Saturday, January 18, 2025

CISA’s 2024 Year in Review document details cyber defense, infrastructure protection milestones


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published its 2024 Year in Review, showcasing significant achievements across its missions in cybersecurity, infrastructure security, and emergency communications. The document underscores the agency’s success in mitigating risks and enhancing resilience across cybersecurity and critical infrastructure security. It also highlights a year marked by growth and transformation as America’s cyber defense agency and the national coordinator for critical infrastructure security and resilience.

“I’m proud of what we’ve accomplished this year,” Jen Easterly, CISA director, said in a Monday statement. “The risk environment continues to change, and CISA continues to grow and rise to the occasion. It’s been a great honor to lead CISA for the past three and a half years. I’d like to thank our incredible staff as well as our government, private sector, and international partners for helping us build resilience, reduce risk, and make our country more secure.”  

Initiated in 2023, CISA’s Secure by Design program is intended to shift cybersecurity responsibility from consumers to technology producers. It promotes the idea that manufacturers should ensure customer security, embrace transparency, and lead with accountability. In FY 2024, CISA advanced safer technology by updating guidance and expanding international partnerships. It focused on reducing risks to critical infrastructure and building trust with industry, state and local officials, and election stakeholders.

CISA, along with 17 U.S. and international partners, published updated guidance emphasizing three core principles: taking ownership of customer security outcomes, embracing radical transparency and accountability, and leading from the top. CISA, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and 14 international partners provided the recommendations in this guide as a roadmap for software manufacturers to ensure the security of their products. More than 250 software manufacturers have committed to the Secure by Design Pledge, which includes pledging to increase the usage of multi-factor authentication (MFA), reduce vulnerabilities, and increase the installation of security patches.

CISA provided actionable recommendations to technology manufacturers and guidance on adopting memory safety roadmaps. It also developed a new alert series linking breaches to product defects. A recent alert highlighted SQL injection vulnerabilities, which continue to be exploited despite known prevention methods. Additionally, CISA released the Secure by Design guide for those purchasing software. This guide lists questions customers can ask of their vendors and discusses why each security element matters to their organization.

Looking to 2025 and beyond, the 2024 Year in Review document stated that CISA will continue to expand its efforts to drive awareness and action among software manufacturers and technology users; explore how educational communities can incorporate security into computer science and coding programs to build a future workforce that prioritizes secure design; and gain insight into the economic forces impacting software security to better understand and address the root causes of vulnerabilities.

The 2024 Year in Review document detailed that CISA, as the nation’s cyber defense agency and National Coordinator for the security and resilience of critical infrastructure, has addressed the opportunities and risks AI presents at the intersection of cybersecurity and critical infrastructure.

Since releasing CISA’s AI Roadmap in late 2023, CISA has achieved key milestones, including completing its initial annual AI risk assessments for critical infrastructure sectors in January. These assessments evaluated AI’s potential to increase vulnerabilities to critical failures, physical attacks, and cyber-attacks. Following this, DHS issued new safety and security guidelines based on these findings, offering recommendations to mitigate AI risks across sectors.

In June, CISA conducted the federal government’s inaugural tabletop exercise on AI cybersecurity incidents, gathering over 100 AI experts from government, industry, and international partners to boost operational collaboration. A second exercise followed in September, aiding the development of the upcoming AI Cybersecurity Collaboration Playbook, which will guide the AI community on voluntarily sharing cybersecurity incident information.

In July, DHS presented a report to the White House summarizing CISA’s findings from a pilot project using AI to detect software vulnerabilities in U.S. government systems.

In August, CISA appointed a Chief AI Officer, formalizing efforts to leverage AI for cybersecurity and ensure critical infrastructure partners design, develop, and adopt AI safely and securely. The agency is also strengthening its AI expertise by upskilling internally and hiring externally.

In November, CISA joined interagency partners as a founding member of the Testing Risks of AI for National Security (TRAINS) taskforce, focused on testing advanced AI models in national security domains. CISA will provide cybersecurity expertise to support the task force’s initiatives, part of the agency’s expanding work on AI security evaluations. CISA has also developed several products to promote Secure by Design practices in AI system development.

The 2024 Year in Review document highlighted the critical nature of infrastructure, noting that impacts from a cyber incident can rapidly affect dependent and interdependent systems, as well as the public. Extensive collaboration with government and industry partners is undertaken to provide tools, information, and resources to enhance cybersecurity proactively. 

In the event of an incident, critical infrastructure organizations must report to CISA. This enables CISA to develop a comprehensive understanding of the situation, deploy resources, assist affected infrastructure as needed, and importantly, share anonymized information with other network defenders, allowing them to take immediate protective measures. In FY24, CISA has made significant strides in increasing cyber incident reporting.

Through the Joint Cyber Defense Collaborative (JCDC), CISA coordinates with operational cybersecurity partners in the industry to develop technical information and materials with practical guidance that helps the industry prepare for, mitigate, and respond to cyber incidents.  

