Look out, America. There’s a new agency in town. Last November, the Cybersecurity and Infrastructure Security Agency (CISA) was established as a part of the Department of Homeland Security (DHS). The agency evolved out of DHS’ National Protection and Programs Directorate (NPPD), but became its own agency when President Trump signed the Cybersecurity and Infrastructure Security Agency Act last fall.
Why Does America Need a Cybersecurity Agency?
As agency representatives explained on Monday at an event held by the National Security Institute (NSI) and the Intelligence and National Security Alliance (INSA), “CISA’s enduring mission is to lead the nation’s efforts to understand and manage risk to our critical infrastructure.”
For those of us in the security field, the need for such an agency is self-evident. The biggest threats against America have largely shifted from terrorism to state actors like China, Russia, and Iran. Unable to compete with the U.S. using conventional weapons, America’s enemies have instead invested their resources in their cyber capabilities. America’s defense and intelligence apparatus – as well as American private companies – are fending off thousands of cyber threats every day. And with a few exceptions, those threats have been largely blocked. But a cyber hit to America’s critical infrastructure could cause ripple effects that few American citizens consider.
As CISA explains:
“Americans enjoy and expect reliable, secure, and efficient critical infrastructure. Most people can turn on the tap, take public transit, make a call, and place a financial transaction without wondering whether it will be safe or thinking about the technology working in the background to make these things happen…Critical infrastructure is increasingly interdependent and connected. A threat to one part of this infrastructure can impact other sectors quickly.”
CISA: What Does America’s New Cybersecurity Agency Do?
So with this host of threats only increasing, establishing the Cybersecurity and Infrastructure Security Agency seems a prudent move. It seeks to be the nation’s risk advisor, working closely with industry partners to defend against threats today and prepare for those of tomorrow. A large part of its task will be risk management, incorporating wisdom from both the public and private sectors to understand the risk environment and needs of the people and organizations CISA serves.
CISA breaks down its work into five categories:
- National Infrastructure Risk Management
Monitoring, assessing and prioritizing national risk across critical infrastructure sectors; developing strategies for risk management with public and private sector partners.
- Infrastructure and Cybersecurity Operations
Rapidly alerting stakeholders of elevated risk exposure; conducting incident management operations and providing vulnerability assessments; deploying the information, tools, and services necessary to mitigate risk – including regulatory enforcement where necessary.
- Critical Infrastructure Capacity-Building
Building and enhancing the nation’s critical infrastructure security and resilience by advising, training, development of best practices, and evaluation for public and private sector partners.
- Federal Information Security
Ensuring the security of federal civilian enterprise networks and the “.gov” domain by monitoring, providing defensive technologies, and helping partner departments and agencies build their resilience and respond to cyber incidents effectively.
- Interoperable Emergency Communications
Enhancing public safety interoperable communications at all levels of government; conducting outreach nationwide to bolster and support emergency response providers and government officials to communicate in the event of natural disasters, acts of terrorism, and other hazards.
So why should you care?
If you work in the security field, CISA is a resource you can call on to boost your company, agency, or organization’s cybersecurity efforts. Particularly if you work in a small organization whose resources are limited, CISA could offer wisdom and help at a much larger scale than you’re capable of alone. On the flip side, if you have inconsistent or loosey-goosey security standards, CISA could use oversight or regulations to force you to clean up your act.
And if you’re just an average American, hopefully it means that your electrical grid, water supply, internet, and other essential services stay secure. Here’s hoping…