The Committee, comprised of leading voices on cybersecurity, technology, risk management, privacy, and resilience, held its inaugural meeting in December 2021. In the intervening six months, Committee members brought their unique experiences, perspectives and insights to bear and provided recommendations on the development and refinement of CISA’s cybersecurity programs and policies. During this third meeting, subcommittee chairs provided recommendations on key objectives outlined by the Director during the Committee’s inaugural meeting.
During today’s meeting, Committee members provided tangible updates on the work of their subcommittees:
Transforming the Cyber Workforce Subcommittee, Presented by Mr. Ron Green, Chief Security Officer, Mastercard: The subcommittee is focused on building a comprehensive strategy to identify and develop the best pipelines for talent, to expand all forms of diversity, and to develop retention efforts to keep our best people. During today’s meeting, the subcommittee recommended that CISA prioritize its strategic workforce development; dramatically improve its talent acquisition process to be more competitive with the private sector; radically expand recruitment efforts to identify candidates across their professional lifecycle; and leverage talent identification and hiring success through interagency collaboration. They also recommended creating a new position in CISA, a Chief People Officer.
Turning the Corner on Cyber Hygiene Subcommittee, Presented by Mr. George Stathakopoulos, Vice President of Corporate Information Security, Apple: The subcommittee is helping us think through and execute a holistic, scaled approach to ensure that all organizations – public or private, large or small – have the information and resources needed to implement essential security practices. During today’s meeting, the subcommittee chair outlined its three key recommendations. The subcommittee recommended that CISA launch a “311” national campaign to provide an emergency call line and clinics for assistance following cyber incidents for small and medium businesses. The subcommittee also recommended that CISA build out its current multi-factor authentication (MFA) campaign by identifying additional vehicles for publicizing its “More Than A Password” campaign, including reaching out to nonprofits, educational institutions, fellow government partners, and the extended cybersecurity community to amplify the importance of MFA. Lastly, they recommended that CISA take all available steps to ensure that companies working with the federal government fully adopt MFA by 2025.
The Technical Advisory Council, Presented by Mr. Jeff Moss, Founder and President, DEFCON Communications: The subcommittee is helping further catalyze CISA’s relationship with the technical community to shift the balance in favor of network defenders. During today’s meeting, the subcommittee chair recommended that CISA develop incentives and access to information to aid security researchers who will submit vulnerabilities affecting critical systems; encourage an environment that works to enable frustration-free vulnerability research and reporting; invest in a central platform to facilitate the intake of suspect vulnerabilities and communication between security researchers, agencies, and vendors; and improve the notification processes after a disclosure has been verified and acted on. The subcommittee also recommended that CISA simplify the reporting process and provide feedback to those reporting vulnerabilities.
Protecting Critical Infrastructure from Mis-, Dis-, and Mal-information (MDM) Subcommittee, Presented by Dr. Kate Starbird, Associate Professor, Human Centered Design & Engineering, University of Washington: The subcommittee is evaluating and providing recommendations on CISA’s role in confronting MDM harmful to critical infrastructure, in particular election infrastructure. During today’s meeting, the subcommittee chair recommended that CISA focus on addressing MDM risks that undermine critical functions of American society. As part of this work, the subcommittee recommended that CISA invest in external research to assess the impact of MDM threats and the efficacy of its MDM mitigation efforts.
Building Resilience and Reducing Systemic Risk to Critical Infrastructure Subcommittee, Presented by Mr. Tom Fanning, Chairman, President and CEO, Southern Company: The subcommittee is helping CISA determine how to best drive national risk management and identify the criteria for a scalable, analytic model to guide risk prioritization. During today’s meeting, the subcommittee chair discussed how they are scoping the best frameworks to collaborate with industry to identify systemic risks across National Critical Functions, including the need to hold tabletop exercises with critical infrastructure partners. The subcommittee plans to provide its recommendations at a future meeting.
Strategic Communications Subcommittee, Presented by Ms. Niloofar Razi Howe, Board Member, Tenable: The subcommittee is focused on expanding CISA’s reach with critical partners to help build a national culture of cyber resilience. During today’s meeting, the subcommittee chair discussed its recommendations, which included an expansion of CISA’s “More Than A Password” MFA campaign to include a corporate partnership program with Fortune 500 companies. They also recommended CISA launch a “311” national campaign, to provide an emergency call line and clinics for assistance following a cyber incident.