Established in June 2021, the CISA Cybersecurity Advisory Committee (CSAC) is comprised of experts on cybersecurity, technology, risk management, privacy, and resilience, who advise the Director on policies and programs related to CISA’s mission. This post leads with summaries from the most recent CISA CSAC Quarterly Meetings, followed by an archive from all previous CSAC Quarterly meeting summaries.
Note: The most recent CSAC quarterly meeting, for Q423, was held in December 2023. The meeting agenda is available below, but the meeting summary is not yet available.
The Q323 Meeting of the CISA CSAC was held on September 13, 2023.
Mr. Tom Fanning, CSAC Chair, Southern Company, reflected on the impact of CSAC’s contributions and explained that the main focus of the meeting was to discuss CSAC’s recommendations to CISA. He thanked the CSAC members and CISA partners for their work. Mr. Ron Green, Mastercard, thanked all the Committee members for their contributions. The Honorable Jen Easterly, CISA, thanked attendees and reviewed that the Committee would deliberate and vote on recommendations to CISA during the meeting.
Subcommittee Updates / Deliberation and Vote
Mr. Fanning invited all subcommittee chairs to provide an overview of their actions to date and noted that draft recommendations were made available to all meeting participants and the public.
Corporate Cyber Responsibility
Mr. Dave DeWalt, NightDragon, provided an overview of the Corporate Cyber Responsibility (CCR) subcommittee’s actions to date. He reviewed the recommendations to CISA to include:
(1) CISA should work with relevant stakeholders to expand training programs;
(2) CISA should identify what data is needed for engagement on cybersecurity, including a framework for effective board oversight;
(3) CISA should create materials that explain risk for cybersecurity events, given that cyber breaches can have massive negative ramifications; and
(4) CISA should sustain leadership and cooperation to create a culture of corporate cyber responsibility.
Turning the Corner on Cyber Hygiene
Mr. George Stathakopoulos, Apple, provided an overview of the Turning the Corner on Cyber Hygiene (CH) subcommittee’s actions to date. He reviewed the recommendations to include:
(1) CISA should serve as an authoritative source of guidance for cybersecurity practices;
(2) CISA should provide guidance for cybersecurity funding for organizations; and
(3) CISA should provide expertise on how to implement best cybersecurity practices.
National Cybersecurity Alert System
Mr. Chris Inglis, Former Office of the National Cyber Director, provided an overview of the National Cybersecurity Alert System (NCAS) subcommittee’s actions to date. He presented the recommendations to include:
(1) CISA should proceed as the organization providing cybersecurity expertise;
(2) CISA should work with stakeholders to better understand and identify respective outcomes;
(3) implement those aforementioned outcomes as a federal framework, with CISA serving as the primary, but not sole, organization for cybersecurity information;
(4) CISA should implement a tiered risk model;
(5) CISA should build on the existing monitoring alert system and guidance processes; and
(6) CISA General Counsel, in collaboration with other federal legal entities, should examine and recommend a legal framework, incentives, and protections connected to sharing and acting on cyber threat information.
Technical Advisory Council (TAC)
Mr. Jeff Moss, DEF CON Communications, reviewed the Technical Advisory Council (TAC) subcommittee’s focus on supporting CISA’s high-risk community protection (HRCP) program. CISA defines high-risk communities as meeting the following criteria:
(1) demonstrated history of being targeted by advanced persistent threat (APT) actors;
(2) limited capacity to provide for their own defense; and
(3) limited cybersecurity assistance from the U.S. government.
Mr. Moss reviewed the subcommittee’s report to address the TAC scoping questions. He summarized the recommendations for CISA to partner with nonprofit organizations and non-government organizations performing security enhancement work in this space and amplify their work. He noted that CISA should prioritize the protection of life and minimize physical harm. He emphasized the serious need for high-risk communities to receive better guidance on how to mitigate threats. He noted CISA should prioritize developing and sharing information, resources, and tools to build on the successes of the Shields Up campaign. (1) The subcommittee acknowledged the significant gap of technical resources for communities to determine their risk and offered that CISA could provide threat modeling information to high-risk communities. To best support victims, the subcommittee upheld that the U.S. government could encourage secure-by-design requirements and promote collaboration to share threat intelligence. Ms. Nicole Wong, NWong Strategies, reflected that the Open Tech Fund advances similar work to protect high-risk communities. (2)
Transforming the Cyber Workforce
Mr. Green emphasized that the Transforming the Cyber Workforce (TCW) subcommittee’s focus is to support CISA’s efforts to recruit, develop, and retain top talent, and to manage the remote and hybrid workforce. He reviewed the recommendation for CISA to gain access to the Office of Personnel Management’s annual employee survey data, including the Federal Employee Viewpoint Survey, and to develop its own employee engagement survey. He suggested that CISA should create a focus group within the agency that includes the Chief People Officer, the Chief Human Capital Officer, and other key stakeholders within the agency.
