
The inaugural meeting of the CISA Cybersecurity Advisory Committee (CSAC) was held in December 2021. For highlights and our analysis of the meeting, see A Call to Action from CISA’s Jen Easterly and Def Con’s Jeff Moss at Inaugural CISA Advisory Committee Mtg.

The second meeting of the committee was held in March 2022. For highlights from the second meeting, see Takeaways from the Second Meeting of the CISA Cybersecurity Advisory Committee.

The third meeting of the committee was held in June 2022 in Austin, TX. Opening remarks were addressed to the committee by:

  • Ms. Megan Tsuyi, Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity Advisory Committee (CSAC) Designated Federal Officer
  • The Honorable Jen Easterly, Director, CISA
  • Mr. Tom Fanning, CSAC Chair
  • Mr. Ron Green, CSAC Vice Chair

The following subcommittee chairs provided updates:

  • Mr. Ron Green, Transforming the Cyber Workforce
  • Mr. George Stathakopoulos, Turning the Corner on Cyber Hygiene
  • Mr. Jeff Moss, Technical Advisory Council
  • Dr. Kate Starbird, Protecting Critical Infrastructure from Misinformation and Disinformation
  • Mr. Tom Fanning, Building Resilience and Reducing Systemic Risk to Critical Infrastructure
  • Ms. Niloo Howe, Strategic Communications

Subcommittee Updates

After the opening remarks, there was a public comment period, followed by Subcommittee Updates/Deliberation and Vote:

Transforming the Cyber Workforce Subcommittee – Mr. Ron Green, Chief Security Officer, Mastercard: The subcommittee is focused on building a comprehensive strategy to identify and develop the best pipelines for talent, expand all forms of diversity, and develop retention efforts to keep our best people. During the meeting the subcommittee recommended that CISA prioritize its strategic workforce development; dramatically improve its talent acquisition process to be more competitive with the private sector; radically expand recruitment efforts to identify candidates across their professional lifecycle; and leverage talent identification and hiring success through interagency collaboration. They also recommended creating a new position in CISA, a Chief People Officer.

Turning the Corner on Cyber Hygiene Subcommittee – Mr. George Stathakopoulos, Vice President of Corporate Information Security, Apple: The subcommittee is helping …think through and execute a holistic, scaled approach to ensure that all organizations – public or private, large or small – have the information and resources needed to implement essential security practices. During the meeting the subcommittee chair outlined its three key recommendations:

  1. The subcommittee recommended that CISA launch a “311” national campaign to provide an emergency call line and clinics for assistance to small and medium businesses following cyber incidents.
  2. The subcommittee also recommended that CISA build out its current multi-factor authentication (MFA) campaign by identifying additional vehicles for publicizing its “More Than A Password” campaign, including reaching out to nonprofits, educational institutions, fellow government partners, and the extended cybersecurity community to amplify the importance of MFA.
  3. Lastly, they recommended that CISA take all available steps to ensure that companies working with the Federal Government fully adopt MFA by 2025.

Technical Advisory Council – Jeff Moss, Founder and President, DEFCON Communications: The subcommittee is helping further catalyze CISA’s relationship with the technical community to shift the balance in favor of network defenders. During the meeting, the subcommittee chair recommended that CISA:

  • develop incentives and access to information to aid security researchers who submit vulnerabilities affecting critical systems, and encourage an environment that enables frustration-free vulnerability research and reporting;
  • invest in a central platform to facilitate the intake of suspected vulnerabilities and communication between security researchers, agencies, and vendors, and improve the notification processes after a disclosure has been verified and acted on; and
  • simplify the reporting process and provide feedback to those reporting vulnerabilities.

Protecting Critical Infrastructure from Mis-, Dis-, and Mal-information (MDM) Subcommittee – Dr. Kate Starbird, Associate Professor, Human-Centered Design & Engineering, University of Washington: The subcommittee is evaluating and providing recommendations on CISA’s role in confronting MDM harmful to critical infrastructure, in particular election infrastructure. During the meeting the subcommittee chair recommended that CISA focus on addressing MDM risks that undermine critical functions of American society. As part of this work, the subcommittee recommends that CISA invest in external research to assess the impact of MDM threats and the efficacy of its MDM mitigation efforts.

Building Resilience and Reducing Systemic Risk to Critical Infrastructure Subcommittee – Thomas Fanning, Chairman, President and CEO, Southern Company: The subcommittee is helping CISA determine how best to drive national risk management and identify the criteria for a scalable, analytic model to guide risk prioritization. During the meeting, the subcommittee chair discussed how they are scoping the best frameworks for collaborating with industry to identify systemic risks across National Critical Functions, including the need to hold tabletop exercises with critical infrastructure partners. The subcommittee plans to provide its recommendations at a future meeting.

Strategic Communications Subcommittee – Presented by Ms. Niloofar Razi Howe, Board Member, Tenable: The subcommittee is focused on expanding CISA’s reach with critical partners to help build a national culture of cyber resilience. During the meeting, the subcommittee chair discussed their recommendations, which included an expansion of CISA’s “More Than A Password” MFA campaign to include a corporate partnership program with Fortune 500 companies. They also recommended that CISA launch a “311” national campaign to provide an emergency call line and clinics for assistance following a cyber incident.

CSAC New Topic: Assessment of the Feasibility and Key Characteristics of a National Alert System for Cyber Risk

From the meeting readout: “Director Easterly was also pleased to assign the Committee a new topic for their advice, specifically that they assess the feasibility and key characteristics of a national alert system for cyber risk. The goal of this capability would be to provide a clear and simple method to convey the current severity of national cybersecurity risk to America’s critical infrastructure owners and operators taking advantage of the unique insights from CISA’s analysis of evolving threat activity and our global partners. This system would complement CISA’s existing production of alerts and advisories on specific, actionable risks. Director Easterly looks forward to the Committee’s evaluation of the operational efficacy of a national cyber alert capability.”

Next CSAC Meeting

The next Cybersecurity Advisory Committee meeting will be held virtually on September 13, 2022. Details and information on how to attend will be forthcoming.

Further CISA CSAC Resources

For the readout from the meeting, see CISA’s Third Cybersecurity Advisory Committee Meeting.

More information on CISA’s Cybersecurity Advisory Committee is available here.

https://oodaloop.com/archive/2021/12/13/a-call-to-action-from-cisas-jen-easterly-and-def-cons-jeff-moss-at-inaugural-cisa-advisory-committee-mtg/


About the Author

Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.