An advisory committee to the Cybersecurity and Infrastructure Security Agency on Friday approved a series of reports to be delivered to the agency aimed at boosting national cyber resilience, increasing public awareness of CISA efforts, and better securing the world’s digital ecosystem.
Members of CISA’s Cybersecurity Advisory Committee approved the four draft reports and multiple recommendations in response to looming threats by Chinese hackers to critical infrastructure. The reports were drafted by subcommittees and focused on building up the nation’s critical infrastructure resilience, ensuring widespread adoption of the agency’s secure-by-design initiative, increasing public awareness, and solving the messy issue around securing the open-source software supply chain.
CISA Director Jen Easterly praised the committee’s work during Friday’s meeting and commented on the “continued attacks on our most sensitive critical infrastructure by Chinese state-sponsored cyber actors, and of course, we’re less than a month away from the presidential election with a threat environment that is more complex than it has ever been.”
Easterly noted that during a recent trip to Omaha, she met with election officials from Nebraska, Iowa, Kansas, Missouri, and South Dakota, and with the CEO and chief information security officer at the voting software company Election Systems & Software.
“The reality is that election infrastructure has never been more secure and the election stakeholder community has never been better prepared,” Easterly said.
The report written by the building resilience subcommittee found that critical infrastructure and federal agencies are “not prepared” for the hostile actions likely to result from nation-state conflicts. The report also noted that China’s methods of “living off the land” techniques, which use already found software on targeted systems, challenge usual threat detection methods.
The report on building resilience included recommendations for CISA’s Joint Cyber Defense Collaborative to assist federal agencies working with critical infrastructure, specifically around resilience and contingency planning in preparation for a successful cyberattack.
CISA is also pushed in the report to help fill in resource gaps for smaller critical organizations and agencies. The report said the agency should measure the potential impact of federal advisories around Chinese hackers, particularly Volt Typhoon-related threats.
The secure-by-design subcommittee encouraged wider adoption of the agency’s software development initiative. Additionally, that group found that representatives from the public and private sector challenged some of the “fundamental thinking in this space,” such that “there is often no empirical evidence to substantiate some of its long-held security beliefs.” For example, the report challenged ideas that major hacks will impact customer loyalty to the victim company or the “commonly held belief that fixing vulnerabilities earlier is more cost effective.”
The report recommended the commissioning of a study that clearly quantifies the financial and customer impacts from major breaches and addresses ways to fix vulnerabilities in the design process.
A report from the strategic communications subcommittee focused on answering how the agency can spread messages more effectively with the American people and industry. The subcommittee noted that CISA’s communications budget falls well below other public-driven federal agencies, particularly when it comes to crisis communications. Additionally, CISA should look to performance indicators and incorporate successful strategies by corporate and agency leaders.
“CISA should continue its consistent cadence of media outreach, including, but not limited to, quarterly background briefings with cybersecurity journalists at major media publications, and cybersecurity trade publications, to provide a regular dialogue with them on CISA’s top mission and communications priorities,” the report stated.
The technical advisory subcommittee report on open-source software, meanwhile, said the increasingly complex supply chain and the maze of dependencies are seen by hackers as easy targets with high-end rewards. Open-source software and components are found in the bulk of modern applications and the “status quo of willful ignorance of security in software dependencies” will only lead to more attacks by nation-backed hackers, the report noted.
One recommendation said an “accountable intermediary” can mitigate “as is” risk presented by open-source programs, moving some accountability from the consumer and producer to those with more resources.