CISA Looks to Future With First-Ever Strategic Plan

The Cybersecurity and Infrastructure Security Agency (CISA) released a strategic plan — a first in CISA’s four-year history. The 2023-2025 road map outlines four goals to guide the young organization as it works to grow and to push the nation into a higher level of cybersecurity.

CISA’s objectives call for it to “spearhead the national effort to ensure the defense and resilience of cyberspace,” help partners protect critical infrastructure and support stronger “whole-of-nation operational collaboration and information sharing.” Its final goal looks inward and calls on the agency to become more unified and efficient.

The agency is charting its future with an eye to retaining and building trust with private-sector partners, who often own and operate the infrastructure it’s charged with defending. That will be a difficult balancing act as CISA strives to present itself as a partner to the private sector while also advising regulators about cyber issues, said CISA Chief Strategy Officer Val Cofield during a Center for Strategic and International Studies (CSIS) discussion yesterday.

The agency also has been trying to promote industry collaboration as it works to hammer out the details of a passed-but-unimplemented cyber reporting law.

“We really do want to work together with industry to strengthen cybersecurity, as well as with our regulators to rationalize and harmonize whatever regulation might be coming down the pipe,” Cofield said.

NEW CYBER LANDSCAPE

When Russia invaded Ukraine in February 2022, CISA urged U.S. organizations to put their “shields up” and heighten vigilance against potential cyber threats from Russia. Nine months later finds CISA Director Jen Easterly saying threats remain high, and this elevated cyber posture should become the new baseline.

“Given what’s happening in Russia, what’s happening in Ukraine, some of the rhetoric coming out of Russia, it’s not the time to put our shields down,” Easterly said during a CSIS interview, later concluding, “We’ll never be able to put our shields down — that has to be the new normal.”



Making this possible — without burning out the cyber workforce — could take a whole-of-nation approach. Easterly said cybersecurity needs to be on everyone’s minds: government, private sector and the U.S. public.

In part, this takes collaborations, and Easterly pointed to the Joint Cyber Defense Collaborative, which brings together public- and private-sector partners in sharing information and feedback.

This also takes a new mindset around security. One of Easterly’s goals for the coming year is pushing technology companies to design hardware and software with security considerations baked in. National Cyber Director Chris Inglis also previously voiced support for this “security by design” approach.

Her other goal: getting major companies to see cybersecurity not just as a technology topic, but as a business necessity. She hopes they’d in turn help the smaller businesses in their supply chains boost cybersecurity.

CISA is also trying to make cybersecurity improvements simpler, especially for small organizations that find the National Institute of Standards and Technology’s (NIST) well-regarded Cybersecurity Framework challenging to adopt. CISA recently released a set of “40-ish” voluntary Cybersecurity Performance Goals intended to help critical infrastructure entities determine what steps to prioritize to meaningfully reduce their risk, Easterly explained.

DESIGNING INCIDENT REPORTING OBLIGATIONS

Easterly and Inglis both testified last year that voluntary incident reporting alone is insufficient to give CISA the insights it needs. That picture is slated to change, and the March 2022 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) will mandate reporting once enacted. Implementation is on pause until CISA develops specific regulations determining when and how covered entities will need to report.

More reporting can help CISA warn potential other victims, Easterly said, and Cofield said the new information garnered under CIRCIA will help CISA assess the impact of its threat mitigations.

Developing reporting regulations will take about two years, Easterly said, and CISA is working to get feedback from those who’ll be affected.

Mastercard Chief Security Officer Ron Green, also a member of CISA’s Cybersecurity Advisory Committee, said he hopes CISA’s forthcoming rules harmonize with other state, federal — and, ideally, international — regulations, to reduce the work of managing various compliance obligations. Easterly also said harmonization is a priority but did not specify how deeply this would go.

CISA will also have to determine which incidents will trigger the reporting requirements. What’s important to report shouldn’t be determined based on the material damages to the victim organization — which, after all, may reflect more about the size and nature of the business than about the danger posed by attackers — but instead based on whether it’s unusual, Green said. CISA’s broader perspective could let it connect the dots to see patterns invisible to individual entities.

“It may mean nothing; it’s just a thing that happened to us and it’s not that big of a deal,” Green said. “But if [CISA] sees it, perhaps it is something that’s more systemic, more large-scale.”
Industry is sensitive to other ways the new rules could impact them. Grant Schneider, senior director of cybersecurity services at legal and regulatory advisory firm Venable, said CIRCIA addresses a major business concern by providing some protection to reported information. Companies victimized by cyber attacks often fear informing federal government in case details in the reports can be obtained and used against them, such as by legal parties to hold them liable for the incident, he said.

CISA officials stressed that they want industry to feel comfortable sharing with them.

“I have no interest in being a regulatory agency,” Easterly said. “Building trust for partnerships is incredibly important.”

CISA currently has one regulatory role, over “high-risk” chemical facilities, where it instructs them to take steps to detect, deter and respond to physical and cyber attacks, per CISA’s strategic plan.

“What we’ve learned with that very small authority — and the relationships that we’ve developed with the chemical sector — I think are instructive for what we’re doing as we build the Cyber Incident Reporting rulemaking process,” Easterly said.

MATURING CISA

As CISA grows, it needed to ensure there was a plan in place to guide it.

“It was really important to me with the plan to make it simple, so that everyone in the agency can see themselves in it,” and to make it easy to memorize with four key goals, Cofield said.

As CISA looks forward, Schneider encouraged building trust by being transparent about its processes and focusing on outlining and then meeting clear deliverables.

Green, who chairs the cyber workforce committee for CISA’s Cybersecurity Advisory Committee, also advised CISA to revise its lengthy hiring processes, which can take 18 months from application to onboarding. That can be unsustainable for candidates with family and other life responsibilities.