The inaugural meeting of the CISA Cybersecurity Advisory Committee (CSAC) was held in December 2021. For highlights and our analysis of the meeting, see A Call to Action from CISA’s Jen Easterly and Def Con’s Jeff Moss at Inaugural CISA Advisory Committee Mtg.

The second meeting of the committee was held in March 2022. For highlights from the 2nd meeting, see Takeaways from the Second Meeting of the CISA Cybersecurity Advisory Committee.

The third meeting of the committee was held in June 2022 in Austin, TX. For highlights from the 3nd meeting, see Takeaways from the Third Meeting of the CISA Cybersecurity Advisory Committee.

OODA Loop Sponsor

The fourth meeting of the committee was held in September 2022. Opening remarks were addressed to the committee by:

Ms. Megan Tsuyi, Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity Advisory Committee (CSAC) Designated Federal Officer
The Honorable Jen Easterly, Director, CISA
Mr. Tom Fanning, CSAC Chair
Mr. Ron Green, CSAC Vice Chair

CISA Cybersecurity Advisory Committee, September 13, 2022: Meeting Summary

Call to Order and Welcoming Remarks

Opening remarks were addressed to the committee by Ms. Megan Tsuyi, Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity Advisory Committee (CSAC) Designated Federal Officer.
The Hon. Jen Easterly, CISA Director, welcomed the attendees and briefly reviewed the background and intent of the CSAC.
The Director announced the completion and distribution of CISA’s Strategic Plan for 2023 – 2025.
She then asked Mr. Brandon Wales, Executive Director, CISA, to introduce the four pillars of the plan:

“The Cybersecurity and Infrastructure Security Agency’s (CISA) 2023-2025 Strategic Plan is the agency’s first, comprehensive strategic plan since CISA was established in 2018. This is a major milestone for the agency: The CISA Strategic Plan will focus and guide the agency’s efforts over the next three years.

The Strategic Plan builds on the foundation created through the CISA Strategic Intent published in August 2019 to guide the agency’s work and create unity of effort. In our role as the nation’s cyber defense agency and the national coordinator for critical infrastructure security, CISA works with critical infrastructure partners every day to address the evolving threat landscape.” (1)

Mr. Wales provided a high-level overview of the CISA Strategic Plan. He reflected on the overall mission focusing on the resiliency and security of the Nation’s critical infrastructure. He highlighted the four pillars approach of the CISA Strategic Plan.

1) Spearhead efforts to make a more resilient cyberspace;

2) Determine how to reduce risks and strengthen the Nation’s critical infrastructure;

3) Ensure close operational coordination and information sharing; and

4) Determine how to make CISA a more effective and efficient organization.

Mr. Wales reiterated that the CISA Strategic Plan is a starting point for CISA moving forward over the next three years.

Operational Updates

Director Easterly described CISA’s effort to align Agency goals and objectives with specific measurements that help reduce risk. She pointed out that the Strategic Plan highlights many of the undertakings CISA accomplished since its establishment, including the launch of the Shields Up campaign.

Director Easterly then asked Mr. Eric Goldstein, Executive Assistant Director for Cybersecurity, CISA, to provide an operational update:

CISA remains vigilant against threats, even though the Nation has not suffered a major cyber-attack. He cited the recent major cyber intrusions across the globe, including the recent attack in the Albanian government, Great Britain, and the prevalence of ransomware attacks across the globe.
He provided an overview of CISA objectives, including promoting steps entities may take to bolster their own security and readiness. He emphasized the recent cross-sector discussion to share information to establish best mitigation practices to secure networks independently.
Mr. Goldstein announced the launch of the Joint Ransomware Task Force, established by Congress and co-chaired by CISA and the Federal Bureau of Investigation (FBI), and its goal to reduce the impact of ransomware by cross-sector collaboration to determine best practices of tackling the emergent threat of ransomware intrusion.
He continued with a review of CISA’s Cybersecurity Awareness Month.

