At a glance.
- CISA’s new strategic plan focuses on unity.
- Survey shows IT firms prioritize data sovereignty.
- Twitter whistleblower testifies at US Senate hearing.
CISA’s new strategic plan focuses on unity.
The US Cybersecurity and Infrastructure Security Agency (CISA) today released its much-awaited 2023-2025 strategic plan, the first comprehensive plan the agency has released since its creation in 2018. As the Federal News Network notes, Congress recently increased funding for CISA in the aftermath of major cyberattacks on the nation’s critical infrastructure, and the strategic plan indicates how the agency intends to put those funds to use. Chris Cummiskey, former Department of Homeland Security undersecretary for management, explains that “having a document like this in place will help project a clear message to Congress that if you’re going to make investments, these are the kinds of places that makes the most sense, and then it’s really a question of execution within CISA to get the job done.” The document sets out four main strategic goals: defending cyberspace, minimizing risk and increasing the resilience of critical infrastructure, bolstering operational collaboration and information sharing, and agency unification under a concept called “One CISA.” At last week’s Billington Cybersecurity Summit, CISA Director Jen Easterly alluded to the One CISA concept: “We’re built off the back of a staff element. We’re now a full grown operational component. And we absolutely need to build a unified agency that is grounded in the culture that we are building, the core principles and our core values of collaboration, innovation, service to the nation, and accountability to the American people.” The plan also indicates that CISA will continue to prioritize a “defend forward” approach, first introduced in the Department of Defense’s (DoD) 2018 Cyber Strategy summary. As CSO Online explains, that strategy requires DoD components to “defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.”
Survey shows IT firms prioritize data sovereignty.
Software storage firm Scality conducted a survey asking IT decision makers in France, Germany, the UK, and the US about their data sovereignty strategies, and 98% of respondents said their organizations already have sovereignty policies in place or are planning to implement them. Of those, half rely on hybrid cloud or regional cloud service providers rather than the public cloud, which the report characterizes as unsuitable for highly sensitive data and as typically involving vendor lock-in and high data access or egress fees. More than a third of respondents prefer a hybrid approach combining on-premises or private clouds with public clouds, which PR Newswire explains allows for more flexibility and control. Scality chief marketing officer Paul Speciale commented, "It's extremely encouraging to see that such a high number of organizations in the U.S. as well as Europe are taking data sovereignty seriously and have plans in place, including a significant shift toward hybrid-cloud strategies. This can certainly help organizations prevent cloud lock-in and provide safety in having data stored locally or in multiple locations. The surprisingly high results in the U.S. could be due to growing concerns regarding China's strength in technology development."
Twitter whistleblower testifies at US Senate hearing.
The revelations about Twitter’s “ticking bomb of security vulnerabilities” published by the social media platform’s former security chief Peiter “Mudge” Zatko earlier this month have rattled the cyber community, and yesterday Zatko testified before the US Senate. Bloomberg reports that Zatko testified for more than two hours, describing Twitter’s weak security measures in detail. Zatko stated, “Twitter’s unsafe handling of the data of its users and its inability or unwillingness to truthfully represent issues to its board of directors and regulators have created real risk to tens of millions of Americans, the American democratic process, and America’s national security.” Zatko also emphasized the need for stricter enforcement by the Federal Trade Commission, which he said has been allowing companies like Twitter to “grade their own homework.” His testimony had senators from both parties reaching across the aisle to make plans for tighter federal regulation of social media. Republican senator Lindsey Graham said to Zatko, “It’s now time to look at social media platforms anew. What you did today will not be in vain.” Graham told reporters that he and Democratic senator Elizabeth Warren are working on a bill that would establish a new federal regulator tasked with overseeing big tech. He also suggested that instead of penalizing violators with fines, which tech giants like Twitter typically have no problem paying, a licensing system could better provide the consequences and incentives needed to bring social media platforms into line.
Gary Barlet, Illumio’s Federal Field CTO, commented on the new strategy:
"CISA’s new plan — the first since its inception — can be evaluated against how well it addresses the federal government’s top three security hurdles: mindset, accountability, and funding.
"One challenge that continues to plague CISA (and the industry at large) is convincing people to shift their mindset from “prevent breach” to “assume breach.” Only by understanding that cyberattacks are inevitable can we effectively limit their impact.
"That’s why Objective 1.1 is so significant. The fact that CISA puts federal agencies’ “ability … to withstand cyberattacks” as its top objective, above “ability to actively detect cyber threats” speaks volumes about this shift in mindset. CISA’s top objective is helping agencies recover from an attack as opposed to preventing it entirely—embodying the mindset that today, “assuming breach” is just as important as detecting it.
"Second, the federal government continues to dance around accountability. Accountability exists by default in the private sector because a company could go out of business in the event of a cyberattack—but when was the last time you heard of a federal agency head losing their job because they didn’t follow a cybersecurity directive?
"CISA’s plan, which outlines accountability as one of its core values, takes a step in the right direction by reaffirming processes that improve management structures: e.g., cross-Mission Enabling Office (MEO) meetings. But baking accountability into security mandates is easier said than done, and history has shown that to be true: for example, HSPD-12, issued in 2004, was a step toward encouraging the adoption of multi-factor authentication (MFA) across agencies. Fast forward to 2022, almost two decades later, and the federal government is still educating departments on MFA. Why? Because change happens slowly in the federal government.
"Which brings us to funding. Without sufficient resources (money and personnel), agencies don’t have the bandwidth to act upon their goals, let alone be held accountable. CISA’s goals of Agency Unification will be impactful in strengthening information and resource sharing, but without a clear outline of funding priorities, cyber attackers will always be steps ahead while the government runs with weights on its ankles.
"CISA is still a new agency and issuing this strategic plan signposts their commitment to driving change in a huge way. I’m excited to see the federal government begin to shift to a resilience-based cybersecurity strategy, which aligns closely with what we practice and preach at Illumio."