A Call to Action from CISA’s Jen Easterly and Def Con’s Jeff Moss at Inaugural CISA Advisory Committee Mtg.

In the first meeting of the Cybersecurity and Infrastructure Security Agency’s (CISA) new Cybersecurity Advisory Committee, CISA Director Jen Easterly made clear to the committee members their working model would be action-based, not the usual passive mode assumed by an advisory body.  As government IT website MeriTalk first reported, Easterly was leaning on the new advisory committee for actionable recommendations, telling the group:

“I welcome this group creating action. This is really just not about being a talking club. This is about leveraging your expertise, your perspective, to make the nation safer. At the end of the day, this is really about implementing those things that will help CISA truly be the nation’s cyber defense agency. That is what the American people need. And that is what the American people deserve.  And so I am not looking for a 20-page white paper, I am looking for short info papers from each of the subcommittees that gives a series of recommendations that we can go ahead and implement.” (1)

John Tien, Deputy Secretary of Homeland Security, in his keynote speech at the meeting, echoed Easterly’s sentiment:  “Your voices, your thoughts, your brainpower are going to have to help us identify the gaps, the vulnerabilities, and also provide us with some thoughts on solutions,” Tien told the committee members. “Those are voices, those are ideas, those are thoughts, but then it’s going to have to step into action… we need to act.”

Igniting the Hacker Community

The main output of the meeting, according to CISA, was the establishment of “subcommittees that will focus on key objectives and provide tangible deliverables ahead of the next committee meeting.” The Cybersecurity Advisory Committee subcommittees include:

Transforming the Cyber Workforce Subcommittee:  This subcommittee will focus on building a comprehensive strategy to identify – and develop – the best pipelines for talent, expand all forms of diversity, and develop retention efforts to keep our best people. We will also aim to find creative ways to educate communities “K through Gray” to develop a better-informed digital workforce and to inspire the next generation of cyber talent.

Turning the Corner on Cyber Hygiene Subcommittee:  A core objective of CISA’s cybersecurity strategy is to raise the baseline of security throughout the cyber ecosystem to advance an environment that favors the defender. This subcommittee will help us think through a holistic, scaled approach to ensure that technology is maximally secure out-of-the-box and that all organizations – public or private, large or small – have the information and resources needed to implement necessary security controls.

Igniting the Hacker Community Subcommittee:  The security of our nation depends in part on our ability to leverage the imagination and talents of the global white-hat hacker and research community. This subcommittee will spearhead the development of a Technical Advisory Council, comprised of hackers, vulnerability researchers, and threat intelligence experts to get direct feedback from front-line practitioners whose work is vital to the security of our nation.

Protecting Critical Infrastructure from Mis- Dis- and Mal-information Subcommittee:  The core of CISA’s mission is to safeguard America’s critical infrastructure. Unfortunately, the nation has seen the corrosive effects of mis-, dis-, and mal-information (MDM) across a host of critical infrastructure in recent years impacting our election systems, telecommunications infrastructure, and our public health infrastructure. This subcommittee will evaluate and provide recommendations on CISA’s role in this space and ensure that the agency is providing value that fits within its unique capabilities and mission.

Building Resilience and Reducing Systemic Risk to Critical Infrastructure Subcommittee:  At our core, CISA aims to reduce systemic risk to our nation’s cyber and physical infrastructure. When the government is faced with requests for support from many entities, understanding which ones are the most important to our national security, economic prosperity, and public health and safety will allow CISA to optimize risk reduction in two ways: collaborative operational support to major players on the frontline of cyber warfare, and responsive technical support to those small organizations that the Nation needs, but are not ready for battle. This subcommittee will help us determine how to best drive national risk management and determine the criteria for a scalable, analytic model to guide risk prioritization.

The Cybersecurity Advisory Committee meets at a time when the cybersecurity threat landscape is increasingly varied and intense in its activity, including the type of private sector and individual responses to cyber incidents, as we discussed in our recent series:  The New Normal? New Responses to Massive, Global Cyber Theft, Data Breach, and Espionage Activities, in which we analyzed the Syniverse Hack, the BitMart Heist, and The Microsoft NICKEL Domain Seizures.  Microsoft’s increased legal activity, in particular, points to the increase in the legal efforts of high-tech companies in combatting cyber threats.

Easterly and CISA leadership are clearly collaborating with the IT sector through the recent establishment of the Joint Cyber Defense Collaborative (JCDC), which Easterly announced at the Black Hat security conference in August. Interestingly, Easterly and Def Con Founder Jeff Moss (a CISA Advisory Committee Member) at the Advisory Committee meeting on Friday were less concerned with collaboration with the business community and, instead, prioritized messaging and outreach to the hacker and research community.  The Record reports that “the director cited her attendance [at Black Hat] as part of an effort to ‘ignite’ the hacker community and noted the inclusion of Jeff Moss, the founder of that conference and DEF CON who is also known by the handle Dark Tangent, in the committee.”

Attendance at the Advisory Committee meeting was limited for public health reasons, including press access. The Record, however, has managed to garner a report of Def Con Founder Jeff Moss’ perspective on how best to reach out to the hacker community based on years of a leadership role in the white hat hacker community:

“During the meeting, Moss said the government needed to do a better job providing on-ramps for altruistic hackers who want to help contribute to global safety. But he also cautioned that there’s a lot of resistance within that community to being associated with the U.S. military or intelligence operations, so the group should be thoughtful in their outreach, he said.

“‘We should be very careful in using non-military language. You’re not a cyberwarrior, you’re not on the cyber kill chain, you’re not dropping digital bombs–you’re protecting civil society,’ he said. ‘Many hackers still would be unlikely to trust CISA as an institution, but over time the agency could build its reputation by bringing in individuals who already have the trust of that community,’ Moss said.” (2)

In our earlier analysis, we suggested that the American high-tech industry could be a powerful legal force in response to the growing number of cyber attacks by non-state actors. If Easterly and Moss can leverage the respect and credibility they have in the hacker community, that would open a new offensive and defensive front against cyber threats that would, arguably, be as powerful and sophisticated as anything the business community can muster through cyber law activities. To a certain extent, the efforts of corporate IT and the activities of white-hat hackers are so apples and oranges (such a separation of church and state, to grasp further at the right analogy) that real potential exists for both communities to run parallel collaboration efforts with CISA to stem the ferocious tide of cyber threats directed at U.S. critical infrastructure.

Design of the Cyber Safety Review Board with Advisory Committee Inputs

MeriTalk also reported on a subject of keen interest here at OODA Loop, namely cybersecurity organizational design efforts for reportage and oversight of cyber incidents: “In addition to the info papers from each of the subcommittees, Easterly said she is also hoping to gain insights from the committee on the Cyber Safety Review Board.  In a ‘preview of what’s to come next from CISA’, Easterly said her agency has been ‘spending a lot of time’ on the establishment of the board, which was required by President Biden’s cybersecurity executive order and will be comprised of public and private sector stakeholders.”

The Cyber Safety Review Board is one of many ongoing regulatory and ‘cyber norms’ efforts to formulate a standardized governmental response to cybersecurity incidents and subsequent mitigation efforts. There is some concern about the seemingly disconnected nature of the design efforts across various agencies within the USG. Easterly’s integration of the expertise of the CISA Cybersecurity Advisory Committee members into the early phases of ‘standing up’ the Cyber Safety Review Board is encouraging news.

Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.