While the Cybersecurity and Infrastructure Security Agency (CISA) is working to make progress on numerous discrete security policy directives and projects that it has been handed in recent years, a top agency official explained today that the higher-level goals uniting most of those tasks boil down to the government and the private sector achieving much greater visibility into cyber threats and how to defend against them, and not leaving organizations to defend against threats on their own.
Eric Goldstein, CISA’s executive assistant director for cybersecurity, acknowledged during a discussion at the Information Technology Industry Council’s (ITI) Cyber Summit 2022 event that the agency has a lot on its plate with a variety of executive orders and other mandates to improve Federal agency and critical infrastructure security, but also that Congress has provided the agency with the means to undertake the big influx of work.
“The nice thing is that we’ve been able to really categorize and bucket the various mandates put upon us by Congress, executive orders, and other sources, and the work that we perceive we need to do to support our stakeholders across government and the private sector into very straightforward and a small number of priorities that allow us to work these strategic efforts incorporating all the granular deadlines and tasks that we’ve been set,” he said.
From a top-level perspective, Goldstein said, many of those efforts are united under the banner of broadening CISA’s “operational visibility.”
These include technology measures like the agency’s endpoint detection and response pilots, and its Continuous Diagnostics and Mitigation (CDM) program that started several years ago to help agencies improve their security.
Beyond the tech programs, however, the quest for better visibility is more wide-ranging across government and private sector ecosystems, he explained. Central to the larger strategy is broadening “our efforts across the private sector to benefit from third-party visibility – all of those activities to get insight into agency networks at every level of the environment and then extend that visibility where possible out to state and local networks and the private sector – that is all under our operational visibility umbrella.”
Goldstein equated that desired level of visibility to “table stakes for us – if we cannot say what adversaries are actually doing across the country at a given point in time, as well as how they are doing it, what vulnerabilities they are exploiting, what weaknesses they’re seeing and using, we can’t actually do our job in promulgating data-informed guidance and direction that we can expect to reduce incidents over time.”
“It’s also frankly, why incident reporting is so important,” he said, referring to the government’s long-running effort to collect more and better information about attacks.
CISA is in the early stages of what will likely be a multi-year effort to implement legislation approved by Congress earlier this year to require critical infrastructure owners and operators to report certain cyber incidents to CISA within 72 hours, and to report ransomware payments they made to attackers within 24 hours.
“The sample of incident information that we as a community are relying upon to figure out what adversaries are doing and how do we stop them, to put it very simply, is likely not a replicable or a sufficient sample for us to have full confidence that we’re actually identifying the most effective controls and the next dollar invested as we get more operational visibility,” Goldstein said.
“As we get more incident reporting coming in, we’ll be able to use that to actually say, based upon a reliable data set, here’s what adversaries are actually doing, and here are the controls that are most value added,” he said. “So operational visibility is really one key point that pulls in a lot of the requirements and deliverables” that flow from recent directives that CISA is working to implement, he said.
“Another key point is really how do we get an organization to adopt the right controls and security measures at the right time for their maturity and their environments,” Goldstein said.
Efforts to do that come through public-facing campaigns such as CISA’s “Shields Up” advisory issued about possible Russian cyberattacks, he said. But it also includes “our work with technology providers to figure out how can we make security easier for small and medium businesses, for state, local, tribal, and territorial governments, so that they don’t have to do everything themselves, and they are getting more security when they purchase technology products by design.”
He also emphasized the importance of CISA’s role as a provider of shared cybersecurity services to civilian Federal agencies, which he said is aimed at “providing value-added shared services that often are leveraging commercial technology to ensure that in the first instance, Federal agencies and then more broadly, are able to do less.”
The bottom line of that effort, he said, is to figure out “how can we help organizations do less security themselves and rely more on CISA or more on the private sector to do it for them.”
Pursuing that goal, Goldstein said, “is probably going to be a more enduring model of success, versus, for example, relying on each of the 101 Federal civilian executive branch agencies to mandate a full-stack security program themselves.