Mr. Green reviewed three initiatives employed by the private sector from which CISA could benefit to include:
(1) programmatic enhancements to include affinity groups;
(2) cultural alignment efforts; and
(3) formalizing and educating employees on growth and development.
He noted that CISA should create greater opportunities for team members to share feedback on managers in addition to conducting exit interviews.
Building Resilience and Reducing Systemic Risk to Critical Infrastructure (SR)
Mr. Fanning acknowledged that the subcommittee’s tasking centered around ways both the private sector and the government can collaborate to improve the nation’s security posture. He reviewed the group’s action to create the architecture of collaboration across specific sectors. He encouraged CISA’s National Risk Management Center to collaborate with the private sector as they advance work on the national risk register to evaluate the first, second, and third derivatives of risk across critical infrastructure. He noted that there is still work to be done to understand the criteria for systemically important entities (SIEs) and encouraged CISA to collaborate with the private sector to transparently advance this work. Mr. Fanning reviewed the subcommittee’s focus on defining the architecture of collaboration between the following sectors and government: energy, to include electricity, oil and natural gas, dams, and nuclear; finance; communications; transportation to include rail, airlines, shipping, and trucking; healthcare; and chemical.
Closing Remarks
Director Easterly thanked the Committee for the valuable work to date. She thanked Chair Fanning for his support to the Committee. She also thanked Mr. Green and Mr. DeWalt for their future work as the new chair and vice chair. She asked that all subcommittees, other than SR and TAC, take a strategic pause while CISA responds to the recommendations. SR and TAC will continue advancing their taskings prior to the December Quarterly Meeting.
Notes:
(1) https://www.cisa.gov/shields-up
(2) https://www.opentech.fund/
The Q223 Meeting of the CISA CSAC was held on June 22, 2023.
CSAC Updates and Next Steps
Mr. Fanning facilitated a discussion on the CSAC’s work advancing the six taskings and noted the intent to deliver recommendations to Director Easterly during the CSAC September 2023 Quarterly Meeting.
Mr. Dave DeWalt, NightDragon, reviewed the Corporate Cyber Responsibility (CCR) subcommittee’s actions to date, an effort focused on reducing risk through corporate governance of public and private companies. The group is currently examining a 360-degree view of the challenge to reduce risk. Director Easterly noted the connection between this work and her recent article in Foreign Affairs. (1)
The Turning the Corner on Cyber Hygiene (CH) subcommittee will submit recommendations for full Committee deliberation and vote on CISA’s secure-by-design and secure-by-default work. Mr. George Stathakopoulos, Apple, noted that CH is meeting with education and healthcare sector representatives to discuss, refine, and advise the secure-by-design and secure-by-default principles.
The National Cybersecurity Alert System (NCAS) subcommittee is examining the benefits and operational efficacy of a national cybersecurity alert system. Mr. Chris Inglis, Former Office of the National Cyber Director, noted that while an alert system is currently in place, there is an opportunity to increase its coherence, fidelity, and transparency. Director Easterly referenced the op-ed she co-wrote with Mr. Inglis on the next steps for CISA’s Shields Up campaign and the nation’s cybersecurity posture. (2)
Dr. Kate Starbird, University of Washington, highlighted the Technical Advisory Council (TAC) subcommittee’s two work streams on high-risk community protection and memory safety. To secure high-risk communities, she underscored the need for a holistic approach that considers not just corporate assets, but also individual employees and the potential risks impacting them across digital, physical, emotional, and legal domains.
Mr. Green emphasized that the Transforming the Cyber Workforce (TCW) subcommittee will help CISA determine best practices to recruit, retain, and develop top talent. CISA has hired over 1,200 new staff in the last two years and has reduced the time from recruiting to onboarding. TCW will focus on how CISA can advance the cyber workforce and drive cohesion in the midst of a remote work posture.