Subcommittee Updates

Director Easterly introduced Mr. Tom Fanning, CSAC Chair, Southern Company to provide opening remarks and lead the discussion through the seven Subcommittee updates:

Mr. Fanning welcomed CSAC Members and expressed his gratitude for their work on the CSAC. He emphasized the importance of CSAC’s recommendations to the Nation’s future, and the significant value produced by the discussions surrounding these issues.
He clarified the schedule of the session and opened the floor for opening comments to Mr. Ron Green, CSAC Vice Chair, Mastercard.
Mr. Green reflected that CSAC has made tremendous strides over the past year in collaborating between the public and private sectors.
He shared his enthusiasm for CSAC’s continued achievements and recommendations to bolster the efficiency and resiliency of the Nation’s cybersecurity.

The following subcommittee chairs provided updates:

Mr. Ron Green, Transforming the Cyber Workforce
Mr. George Stathakopoulos, Turning the Corner on Cyber Hygiene
Mr. Jeff Moss, Technical Advisory Council
Dr. Kate Starbird, Protecting Critical Infrastructure from Misinformation and Disinformation
Mr. Tom Fanning, Building Resilience and Reducing Systemic Risk to Critical Infrastructure
Ms. Niloo Howe, Strategic Communication

Protecting Critical Infrastructure from Mis- Dis- and Mal-information (MDM) Subcommittee – Dr. Kate Starbird, Associate Professor, Human-Centered Design & Engineering, University of Washington: Ms. Suzanne Spaulding, Center for Strategic and International Studies, thanked Protecting Critical Infrastructure from Misinformation and Disinformation (MDM) Subcommittee Chair Dr. Kate Starbird, University of Washington, for her leadership and reviewed that she would lead the Subcommittee’s update in Dr. Starbird’s absence.

Ms. Spaulding briefly summarized the Subcommittee’s focus on addressing the urgent risk facing U.S. elections and election officials. She upheld that elections have a critical national function to faithfully reflect the will of the people and secure a peaceful transition of power.

Ms. Spaulding reviewed that the recommendations emphasize the need for CISA to focus on threats to U.S. elections and election officials. Such threats manifest in two ways:

Cyber-enabled threats designed to reduce public trust in the legitimacy of the elections process; and
Broader mis- and dis-information operations the public continues to see.

The recommendations aim to help CISA better support state and local election officials dealing with both types of threats.

Details of the report delivered to the CSAC by the MDM can be found at The CISA CSAC: Cognitive Infrastructure Research and Election Public Messaging.

For the full MDM recommendations made to the CSAC, see:

Building Resilience and Reducing Systemic Risk to Critical Infrastructure (SR) Subcommittee – Thomas Fanning, Chairman, President and CEO, Southern Company: Mr. Fanning summarized the three pillars in the SR report:

The “who” pillar identifies systemically important entities (SIEs);
The “what” pillar specifies resiliency goals for orderly and efficient action; and
The “how” pillar details programs and structures that enable resiliency goals. He reviewed key findings from the SR Subcommittee’s research, including the significant disparity in maturity levels of SIEs, the importance of shared national goals, the need to avoid economic calamity, and the value in harmonizing cyber regulations.

He encouraged CISA to consider replacing Executive Order 13636 Improving Critical Infrastructure Cybersecurity Section 9 entities with the SIEs. Mr. Fanning reviewed the SR recommendations within each pillar:
- Identify SIEs. Collaborate with the private sector on shared obligations. Engage SIEs to identify risk derivatives, coordinate cross-sector risks, and prioritize responses to emerging risks based on impact. Prepare SIEs for triage capabilities.
- Develop a common framework with shared language and goals. Create a culture that unifies CISA, sector risk management agencies, the intelligence community, the private sector, and other national stakeholders.
- Establish goals. Construct an analytic framework with baseline risk management. Provide a forum for business partners to identify their assets and practices. Build an integrated approach to resilience and a maturity model that evaluates performance. Address the perspectives of system owners and operators in addition to their Chief Executive Officers and Chief Information Security Officers. Leverage existing regulations and avoid duplication. Focus on outcomes rather than processes. Demonstrate the value of participation

