A new advisory committee stood up to provide external advice to the Cybersecurity and Infrastructure Security Agency (CISA) received its initial tasks last Friday, which include tackling workforce issues, reaching out and building trust with the hacker community, preaching cyber hygiene, strengthening the most important critical infrastructures, and combating misinformation and disinformation.
The challenges were handed out by Jen Easterly, the director of the three-year-old Department of Homeland Security agency, which is looking to move beyond being the nation’s risk adviser to becoming the “nation’s cyber defense agency.” Easterly said she is looking for “action” from the Cybersecurity Advisory Committee.
“I welcome this group creating action,” she said in her opening remarks during the committee’s first-ever meeting, which was held in person in Northern Virginia. “This really is just not about being a talking club. This is about leveraging your expertise, your perspective, to make the nation safer. At the end of the day this is really about implementing those things that will help CISA truly be the nation’s cyber defense agency. That is what the American people need and that is what the American people deserve, and so I am not looking for a 20-page white paper. I am looking for short info papers from each of the subcommittees that give a series of recommendations that we can go ahead and implement.”
Easterly also called for a council of chief information officers and chief information security officers from the public and private sectors to advise CISA. In addition to informing the agency on the threats they’re facing, this council would discuss how they are “promoting the investments needed in cybersecurity to their C-Suites and boards of directors,” CISA said.
The committee, which has 23 members initially and a charter for 35, is chaired by Tom Fanning, chairman, president and CEO of Southern Company [SO], the nation’s second largest utility. Ron Green, the chief security officer for Mastercard [MA], is the vice chair.
Fanning will also lead the subcommittee tasked with reducing risk and increasing resiliency to the nation’s systemically critical infrastructure, which refers to the most vital sectors of the economy where a cyber-attack or failure could lead to major consequences.
Green will oversee the group charged with “transforming” the cyber workforce. His point of contact at CISA will be Kiersten Todt, Easterly’s chief of staff.
The effort on “igniting the hacker community” will be led by information security expert Jeff Moss, the founder and president of DEF CON Communications, which runs the annual DEF CON information security conference.
A key ingredient in leveraging the hacker community is “trust,” Moss said. He put a focus on the outreach language, highlighting that many hackers and academics don’t want to be associated with military or intelligence activities.
“There’s a lot of resistance if you feel like you’re helping the military or the intelligence community, right,” Moss told the assembled group, which included the public and media who were able to listen in remotely via a conference line. “A lot of hacker ethos, or even security researchers, academics, people around the world, they might want to help make the world a better place but they don’t necessarily want to help the American military. So, you have to come at it as how are you lifting all the boats in the world, not just specifically American companies…And the language we use, I think we should be very careful in picking non-military language. You’re not a cyber warrior. You’re not on the cyber kill chain. You’re not dropping digital bombs. You are helping protect civil society. Because the language you use really informs your thought.”
Moss said CISA has to find the right people to build trusted relationships with the hacker community, which he pointed out has tremendous strengths in finding vulnerabilities in any organization’s networks and operational technology. CISA has to “consciously” earn this trust over years, he said.
Easterly, who will be Moss’s point of contact at CISA on the hacker subcommittee, replied that she “strongly agrees with everything you said.”
Cyber hygiene, which has been messaged constantly by CISA and its predecessor organization, the National Protection and Programs Directorate, remains a focus area. Easterly tapped George Stathakopoulos, who leads the enterprise information security program at Apple [AAPL], to head the Turning the Corner on Cyber Hygiene subcommittee.
The full committee talked at length on cyber hygiene, including proselytizing widely for the adoption of multifactor authentication. Fanning also said that hygiene needs to be an accountability issue with top leaders of companies and organizations.
“At the end of the day, a lot of this is about the basics of cyber hygiene,” Easterly said.
Eric Goldstein, executive assistant director for cybersecurity at CISA, will be the agency’s lead on the cyber hygiene effort.
The Protecting Critical Infrastructure from Mis-, Dis-, and Mal-Information subcommittee will be led by Kate Starbird, associate professor in the Department of Human Centered Design & Engineering and faculty director of the Center for an Informed Public at the University of Washington. Bob Kolasky, CISA’s assistant director of the National Risk Management Center, and Kim Wyman, the agency’s senior election security lead, will help Starbird from the federal side.