The Cybersecurity Advisory Committee (CSAC) of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has approved four draft reports designed to enhance national cyber resilience, elevate public awareness of the agency’s initiatives, and strengthen the security of the global digital ecosystem. Developed by various subcommittees, these reports address critical issues such as enhancing infrastructure resilience, promoting secure-by-design software development, raising public awareness, and safeguarding the open-source software supply chain.
Held last week, the CSAC meeting was called to order and opening remarks were given by Megan Tsuyi, CSAC designated federal officer at CISA; Ron Green, CSAC chair; Dave DeWalt, CSAC vice chair; and Jen Easterly, CISA director. The subcommittee updates, deliberations, and votes were led by Lori Beer, Building Resilience for Critical Infrastructure subcommittee chair; George Stathakopoulos, Secure by Design subcommittee chair; Dave DeWalt, Strategic Communications subcommittee chair; Jeff Moss, Technical Advisory Council subcommittee chair; and committee members.
The CSAC report disclosed that its ‘Building Resilience for Critical Infrastructure’ subcommittee found that, with limited exceptions, critical infrastructure and government agencies have not prepared for a contested environment resulting from nation-state conflict. It also noted that ‘living off the land’ techniques challenge traditional methods of threat detection; that risk mitigation solutions are as important as threat intelligence in this context; and that tailored strategies are required to account for each sector’s unique context, technology, and threat profile.
The subcommittee also outlined that third-party risk from dependencies outside of designated critical infrastructure (e.g., the Microsoft CrowdStrike incident) has the potential to amplify the scale and severity of attacks. It further identified that improving cyber defense can help shrink attack surfaces and reduce risk, but that focusing on the resilience of critical entities and functions is ultimately necessary: sectors are deeply interconnected, and a handful of sectors constitute critical dependencies that resilience planning must account for.
In January this year, the building resilience subcommittee was tasked with providing recommendations for full Committee deliberation and vote to help CISA prioritize and align cybersecurity and resilience efforts for the greatest impact, in the context of threats posed by the People’s Republic of China. The subcommittee tasking document also included tasking questions to guide the work of the subcommittee. This involved considering the PRC’s objectives and targets, determining the optimal alignment of CISA’s cybersecurity and resilience initiatives to maximize impact, and identifying key metrics to assess improvements in resilience.
The subcommittee recommended that to increase national resilience, CISA’s Joint Cyber Defense Collaborative (JCDC) should work with Sector Risk Management Agencies (SRMAs) to ensure resilience, contingency planning, and planning for nation-state conflict are considered in the execution of NSM-22 responsibilities. This should include Sector Risk Assessments and Sector Risk Management Plans.
To strengthen the national cyber defense, JCDC should continue to provide robust threat intelligence that includes risk mitigation solutions, along with threat actor attributions and technical threat indicators. To increase the engagement of the vendor community and smaller Systemically Important Entities (SIEs) in CISA advisories and cyber defense efforts, CISA should consider identifying critical third parties in the cross-sector risk assessment and designate them as SIEs; investing in security and resilience outcomes at smaller SIEs through federal grant-funded cyber-in-a-box services; building a mentorship program to tap more mature, resourced SIEs to work with smaller SIEs on cybersecurity uplift; and exploring ways to cut the noise around advisories and make them more accessible.
In its ‘Secure by Design’ subcommittee report, the agency was called upon to study the economic roadblocks that may hinder the adoption of Secure by Design principles. The subcommittee was tasked with providing recommendations for full Committee deliberation and vote on how CISA can encourage lasting, systemic action to reduce the nation’s risk, study and navigate the economic factors that have led to the current state of risk, and examine the demand and supply factors that have historically limited secure software and hardware manufacturing.
The subcommittee was tasked with addressing the incentives and economic forces that encourage or discourage software manufacturers from adopting secure by design practices, and exploring how CISA can tilt the balance towards safer software. If every enterprise and consumer made cybersecurity a top criterion for software purchases, the problem of unsafe software would start to work itself out. CISA should work to generate a norm of ‘secure by demand’ in the procurement process. Relatedly, such a norm can help customers ask for security features that increase the cost for attackers, rather than settling for security features that are merely ineffective checkbox items.
For critical infrastructure, CISA can play a role in testing these security checks and reporting on results. Many currently available security checks aim to discover instances of defects in source code but are by nature unable to find all (or even most) instances of a class of vulnerabilities. CISA could foster research and development of automated metrics of whether software conforms to Secure by Design practices and principles, such as ‘measuring goodness’ vs ‘measuring badness.’
The subcommittee met with the CISA legal team and the CISA assessments team and found that there are existing mechanisms that CISA can use to assess critical infrastructure and publish results. The identified limitations are that CISA cannot mandate that a critical infrastructure entity undergo a cyber impact assessment; CISA may be able to assess a critical infrastructure entity’s cyber impact only if the entity voluntarily opts in; and CISA generally would not be able to publish assessment results without the entity’s permission. Most importantly, there are limited paths for CISA to influence budgetary decisions for entities managing critical infrastructure, and the subcommittee argued that CISA should be empowered to influence them.
Considering these limitations, CISA should take the first steps of a multi-year effort to secure critical infrastructure. The first step is to design a framework and a standardized ‘security impact study’ that is lightweight, based on existing standards (such as those of the National Institute of Standards and Technology or CISA’s Secure by Design principles), and consumable and executable by technical and non-technical people alike.
The study must be conductable cost-effectively. These impact studies should then be conducted on a voluntary, opt-in basis and offered to any organization that is part of national critical infrastructure. The results of each study should be provided only to the organization itself, while aggregated, anonymized data should be published by CISA on a regular basis.
The Strategic Communications (SC) subcommittee report identified that U.S. critical infrastructure has increasingly come under threat from adversaries due to various factors, including the critical sectors’ increased reliance on communications technology, the strategic value of critical infrastructure targets, and the growing sophistication of cyber-attacks. Cyberattackers have discovered increasingly novel ways to target and monetize infrastructure such as power grids, water systems, health delivery organizations, and transportation systems. CISA has improved the efficacy with which it delivers guidance, support, and resources to the critical sectors. The agency’s campaigns designed to explain policy, convey warnings (e.g., Shields Up), provide context around emergency or binding operational directives, and educate have been especially impactful.
Further, through CISA, the U.S. government has, for the first time, delivered programming aimed at informing and changing the behavior of the U.S. public to help build a more cyber-resilient society. CISA is not a traditional regulatory agency. It cannot require stakeholders to do things the way regulatory agencies can. Therefore, CISA must rely on its ability to convince its stakeholders to take recommended actions, and it can only do this if its messages are heard and trusted. CISA needs more capacity to reach stakeholders and must employ different strategies to reach different stakeholder groups. The subcommittee also noted that trust and confidence in CISA’s brand will be critical to the agency’s ability to recruit top talent.
The CSAC subcommittee heard from subject matter experts leading communications and branding strategies at the National Aeronautics and Space Administration (NASA), the American Association of Retired Persons (AARP), Blackbird.AI (a firm specializing in combating disinformation and narrative attacks), and former representatives of the Federal Bureau of Investigation (FBI).
The draft CSAC report recommended that CISA right-size its strategic communications function to meet growing demand; develop key performance indicators for its strategic communications efforts and measure achievement against them; incorporate communications strategies implemented by other U.S. agencies that have effectively cultivated stakeholder trust; evaluate the technology platforms it uses to connect with stakeholder groups in order to identify new ways to reach them; and explore the use of additional technological capabilities to measure the effectiveness of its strategic communications strategy and to identify and counteract damaging counter-narratives.
The fourth draft CSAC report, from the Technical Advisory Council (TAC) subcommittee, highlighted that continued high-impact and high-profile security incidents related to software vulnerabilities in commercial and open source software (OSS) have drawn the attention of news media and governments worldwide. Increasingly complex software supply chains and product dependencies have become frequent targets for organized crime and nation-states, which see them as legitimate targets with a low barrier to entry and high reward.
“The US Government, NGOs, and commercial providers have been identifying gaps in the OSS ecosystem for as long as it has existed. The difference now is the consequences of software defects and vulnerabilities are much greater than in the past and supply chain attacks are growing in frequency and scope,” according to the draft CSAC report. “Shared software, tooling, supply chains, and manufacturers mean a defect in one piece of code can have wide and unforeseen impacts. Software development builds complex systems by interlocking thousands of small, rigid pieces together, such that the failure of any one piece can propagate cracks throughout the entire system.”
CISA should push for the adoption of Software Bills of Materials (SBOMs) and Supply-chain Levels for Software Artifacts (SLSA), and establish recommended formats for both kinds of attestations that enable interoperability and, especially, composition. Ideally, artifacts such as packages should not only come with authenticated SBOM and SLSA information, but that metadata should be delivered in a way that can be combined with the metadata of other ingredients to build the correct SBOM and attestations at the next level up. This is not an easy goal, but it is fundamental to safe consumption given the deeply nested nature of consumption.
“Curators, the accountable intermediaries discussed above, can play an important role in driving towards effective composition by ensuring that their packages produce high-quality metadata, including interoperable SBOMs and signed SLSA provenance information,” the CSAC report said. “They will need to solve these problems for the packages they import and thus can help drive towards better consistency across OSS packages. Longer term, package metadata can provide transparency for many different kinds of security practices, such as what kind of security testing has been done, use of multi-factor authentication, and other indicators of security best practice maturity.”
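The composition step described above, in which a consumer authenticates each ingredient's provenance and folds its SBOM into the next level up, as an added illustration that is not code from the CSAC report or from any SBOM/SLSA tooling. The records are simplified, constructed stand-ins for real CycloneDX/SPDX and in-toto documents, and the HMAC "signature" is an assumption standing in for a curator's real signing key.

```python
import hashlib, hmac, json

# Constructed example: simplified SBOM + provenance records, not a real
# CycloneDX/SPDX or in-toto document. The HMAC "signature" stands in for the
# signature a curator would produce with a real signing key (assumption).
CURATOR_KEY = b"constructed-curator-key"

def canonical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign_provenance(prov, key=CURATOR_KEY):
    return hmac.new(key, canonical(prov), hashlib.sha256).hexdigest()

def make_ingredient(name, version, content, components, key=CURATOR_KEY):
    """Build a package record carrying its own SBOM and signed provenance."""
    digest = hashlib.sha256(content).hexdigest()
    prov = {"subject": {"name": name, "digest": digest},
            "builder": "constructed-builder", "slsa_level": 3}
    return {"name": name, "version": version, "content": content,
            "sbom": {"components": components},
            "provenance": prov, "signature": sign_provenance(prov, key)}

def verify_ingredient(pkg, key=CURATOR_KEY):
    """Authenticate the metadata before composing it upward."""
    expected = sign_provenance(pkg["provenance"], key)
    if not hmac.compare_digest(pkg["signature"], expected):
        return False  # provenance altered or signed by an unknown party
    actual = hashlib.sha256(pkg["content"]).hexdigest()
    # the attestation must bind to the artifact actually being consumed
    return actual == pkg["provenance"]["subject"]["digest"]

def compose_sbom(parent_name, ingredients, key=CURATOR_KEY):
    """Merge ingredient SBOMs into the parent's SBOM, refusing unverifiable ones."""
    components = {}
    for pkg in ingredients:
        if not verify_ingredient(pkg, key):
            raise ValueError(f"unverifiable metadata for {pkg['name']}")
        ref = f"{pkg['name']}@{pkg['version']}"
        components[ref] = {"direct": True, "slsa_level": pkg["provenance"]["slsa_level"]}
        for dep in pkg["sbom"]["components"]:  # transitive deps, deduplicated
            components.setdefault(dep, {"direct": False, "slsa_level": None})
    return {"name": parent_name, "components": components}

# Constructed ingredients: both depend on zlib@1.3, libB also on openssl@3.2
LIB_A = make_ingredient("libA", "1.0", b"libA bytes", ["zlib@1.3"])
LIB_B = make_ingredient("libB", "2.1", b"libB bytes", ["zlib@1.3", "openssl@3.2"])
```

The `slsa_level: None` entries flag transitive components whose own provenance was never seen, which is exactly the gap a curator would be expected to close.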
The CSAC draft added, “We believe the long-term solution for safe consumption requires a structural change in the mechanisms around the consumption of open-source software. This is driven by the fundamental disconnect between the ‘as is’ disclaimer used in open source, which is necessary for the developers, and the desire for top-down accountability. This gap can be bridged by curation, where an accountable intermediary takes responsibility for a subset of OSS packages.”
Although the curation model has existed for many years in various forms, it is not widely used above the level of OS distributions, which only cover a fraction of the important OSS in use today.
The other findings are also critically important and will provide needed transparency and automation tools that will help CISA promote safe OSS consumption. When combined with the curation model, these will help provide the structural changes necessary for developers and other OSS consumers to manage and mitigate their risks.