For the full SR recommendations made to the CSAC, see September 2022 CSAC Recommendations – Building Resilience and Reducing Systemic Risk to Critical Infrastructure (pdf, 148KB)

Strategic Communications (SC) Subcommittee: Presented by Ms. Niloofar Razi Howe, Board Member, Tenable: Ms. Howe thanked the Strategic Communications (SC) Subcommittee members. Ms. Howe commended CISA on their various outreach and newly released Strategic Plan that imparts unity of effort, unity of message, and practical details that support cybersecurity practitioners. Ms. Howe reviewed the SC Subcommittee’s contributions to several CISA initiatives, including the CISA.gov website redesign. Ms. Howe elaborated that the website must reflect the mission and goals of CISA, starting with a complete redesign. She addressed CISA’s unique challenge to serve myriad stakeholders with a broad range of perspectives. She affirmed the SC Subcommittee’s support for future iterations of the website. Ms. Howe also offered the SC Subcommittee’s support for any approved CSAC recommendations. Ms. Nicole Perlroth, Cybersecurity Journalist, added that the SC Subcommittee sees itself as a partner to the other CSAC Subcommittees and that it is prepared to support in any way possible.

For the full SC recommendations made to the CSAC, see June 2022 CSAC Recommendations – Strategic Communications Subcommittee

Transforming the Cyber Workforce (TCW) Subcommittee – Mr. Ron Green, Chief Security Officer, MasterCard: Mr. Green thanked the Transforming the Cyber Workforce (TCW) Subcommittee members and reviewed the TCW Subcommittee’s ongoing assessment of curricula, candidate qualifications, and service requirements for people who participate in the government’s cybersecurity programs. He discussed efforts to attract cybersecurity talent, to identify pipelines that match talent with opportunities at CISA, to research cyber skills, and to evaluate the availability of apprenticeships and mentorships. Mr. Green addressed upcoming efforts to study the decentralized workforce and propose recommendations at the CSAC December Quarterly Meeting. Mr. Chris Young, Microsoft, commented on the relationship between the TCW Subcommittee’s work and other CSAC Subcommittee’s initiatives. He identified the cyber skillset as a common denominator, and he noted the potential for collaboration.

Director Easterly announced that CISA’s new Chief People Officer (CPO) will join in October 2022. She asserted that the CPO would help to unify these efforts. Ms. Kiersten Todt, Chief of Staff, CISA, summarized an initiative between the Department of Commerce, the Department of Labor, the National Institute of Standards and Technology, and CISA to promote cyber apprenticeships and job retraining. Mr. Green indicated that the TCW Subcommittee would include that initiative in its research.

For the full TCW recommendations made to the CSAC, see June 2022 CSAC Recommendations – Technical Advisory Council Subcommittee (pdf, 332KB).

Turning the Corner on Cyber Hygiene (CH) Subcommittee – Mr. George Stathakopoulos, Vice President of Corporate Information Security, Apple, identified the Turning the Corner on Cyber Hygiene (CH) Subcommittee’s focus and security requirements. Mr. Stathakopoulos noted that the Subcommittee centered its original efforts on targeting small and medium organizations, places that cannot provide their own IT security and cyber hygiene. This idea has since expanded to include the entire spectrum of organizations.

Mr. Stathakopoulos reviewed the CH Subcommittee’s previous recommendation for CISA to focus on Multi-Factor Authentication (MFA). He encouraged CISA to saturate the cybersecurity landscape with this message as much as possible and partner with large companies to amplify this message. He suggested that large companies could also pledge their support to encourage other organizations to enable MFA. He detailed the Subcommittee’s earlier recommendation for CISA to support and expand upon the Austin 311 pilot program which has been tested already.

