Two of the Federal government’s top cybersecurity officials praised a new White House report this week that offers four recommendations to fortify the resilience of the nation’s critical infrastructure – including establishing performance goals and ramping up funding for agencies that oversee the sectors.
National Cyber Director (NCD) Harry Coker and Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly said during a March 13 Foundation for Defense of Democracies event featuring the report’s findings that they welcome the recommendations on how to further protect critical infrastructure.
The President’s Council of Advisors on Science and Technology (PCAST) report – “Strategy for Cyber-Physical Resilience: Fortifying Our Critical Infrastructure for a Digital World” – was released last month and lays out several recommendations for CISA and other cabinet level agencies to “achieve resilience in the critical services” by:
- Establishing performance goals;
- Bolstering and coordinating research and development;
- Breaking down silos and strengthening government cyber-physical resilience capacity; and
- Developing greater industry, board, CEO, and executive accountability and flexibility.
NCD Coker said he believes all four recommendations are important, but that his team is currently hyper-focused on the third one, as budget season has officially commenced on Capitol Hill.
In the third recommendation – breaking down silos and strengthening government cyber-physical resilience capacity – PCAST calls on cabinet secretaries of the agencies responsible for national critical infrastructure to fully resource their Sector Risk Management Agencies (SRMAs) with greater capabilities to support the cyber-physical resilience goals of critical infrastructure sectors.
Coker said during the panel discussion that if you look at the budget, it’s clear that his office has recognized the importance of SMRAs and key partnerships in cybersecurity.
“If you look at the President’s budget, you will see that SRMAs are a priority for us,” Coker said. “It should be clear, not just to the SRMAs, not just to the segment owner-operators, but to the American public, that we do recognize the importance of SRMAs. We have their back, and they are key to the public-private partnership that we talk about regularly.”
“Again, can’t just talk about it, we have to demonstrate it,” he continued, adding, “Look at the budget. You’ll see that we are demonstrating it, so we do have their back.”
Easterly said that CISA has prioritized working with SRMAs who may be more under resourced than others to “help drive down risk.”
“I think we can all agree there are certain sector risk management agencies in certain sectors that have invested more significantly in security and resilience,” Easterly said. “And frankly, it’s why we prioritized over the last year and a half working with SRMAs like [the Department of Health and Human Services (HHS), the Environmental Protection Agency, and the Department of Education] so we can work with those sectors to provide free services and capabilities.”
CISA’s lead also keyed on the importance of the cyber agency’s work to identify systemically important entities (SIEs), noting that CISA’s SIE list has now grown to just under 500.
CISA defines SIEs as those “with primary responsibility for operating National Critical Functions (NCFs), whereby an impact on those entities would create systemic risk for the associated NCF.”
“These are organizations that the disruption or the malfunction of which could be extremely damaging to national security, to economic security, to public health and safety,” Easterly said. “The list that we have been working on for several years now is less than 500.”
“That list is shared with the sector risk management agencies because of course, we need their expertise to be able to validate those lists and then past that, needs to be shared with industry,” Easterly said.
She keyed on future work CISA plans to do with the SIE list, particularly in light of the recent cyberattack on Change Healthcare – a subsidiary of the UnitedHealth Group. HHS is currently monitoring the situation with Change Healthcare after a ransomware attack on the UnitedHealth subsidiary disrupted health care services across the country.
UnitedHealth Group was a part of the SIE list, but Change Healthcare was not, Easterly explained.
She said CISA is currently working on decomposing 55 of the NCFs into subsections. For example, she shared that healthcare has been decomposed into134 subsections – one of which is to provide payments for healthcare. Easterly said this will cause the list to grow from 500 to thousands of SIEs.
“We have to sit down with the sector and with HHS and really look at what we can do to better highlight those companies that are much more critical than we actually were expecting,” Easterly concluded. “So that work is continuing. I think we will be doubling down on that work with the new authorities that we’ll get coming out of the [national security memorandum], but it just illuminates the fact that we have to have an understanding of global supply chains and where impacts can be felt most seriously to the American people.”
Separately, the CISA lead teased that the agency is planning to publish a set of sector-specific cybersecurity performance goals for the finance, IT, and energy sectors in “a couple of months.”
