US CISA reaches a new maturity level with its comprehensive strategic plan

The new plan aims to make the cybersecurity agency more efficient and to create a "whole of nation" approach to protecting the United States from cyberattacks.

On November 16, 2018, the awkwardly named National Protection and Programs Directorate (NPPD) at the US Department of Homeland Security (DHS) emerged as a full-fledged agency called the Cybersecurity and Infrastructure Security Agency (CISA). Since then, CISA has been the federal government agency for bolstering cybersecurity and infrastructure protection across the federal government and setting the example for the private sector to follow suit.

Under the auspices of its first director, Chris Krebs, and current director, Jen Easterly, CISA has tackled many serious cybersecurity problems, from supply chain infections to crippling ransomware attacks. Last month, CISA took a significant step toward achieving its goals by releasing its first comprehensive strategic plan, an overarching agenda of priorities for 2023 to 2025. (CISA did release a “strategic intent” document in 2019, on which the strategic plan builds.)

CISA strategic plan goals

To achieve its desired outcome of reducing cybersecurity risk and increasing resilience, the plan seeks to drive change in four key areas:

  • Cyber defense by spearheading the national effort to ensure the defense and resilience of cyberspace by working with partners to help mitigate the most significant cyber risks to the country’s National Critical Functions, the disruption of which would have a debilitating impact on the country.
  • Risk reduction and resilience by reducing risks to and strengthening the resilience of America’s critical infrastructure through coordinating a national effort to secure and protect against critical infrastructure risks.
  • Operational collaboration by strengthening the whole-of-nation operational collaboration and information sharing through working with government, industry, academic, and international partners toward more forward-leaning, action-oriented collaboration.
  • Agency unification by unifying as One CISA through integrated functions, capabilities, and workforce and prizing “teamwork and collaboration, innovation and inclusion, ownership and empowerment, and transparency and trust.”

CISA’s 37-page strategic plan elaborates on these goals, with each goal spelling out four to six increasingly difficult objectives, each presented with desired outcomes. For example, under the cyber defense goal, the first objective is to “enhance the ability of federal systems to withstand cyberattacks and incidents,” while the fourth objective is “advance the cyberspace ecosystem to drive security-by-default.”

CISA’s evolution to adulthood

Krebs, now co-leader of the Krebs-Stamos Group, told CSO at Recorded Future’s Predict22 conference in Washington, DC, that he thinks CISA’s strategic plan is “great. It’s an extension of the strategic intent” document produced under his watch at the agency.

“It’s about the evolution of CISA from adolescence to adulthood,” Kiersten Todt, chief of staff at CISA, told the attendees of Predict22. “It’s a look at what our agency has to do, but it also lays an approach for strategy in cyber in general. It’s about creating a foundation and a culture that allows it to be unified and is critical to our success.”

Padraic O’Reilly, chief product officer and co-founder at CyberSaint, also evokes the maturity metaphor when describing CISA’s strategic plan. “I think they're trying to grow up a little bit as an agency,” he tells CSO. “This is one of the artifacts you really require. They're on a maturity journey.”

In keeping with the growth theme, Dr. Christopher Whyte, professor of cybersecurity and homeland security at Virginia Commonwealth University’s Homeland Security and Emergency Preparedness program, tells CSO that CISA’s strategy reflects “a maturation of CISA as an entity itself.”

CISA shifts toward operational realism

Whyte says that CISA’s strategic plan is important because it “codifies almost a change in the macro direction of DHS and system priorities away from what you might think of as the Fortress America approach and more toward a kind of operational realism. What we need to focus on is ensuring the availability and the continuance of services that are persistently under attack, particularly from things like ransomware and particularly for U.S. critical infrastructure,” he says. “It's more important to focus on minimizing risk and maximizing our resilience.”

O’Reilly thinks the strategic plan is a “really good document” and likewise focuses on its practical benefits, particularly regarding collaboration between the public and private sectors. “I was heartened to see in the document that they're looking to make that much more efficient and even faster,” he says. “As far as national critical infrastructure and the resiliency of it, it’s essential that the communication between the public and private sector should become efficient.”

Moreover, O’Reilly was impressed by the emphasis that CISA places on the value of personnel, “that people are central to that process. That's a message that's been coming around the last six months, how critical people are to cyber. I think it gets lost in the story. We tend to think more about technology, but technology doesn't really get it done unless the people properly understand and improve it.”

Public-private collaboration on cyber risks could be a challenge

CISA’s ambitious goals spelled out in the strategy will undoubtedly face challenges. Whyte points to “the really serious operational goal to streamline the collaborative processes” between the public and private sectors as both a benefit and a challenge. “The collaborative landscape is an age-old issue where the incentives to engage with the government have perpetually been somewhat lacking when it comes to cyber defense. Corporate entities have incentives to minimally comply with the regulation as they're required to but not voluntarily share information.”

“I think the problems lie in incentivizing good behavior among companies,” Whyte says. “Private operators have a series of incentives to only minimally engage with the federal government, largely to do with keeping their data private, keeping stakeholders, and keeping reputational costs down.”

O’Reilly echoes this concern. “One of the things that you see across the public sector and the private sector when they are collaborating on things is the complaint from the private sector that this is all just too mind-blowing,” he says. “When [certain players in the private sector] get advice and counsel, they don't always implement it. Then they fall back on kind of the knee-jerk ‘we don't necessarily trust the feds because if they know that we're doing something wrong, they may come after us’ kind of a thing.”

One solution, according to O’Reilly, is for CISA to promote its achievements in sector coordination, “maybe some messaging around some success stories in that area would put certain types of players at ease in the private sector.”

Copyright © 2022 IDG Communications, Inc.