After President Trump signed the Cybersecurity Infrastructure Security Act of 2018 into law, the Cybersecurity and Infrastructure Security Agency (CISA) was born. CISA aims to build upon the previous mission of the National Protections Program Directorate (NPPD), which was also housed within the Department of Homeland Security (DHS). As cyber threats continue to emerge and advance, the new agency is looking to champion its mantra, “Defend Today, Secure Tomorrow”. Officials at CISA hope to inspire partners to act on known threats while incorporating a strategic approach to risk management. This is how we build national capacity to grow into risk partners.
What is CISA?
CISA wants to serve as the nation’s risk advisor. It creates a collaboration zone between the public and private sectors, which allows communications to flow freely between and within agencies. Local governments will benefit from the analysis the agency provides. Thus, allowing local officials more refined data to make better decisions.
A shared understanding of cybersecurity risk is important. All partners are continuously making different risk calculations, and this creates gaps in cyber adversaries can exploit. We must be aligned to create a force multiplier. As an example of what happens when you work independently, just look across local government. There are counties with bookkeepers serving as IT security professionals. Their county needs and limited tax-base means they can’t meet all requirements like large municipalities. This output from CISA should enable those counties to better protect their constituents.
Just as it is important to understand the physical output of cyber activity, we must understand the potential cascading effects of cyber-physical events. In order to do that, CISA says they will extend the question “What can I do to help?” to all. The leaders at CISA say the organization will also encourage both the private sector and state/local governments to share their input, concerns or needs if the disaster were to strike. Essentially, they are going to take the Whole of Community Approach.
For planning, the agency says it will also ask partners how they can help if all mission essential functions are disrupted. Simply put, it is a “help me – help you” approach. After all, the agency’s goal is to act as an advocate on behalf of the private sector’s interests and provide them with federal government resources to further their risk management capabilities. The only way to ensure safety is to be on the same page, speak the same language, and share the same concerns in regard to cyber and physical threats.
National Critical Functions
CISA’s national cyber strategy emphasizes the need for a set of national critical functions (NCF) that guide critical infrastructure risk management. A set of official NCF has yet to be released by the agency. It is important that it occurs quickly. The NCF would set the stage for a number of things: national security plans, incident management (regional and local), resiliency plans, risk management prioritization, and intelligence collection.
How Can We Utilize NCF?
NCFs can be used to identify national risks. The identification of risks will allow us to build early warning capabilities to better prepare us for future emergencies or attacks. Because if you don’t know by now, it is not a matter of IF disaster strikes, but WHEN disaster strikes. It is crucial to be well prepared and practiced, to assure critical functions are maintained. This might ensure the safety of our citizens but will lower the potential of catastrophic events.
NCFs can also be used to drive innovation in risk management. Having a “collaboration zone” provides accessibility to data outlining risks and threats. The good, the bad, the ugly all have a place. Within CISA, we also have the National Risk Management Center (NRMC), that focuses on providing strategic planning and analysis in identifying risks to our nation’s critical infrastructure. Though we are successful in mitigating and preventing many catastrophes, we simply cannot stop all of them. Thus, the NRMC sets a few priorities that are most important to follow when disaster does strike. First, it is vital to restoring lifeline services. Since everything is dependent on electricity, we must bring infrastructure resilience into the heart of emergency management. This is why strong public-private partnership will remain prudent. And second, there must be cross-sector support. This is not a one-man job, and there is no need for anyone to play the hero. National critical functions will help identify what tools are most important in aiding various sectors in times of need.
The creations of CISA signals that the government realizes the serious risk, threats, and consequences cybersecurity poses on the nation’s critical infrastructure and mission essential capabilities. Nefarious actors are consistently looking to breach networks, both small and large, through vulnerabilities that are left unpatched or unmitigated. Partnership and understanding between the public and private sector are essential. The Secretary of Homeland Security, Kirstjen Nielsen, warns us that we are no longer solely fighting hurricanes and terrorists. We must prepare for nation-state threats as well as the lone-wolf. Hybrid warfare is being conducted daily and we must realize that “the homeland” may no longer be a sanctuary.