A federal advisory committee this week approved a set of recommendations to help the Cybersecurity and Infrastructure Security Agency (CISA) protect critical infrastructure, even as the panel criticized some of the government’s current efforts to do so as unfocused and lacking clear national goals.
At its fourth meeting on Sept. 13, CISA’s Cybersecurity Advisory Committee released a draft report primarily from its Building Resilience and Reducing Systemic Risk to Critical Infrastructure subcommittee.
The nine-page document says the subcommittee identified “barriers” to managing cyber risks, including “varying levels of maturity across critical infrastructure sectors, insufficient scope for national resiliency outcomes, and underutilization of existing policy and regulatory approaches that address risk management.”
The Department of Homeland Security established the advisory committee last year to aid CISA’s cybersecurity mission, and CISA had given the critical infrastructure subcommittee a set of questions to guide its work. But the subcommittee “repeatedly struggled to address the questions CISA provided without a clear understanding of the desired end state for national risk management,” its members wrote in the report.
As an example, the document said, the Department of Defense has a set of continuity of government performance goals. The subcommittee “is unaware of a similar set of national resiliency goals in support of CISA’s critical infrastructure mission,” the report says.
“Clear national-level goals in the areas of national security, economic continuity, and health and human safety would help organize public and private critical infrastructure stakeholders,” it adds.
To help improve critical infrastructure protection, the full advisory committee unanimously approved subcommittee recommendations to CISA that call on the agency to identify the entities responsible for operating “national critical functions” and to establish “national resiliency goals.”
It is unclear if the agency will take action on the recommendations. CISA Director Jen Easterly attended the meeting and offered praise and thanks for the subcommittee’s “comprehensive work.”
“Advice, as good as it is, can be ignored,” she added. “So what we really want to do is work together to collaborate to reduce risk, which is why I’m very interested in how we flesh out those goals and outcomes.”
The cyber advisory committee also approved recommendations from its Protecting Critical Infrastructure from Misinformation and Disinformation subcommittee, which expand on earlier recommendations from June.
In its three-page section of the report released on Sept. 13, the disinformation panel said “there are reasons to anticipate” that elections this year and in 2024 may again attract efforts at interference from adversaries such as Russia and China. The subcommittee recommended that CISA work with the intelligence community and the FBI to share threat information with state and local election officials.
The CISA advisory committee, which advises and provides recommendations to Easterly on cyber policies, programs, planning, and training, includes leaders from numerous tech and cybersecurity services providers.
The panel’s other subcommittees provided updates on their work at the meeting, with representatives from the Transforming the Cyber Workforce Subcommittee saying its focus is building a comprehensive strategy to identify and develop high-quality pipelines for cyber talent.
The Turning the Corner on Cyber Hygiene Subcommittee, meanwhile, focused on its efforts to help small and medium-size businesses develop good cyber practices, while the Technical Advisory Council said it is meeting with state and local critical infrastructure stakeholders to discuss how to share information.
The Strategic Communications subcommittee also made a presentation at the meeting, saying it is focused on aiding the redesign of CISA’s website.
In his presentation, Tom Fanning, the advisory committee’s chair, walked members through the recommendations outlined in the critical infrastructure subcommittee’s report to CISA.
The recommendations encompass three pillars, the first being the support of “systemic risk identification to determine systemically important entities” in protecting critical infrastructure. The subcommittee outlined steps for how CISA can identify and partner with entities responsible for operating national critical functions.
For its second pillar, the subcommittee recommended that CISA “establish outcome-based national resiliency goals,” while the third pillar covered ways in which the agency can “create or enhance enabling structures and programs to advance national resiliency goals.”
“This is a really beefy set of recommendations,” said Fanning, the chairman and CEO of Southern Company. He said the subcommittee had sought to identify “gaps in maturity” around critical infrastructure protection in the event of cyberattacks and to propose “national goals” to plug those gaps.