In FY24, JCDC released almost 1,300 cyber defense alerts, advisories, and products, including 58 joint-sealed cybersecurity advisories and co-sealed products. These included the first products that CISA had co-sealed with the Czech Republic, Poland, Ukraine, Estonia, Finland, and Sweden. In FY24, CISA coordinated 845 Coordinated Vulnerability Disclosure (CVD) cases and produced 427 vulnerability advisories. CVD is the process of coordinating mitigation or remediation and public disclosure of newly identified cybersecurity vulnerabilities in products and services with the affected vendors.

The 2024 Year in Review document noted that this year CISA achieved a significant milestone and advanced toward enhanced cybersecurity for the nation as part of its efforts to fulfill the requirements under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022. On April 4, 2024, CISA published the CIRCIA Notice of Proposed Rulemaking (NPRM), which outlines CISA’s proposed regulations for implementing the CIRCIA regulatory program. In response to the NPRM, businesses and industries; state, local, tribal, and territorial entities; individuals; non-profits; law firms; information sharing and analysis centers (ISACs); and members of Congress provided hundreds of comments and recommendations.

CISA is considering this feedback while developing the CIRCIA Final Rule. Implementing CIRCIA will strengthen the cybersecurity of critical infrastructure in the United States and enable CISA to gain insights into the cyber threat landscape, driving cyber risk reduction nationwide and providing early warnings to other entities that may be at risk.

The 2024 Year in Review document recognized that APT (advanced persistent threat) hackers, particularly those backed by the governments of China, Russia, North Korea, and Iran, are well-resourced and engage in sophisticated malicious cyber activity that is targeted and aimed at prolonged network and system intrusion. CISA works to ensure the nation’s critical infrastructure is prepared for and resilient against potential interference from these nation-state adversaries. The agency has produced many cybersecurity alerts and advisories to help critical infrastructure partners understand what types of activities are occurring and what steps they should take to prevent and mitigate nation-state cyber intrusions.

The Office of the Director of National Intelligence (ODNI) has identified China as a top cyber threat to U.S. networks. CISA has worked on detecting and mitigating these threats, reducing vulnerabilities, and raising awareness. The agency launched a campaign to highlight the threat, with Easterly testifying alongside FBI, NSA, and ONCD leaders. CISA shared details on threats like the Volt Typhoon group, which targeted critical infrastructure installations. It also hosted events and engaged with the industry to boost cyber resilience.

Furthermore, CISA issues cyber advisories and alerts to help critical infrastructure recognize and mitigate risks from nation-state actors. Russia conducts malicious cyber activities for espionage, suppression of social and political activities, intellectual property theft, and to harm adversaries. North Korea uses cyberattacks for intelligence gathering, system disruption, and revenue generation. Iran’s advancing cyber capabilities and aggressive operations pose a significant threat to U.S. and allied networks and data security.

The 2024 Year in Review document highlights that the risks encountered are intricate, widespread, and disregard borders. Ensuring the protection and security of cyber and physical infrastructure demands the unified efforts of both public and private partners worldwide. International allies and partners confront similar threats, and CISA’s initiatives bolster their resilience just as their efforts enhance CISA’s. 

The agency’s mission is heavily dependent on effective partnerships and collaboration domestically and internationally, and these alliances, in turn, fortify the bonds between cooperative nations.

The CISA document also elaborated on Enhancing State and Local Cybersecurity Through Grants. Established by the Infrastructure Investment and Jobs Act of 2021 and implemented collaboratively by CISA and the Federal Emergency Management Agency, the State and Local Cybersecurity Grant Program (SLCGP) and the Tribal Cybersecurity Grant Program (TCGP) assist eligible entities in addressing cybersecurity risks and threats to information systems owned or operated by—or on behalf of—State, Local, and Territorial (SLT) governments and Tribal governments.

In July, the Department of Homeland Security (DHS) announced the allocation of over US$18.2 million in grants to more than 30 tribal governments. This marks the largest number of awards ever given by the Department to Tribal Nations within a single grant program. These grants are the inaugural awards under the Tribal Cybersecurity Grant Program (TCGP), which was officially launched in September 2023.

In September, DHS announced the availability of $279.9 million in grant funding for the Fiscal Year 2024 State and Local Cybersecurity Grant Program (SLCGP). Now in its third year, this program aims to bolster the capabilities of state, local, and tribal (SLT) governments to detect, protect against, and respond to cyber threats.

The 2024 Year in Review highlighted CISA’s collaboration with government and industry to comprehend, manage, and mitigate risks to the nation’s cyber and critical infrastructure. Given that this infrastructure is predominantly owned and operated by the private sector, risk management is a shared responsibility that requires joint efforts from both private and public sectors. As cyber threats continue to evolve, the demand for skilled cybersecurity professionals is higher than ever. CISA is dedicated to expanding the talent pipeline to address this increasing need.

On Monday, CISA also issued a draft update of the National Cyber Incident Response Plan (NCIRP) for public review. CISA is seeking input from public and private sector stakeholders to evaluate the draft and offer suggestions. The NCIRP document presents a national approach for coordinating the detection and response to cyber incidents. Since the plan’s first release in 2016, CISA has worked closely with various organizations to improve it. The public can submit comments until Jan. 15, 2025, through the Federal Register.
