The Cybersecurity and Infrastructure Security Agency’s (CISA) strategic plan, released on August 4, 2023, outlines several goals that work together to reduce cyberattacks in the U.S. and limit any damage they may cause.
Why does CISA want to “embody the hacker spirit”?
In addition to requesting more collaboration (between federal and state agencies, industries, researchers and more), CISA also feels that “the hacker spirit”, or “thinking creatively and innovating in every aspect of our work”, is necessary to achieve those goals: addressing immediate threats, hardening the terrain, and driving security at scale.
Goal 1: “Address Immediate Threats”
CISA aims to improve its insight into ongoing cyberattacks by using its own advanced tools and large data sources, and by collaborating with “the private sector, government agencies, and international allies.” This data would then be thoroughly analyzed and shared across the different partnerships in a streamlined effort, so that everyone has accurate information and threats can be mitigated promptly. CISA has been increasingly active in publishing advisories on vulnerabilities, exploits, and threat actor groups; it will be interesting to see how this is further developed.
To counter vulnerabilities, CISA will push for technology that is “secure by design” and will work to quickly identify vulnerabilities in domestic networks for the security research community to fix.
The Joint Cyber Defense Collaborative (JCDC) will help create cyber defense plans that will be used across partnerships. Coordination across these separate groups will help generate better data analysis and play a part in the upkeep and updating of the National Cyber Incident Response Plan. CISA also plans on building up and supporting cyber defense groups to combat shared threats, so the whole nation is best-armed against cyber incidents.
Goal 2: “Harden the Terrain”
CISA’s strategy is highly research-based; it wants to act as an information hub for entities of all sizes hoping to raise their defenses against cyber attackers.
CISA will study government computer systems, critical infrastructure systems, cyber incident reports (which will be required due to CIRCIA), and the research of security experts. They are also investigating what makes an organization successful against an attack, so that the groups involved in the previously mentioned partnerships can make better cybersecurity decisions.
The Agency will provide consistently relevant advice to organizations so they can use their resources most effectively when dealing with cyberattacks. A large part of this will be the Cybersecurity Performance Goals (CPGs), which would be crucial to organizations that manage infrastructure as they make decisions about risk and national security.
To learn about cybersecurity trends, CISA is particularly interested in providing cybersecurity support to federal civilian executive branch agencies and to organizations that have much to protect but limited resources: industries that are “target rich, resource poor”, like the education sector. For those industries with limited resources, CISA will provide cybersecurity assessments and also guide them to alternate security providers when needed. The Cyber Analytics and Data System (CADS) will also be important here for relating the work of the regional cybersecurity workforces to other partners across the government and private sector.
Goal 3: “Drive Security at Scale”
Recognizing that weak software security can increase the risk of cyber issues, CISA is working to push toward a future where a technology product has to be safe before it can be sold. Jen Easterly, the head of CISA, has previously made comments on the lack of safety prioritization from technology companies, and the plan addresses these concerns.
CISA will define safety and security standards, and identify practices that technology manufacturers can take to reduce the risk of attacks. Transparency from these manufacturers will come from Software Bills of Materials and “rigorous vulnerability disclosure practices”.
As technology advances with stronger computers and more sophisticated AI, CISA will make sure they use these technologies responsibly in their own projects and that those who develop the new technologies have safeguards that prevent them from being used irresponsibly.
Part of this preparation for the future also includes making sure organizations are protected from cyber attacks that use these tools. Working closely with the Office of the National Cyber Director (ONCD), CISA plans to create a strategy for cybersecurity workforce and education. This strategy has two main objectives: improving the skills of the current workforce to adapt to new risks and threats, and expanding opportunities for future workers of all ages.
Bonus #FederalFriday: Department of Education
Assisting “target rich, resource poor” entities is a major focus of CISA’s Strategic Plan. The education sector is a good example: lots of sensitive student data, without adequate budgets to keep it secure. At Digital Asset Redemption, we’ve seen our share of cyberattacks targeting this vulnerable field, and K-12 schools generally are unequipped to fight them off.
On August 8, 2023, the White House hosted a Cybersecurity Summit for K-12 Schools, which marked new commitments to improve the cybersecurity in U.S. K-12 schools. According to a statement from the White House, cyberattacks have had a serious impact on education: “[i]n the 2022-23 academic year alone, at least eight K-12 school districts throughout the country were impacted by significant cyberattacks – four of which left schools having to cancel classes or close completely.”
CISA has collaborated with the Department of Education to put out a K-12 Digital Infrastructure Brief, which should assist educational leaders in building more resilient digital infrastructure. As described in the strategic plan, the Agency also has committed to training, exercises, and assessments for 300 new K-12 entities in the school year.
The brief explains that CISA is not the only federal agency involved in the new cybersecurity focus in education. The Federal Communications Commission (FCC) is proposing a $200-million pilot program over three years to enhance cyber defenses in K-12 schools and libraries, and the Department of Education plans to establish a Government Coordinating Council (GCC) to coordinate and improve cyber defenses in K-12 schools across all government levels.
The FBI and National Guard Bureau are releasing updated resource guides for reporting cybersecurity incidents and leveraging federal cyber defense capabilities. Several education technology providers, like Amazon Web Services, Cloudflare, PowerSchool, Google, and D2L, have also committed to providing free and low-cost cybersecurity resources, grants, training, and services for K-12 schools.
With the advancement of technology and increased reliance on digital infrastructure, the importance of robust cybersecurity cannot be overstated. CISA's strategic plan and the recent focus on K-12 schools' cyber defenses demonstrate that both the federal government and private sector players are working together to tackle this complex issue. By embracing the "hacker spirit" and fostering collaboration across multiple sectors, these initiatives aim to create a more secure digital landscape for everyone, starting with the most vulnerable industries such as education.
This post is part of DAR's "Federal Fridays" series.