safe code to support the work of the Cyber Hygiene Subcommittee;

(4) the Building Resilience & Reducing Systemic Risk to Critical Infrastructure Subcommittee will provide guidance on CISA’s work on Systemically Important Entities, CISA’s development of a National Cyber Risk Register, and how CISA can work with Sector Risk Management Agencies to materially and measurably reduce risk;

(5) the National Cybersecurity Alert System Subcommittee will provide ideas for how CISA can calibrate responses to cyber threats based on risk severity to promote sustainable risk management;

(6) the Strategic Communications and Protecting Critical Infrastructure from Misinformation & Disinformation Subcommittees will stand down, as they have successfully answered their taskings and provided recommendations to CISA; and

(7) the CISA Director will establish a new subcommittee focused on Corporate Cyber Responsibility (CCR) which will work to establish and amplify best practices for technology ecosystems that are secure by design and promote persistent collaboration with partners, focusing on target-rich, cyber-poor entities.

Member Roundtable

Director Easterly confirmed that CSAC Chair, Mr. Fanning, would contact CSAC members to determine subcommittee assignments for the 2023 calendar year.

Committee members discussed the CSAC’s newest study addressing the topic of corporate cyber responsibility, and how it can encourage corporate boards to promote strong cyber hygiene. Members agreed that CCR initiatives would better integrate cybersecurity best practices into the fabric of society. Ms. Nicole Wong, NWong Strategies, encouraged CISA to use this as an opportunity to build relationships at the state government level to strengthen the communication channels and relationships between sectors.

Mr. Ted Schlein, Kleiner Perkins, explained the need to define what successful cybersecurity practices look like and encouraged CISA to incentivize companies to achieve that success. Mr. Alex Stamos, Krebs Stamos Group, noted that the traditional role of a board in cybersecurity may be outdated. He suggested that providing guidance on how to proactively address cyber threats to corporate boards and C-suite executives might help them to stay engaged with the mission.

CSAC members discussed the root problems of the current technology ecosystem, such as the fact that two-thirds of vulnerabilities are due to memory unsafety, which is directly tied to the choice of programming languages. Members stressed that now is the time for CISA to raise awareness and for organizations to act.

Annual Report Overview

Mr. Fanning highlighted the annual report requirement mandated in section 2216 of the National Defense Authorization Act of 2021. (b) He presented key points from the CSAC 2022 Annual Report to CISA Director Easterly: CSAC convened for 4 quarterly meetings; CSAC and its subcommittees met 94 times; and CSAC presented 48 recommendations to CISA.

Further Resources: 

December 2022 CSAC Quarterly Meeting Summary

December 2022 CSAC Quarterly Meeting Agenda

Notes:

a –  https://www.cisa.gov/cisa-cybersecurity-advisory-committee-reports-and-recommendations

b – https://www.congress.gov/bill/116th-congress/house-bill/6395/text

https://oodaloop.com/archive/2023/04/15/new-members-of-cisa-cybersecurity-advisory-committee-announced/

https://oodaloop.com/archive/2022/11/23/strategic-plan-for-2023-2025-announced-at-4th-meeting-of-the-cisa-cybersecurity-advisory-committee/

https://oodaloop.com/archive/2022/07/14/takeaways-from-the-third-meeting-of-the-cisa-cybersecurity-advisory-committee/

https://oodaloop.com/archive/2022/04/08/takeaways-from-the-second-meeting-of-the-cisa-cybersecurity-advisory-committee/

https://oodaloop.com/archive/2021/12/13/a-call-to-action-from-cisas-jen-easterly-and-def-cons-jeff-moss-at-inaugural-cisa-advisory-committee-mtg/

About the Author

Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.