Mr. Bobby Chesney, University of Texas, described the current partnership University of Texas, Austin, and the City of Austin has with various private sector entities. He campaigned for the need to scale up the required talent to enact a national partnership and solicit inquiries on how that might be possible. He submitted that the goal was pioneering a direct intersection between various cities and CISA, to establish partnerships. Mr. Stathakopoulos added that CISA should use metrics gathered through the partnership in Austin, Texas to determine emergent CISA partnerships.

Mr. Stathakopoulos opened the floor to comments and questions from the attendees. Ms. Marene Allison, Johnson & Johnson, noted that it might be more effective to focus on messaging senior corporate (C-Suite) executives and resiliency forums, as opposed to only Chief Security Officers. Ms. Nuala O’Connor, Walmart, responded that the recommendations are pointed toward all C-Suite executives. Mr. Green added that it would be beneficial to push these recommendations to boards of directors as well. Director Easterly clarified the importance of a robust cyber ecosystem to all boards of directors, as cyber security is business security. Mr. Stathakopoulos added that the next step would be to find new potential targets and centralize partnerships.

Director Easterly stressed that cyber risk is business risk is national risk. She also expressed support for the idea of a cyber hotline.

For the full CH recommendations made to the CSAC, June 2022 CSAC Recommendations – Turning the Corner on Cyber Hygiene Subcommittee (pdf, 256KB)

Technical Advisory Council (TAC) – Jeff Moss, Founder, and President, DEFCON Communications: Mr. Eric Goldstein, CISA, briefed on the Technical Advisory Council (TAC) Subcommittee’s efforts in the absence of Subcommittee Chair Mr. Jeff Moss, DEF CON Communications.

He affirmed the Subcommittee’s support of the recommendations accepted by the full Committee during the CSAC June Quarterly Meeting regarding vulnerability discovery and disclosure and cyber threat intelligence sharing. He reviewed the Subcommittee’s actions to date including meeting with stakeholders across critical infrastructure and state, local, territorial, and tribal governments for additional context on how CISA interacts with key partners and to inform the group’s next set of recommendations. He thanked the Subcommittee members for their work reviewing CISA’s guidance to small businesses and reviewing challenges in reaching critical threat areas.

Director Easterly affirmed the significant level of support the TAC Subcommittee members have given CISA by providing feedback on ways to engage small businesses.

For the full TAC recommendations made to the CSAC, see June 2022 CSAC Recommendations – Technical Advisory Council Subcommittee (pdf, 332KB)

Next CSAC Meeting

Director Easterly thanked the CSAC Members for their attendance and contribution to the discussion. She announced that the next CSAC Quarterly Meeting will be on December 6, 2022.

Further CISA CSAC Resources

For the readout from the meeting, see CISA’s Fourth Cybersecurity Advisory Committee Meeting.

More information on CISA’s Cybersecurity Advisory Committee is available here.

Stay Informed

It should go without saying that tracking threats are critical to inform your actions. This includes reading our OODA Daily Pulse, which will give you insights into the nature of the threat and risks to business operations.

CISA Cybersecurity Advisory Committee, September 13, 2022: Meeting Summary

Call to Order and Welcoming Remarks

Operational Updates

Subcommittee Updates

Next CSAC Meeting

Further CISA CSAC Resources

Stay Informed

Related Reading:

Explore OODA Research and Analysis

Decision Intelligence

Disruptive/Exponential Technology

Security and Resiliency

Community

CISA Cybersecurity Advisory Committee, September 13, 2022: Meeting Summary

Call to Order and Welcoming Remarks

Operational Updates

Subcommittee Updates

Next CSAC Meeting

Further CISA CSAC Resources

Stay Informed

Related Reading:

Explore OODA Research and Analysis

Decision Intelligence

Disruptive/Exponential Technology

Security and Resiliency

Community

Share this:

About Daniel Pereira