Mr. Fanning underscored the need to promote collaboration between the private sector and the federal government to drive down risk. The Building Resilience and Reducing Systemic Risk to Critical Infrastructure (SR) subcommittee is engaging with each critical infrastructure sector to better understand its current structure for working with private sector and government partners, in order to inform the potential development of an enhanced architecture of collaboration with CISA’s National Risk Management Center and Joint Cyber Defense Collaborative (JCDC). SR will focus on:
(1) the energy sector to include electricity, natural gas, oil, dams, and nuclear;
(2) the financial services sector;
(3) the communications sector;
(4) the transportation sector, to include rail, trucking, maritime, and air; and
(5) the healthcare sector. (3)
Closing Remarks
Director Easterly thanked the Committee for the valuable work to date and conveyed her excitement to receive the Committee’s recommendations in September. She gave a special thanks to Mr. Green and his team for hosting the meeting. Mr. Fanning emphasized the ongoing lethal threat to the United States’ critical infrastructure and the importance of the CSAC’s work. Mr. Fanning and Mr. Green thanked Director Easterly for her leadership. Mr. Fanning adjourned the June CSAC Quarterly Meeting.
Notes:
(1) https://www.foreignaffairs.com/united-states/stop-passing-buck-cybersecurity
(2) https://cyberscoop.com/shields-up-easterly-inglis-op-ed/
(3) The Building Resilience and Reducing Systemic Risk subcommittee is also focusing on the water and wastewater sector and the chemical sector.
Further Resources:
On March 21, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) held its sixth Cybersecurity Advisory Committee meeting, the first quarterly meeting of 2023.
On December 6, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) held its fifth Cybersecurity Advisory Committee (CSAC) meeting where Director Easterly led a discussion with committee members on the CSAC’s strategic focus for 2023.
The Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly announced the appointment of additional members to the CISA Cybersecurity Advisory Committee (CSAC), bringing onboard additional experts from the public and private sectors who will advise the Director on policies and initiatives to enhance the nation’s cyber defense.
“The Cybersecurity and Infrastructure Security Agency’s (CISA) 2023-2025 Strategic Plan is the agency’s first, comprehensive strategic plan since CISA was established in 2018. This is a major milestone for the agency: The CISA Strategic Plan will focus and guide the agency’s efforts over the next three years.”
The third meeting of the committee was held in June 2022 in Austin, TX.
The second meeting of the committee was held in March 2022.
The inaugural meeting of the CISA Cybersecurity Advisory Committee (CSAC) was held in December 2021.
Corporate Board Accountability for Cyber Risks: With a combination of market forces, regulatory changes, and strategic shifts, corporate boards and their directors are now accountable for cyber risks in their firms. See: Corporate Directors and Risk
Geopolitical-Cyber Risk Nexus: The interconnectivity brought by the Internet has made regional issues affect global cyberspace. Now, every significant event has cyber implications, making it imperative for leaders to recognize and act upon the symbiosis between geopolitical and cyber risks. See: The Cyber Threat
Ransomware’s Rapid Evolution: Ransomware technology and its associated criminal business models have seen significant advancements. This has culminated in a heightened threat level, resembling a pandemic in its reach and impact. Yet, there are strategies available for threat mitigation. See: Ransomware, and update.
Challenges in Cyber “Net Assessment”: While leaders have long tried to gauge both cyber risk and security, actionable metrics remain elusive. Current metrics mainly determine if a system can be compromised, without guaranteeing its invulnerability. It’s imperative not just to develop action plans against risks but to contextualize the state of cybersecurity concerning cyber threats. Despite its importance, achieving a reliable net assessment is increasingly challenging due to the pervasive nature of modern technology. See: Cyber Threat
Proactive Mitigation of Cyber Threats: The relentless nature of cyber adversaries, whether they are criminals or nation-states, necessitates proactive measures. It’s crucial to remember that cybersecurity isn’t solely the responsibility of the IT department or the CISO – it’s a collective effort that involves the entire leadership. Relying solely on governmental actions isn’t advised given its inconsistent approach towards aiding industries in risk reduction. See: Cyber Defenses
The Necessity of Continuous Vigilance in Cybersecurity: The consistent warnings from the FBI and CISA concerning cybersecurity signal potential large-scale threats. Cybersecurity demands 24/7 attention, even on holidays. Ensuring team endurance and preventing burnout by allocating rest periods are imperative. See: Continuous Vigilance