Christopher Krebs, director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), today unveiled his “strategic intent” for the agency, which includes CISA’s guiding principles and goal of building a collaborative cybersecurity environment in America.
Speaking at Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security, Krebs explained that CISA’s five guiding principles are to prioritize risk, uphold and respect national values, foster leadership and collaboration, focus on results, and drive a common mission.
Those principles help fuel CISA’s two core goals that Krebs underscored: “Defend today. Secure tomorrow.”
“Defending today, we’re working with state and local governments to help protect themselves, to help defend their networks so they’re not tomorrow’s headline,” Krebs explained. “The secure tomorrow piece is a little bit different. Securing tomorrow is about, what does the next generation of technology look like, and have we baked in the appropriate security concepts, appropriate safety concepts?”
Krebs said that to accomplish these goals, CISA will “conduct collaborative risk management” and risk analysis, share information, and reach out to local communities to help manage risk.
“It’s helping folks deploy sensors – the actual technical piece of deploying sensors,” Krebs said. “It’s risk analysis. It’s conducting exercises. It’s conducting training – it’s providing training to state and local governments. It’s sharing information.”
More specifically, Krebs said that defending today has four components – cybersecurity, physical security, incident communications, and finally, tackling emerging risks, supply chain, and hybrid threats. These four require understanding risks, Krebs said, as well as building capacity and bringing people together in task forces and working groups to share their understanding.
Securing tomorrow, Krebs added, requires “securing and increasing the resilience in America’s critical infrastructure,” and “approaching risk management holistically.”
“It’s looking at the IT, it’s looking at the industrial control system, it’s looking at supply chain, it’s looking at insider threats,” Krebs said of the first component of securing tomorrow.
The second component is “working with the federal interagency to increase a defense posture across the civilian government agencies.” Rather than just helping each agency safeguard its cyber posture in a siloed manner, Krebs said that he wants to share cybersecurity information across agencies to create a common understanding of risk and risk management across the entirety of the Federal government.
Krebs’ third pillar to securing tomorrow is creating interoperable emergency communications, and the fourth is long-term risk management.
“Longer term risk management risks are what the gaps are going to be” many years down the road, he said, along with “ensuring that we have the tools, capabilities, and the workforce to manage those risks.” On the workforce front, he added, “We have to figure out a better way to bring the talent across higher education, K through 12, into the cybersecurity ecosystem.”
Krebs concluded his strategic intent by emphasizing the need for collaboration across Federal, state, and local governments, as well as industry and academia.
“Whatever we do has to be done together, and in cybersecurity, that is the only way we’re going to get it done. It has to be a collective defense approach,” Krebs said.