COMMENTARY: There were recent layoffs at the U.S. Cybersecurity and Infrastructure Security Agency (CISA) as part of the new administration’s transition plans. I am not in a position to decide if the existing job cuts made sense or not, but I do want to argue that we need a far larger CISA than we have today.
CISA was created in 2018 under the Department of Homeland Security (DHS) to gather together over 16 previously separate agencies that worked on cybersecurity. Since its creation, it has succeeded in becoming the best U.S. government agency in history tasked with protecting our cyber infrastructure, both within the government and private industry.
Within the government, it has some legal weight and can create and enforce cybersecurity directives by law. However, CISA does not have any legal weight with the private sector, and it relies on good faith friendships and private-public partnerships to accomplish its goals. It has succeeded in convincing many talented, extremely capable, and experienced individuals to leave their higher-paying jobs in the private sector for a career with a greater mission.
CISA is now a part of the Five Eyes Intelligence Oversight and Review Council (FEORC), along with our friendly allies, Australia, Canada, New Zealand, and the UK. The members share threat intel with each other and publish joint awareness and cyber defense documents on a regular basis.
Notable CISA programs
In just a handful of years, CISA has created many notable cybersecurity programs that have provided significantly useful cybersecurity tools and services that have benefited the U.S. and the world. Here are some notable ones:
Over the last year, there were more than 40,000 publicly announced software and firmware vulnerabilities, and organizations need to patch the ones that exist in their environments. But barely 1% of those vulnerabilities were ever used by a real-world criminal hacker to attack a real-world company. CISA's Known Exploited Vulnerabilities (KEV) catalog tracks exactly those: the top vulnerabilities that everyone needs to patch, and it's easier to patch 1% of something than 100%. Anyone can subscribe to the KEV and receive daily updates when a particular vulnerability is being used by attackers to harm companies. It has changed the way the world patches.
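The prioritization the KEV enables, as an added example that is not from the column: intersect a vulnerability scanner's findings with KEV-style records and order the hits by urgency. The field names (cveID, dueDate, knownRansomwareCampaignUse) are assumed to follow the public KEV JSON feed; every CVE id and host name below is constructed sample data.

```python
"""Added example: rank scan findings by whether they appear in a KEV-style list.

Assumption: KEV field names follow the public KEV JSON feed. All CVE ids and
host names here are constructed samples, not real catalog entries."""
from datetime import date

# Constructed KEV-style records (same shape as the feed, made-up ids).
KEV_SAMPLE = [
    {"cveID": "CVE-0000-0001", "dueDate": "2025-02-01", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "dueDate": "2025-03-15", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "dueDate": "2025-01-10", "knownRansomwareCampaignUse": "Unknown"},
]

# Constructed scanner output: CVE id -> hosts where the scanner found it.
SCAN_SAMPLE = {
    "CVE-0000-0001": ["web-01", "web-02"],
    "CVE-0000-0003": ["db-01"],
    "CVE-0000-0099": ["file-01"],  # not in KEV: the 99% that can wait
}


def kev_priority(scan, kev, today_iso):
    """Return scan findings that are in KEV, most urgent first.

    Ordering: past the KEV due date first, then ransomware-linked entries,
    then earliest due date. Findings not in KEV are dropped from this list."""
    by_id = {rec["cveID"]: rec for rec in kev}
    today = date.fromisoformat(today_iso)
    hits = []
    for cve, hosts in scan.items():
        rec = by_id.get(cve)
        if rec is None:
            continue
        due = date.fromisoformat(rec["dueDate"])
        hits.append({
            "cve": cve,
            "hosts": hosts,
            "due": due,
            "overdue": due < today,
            "ransomware": rec["knownRansomwareCampaignUse"] == "Known",
        })
    # False sorts before True, so negate the flags to put urgent items first.
    hits.sort(key=lambda h: (not h["overdue"], not h["ransomware"], h["due"]))
    return hits


def kev_coverage(scan, kev):
    """Fraction of distinct scanned CVEs that appear in the KEV list."""
    ids = {rec["cveID"] for rec in kev}
    return sum(1 for cve in scan if cve in ids) / len(scan)


if __name__ == "__main__":
    for hit in kev_priority(SCAN_SAMPLE, KEV_SAMPLE, "2025-02-15"):
        state = "OVERDUE" if hit["overdue"] else "due " + hit["due"].isoformat()
        print(hit["cve"], state, "ransomware" if hit["ransomware"] else "", hit["hosts"])
```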
More than one-third of successful compromises involve software and firmware vulnerabilities. CISA took on the onus of getting all development vendors to take greater responsibility for reducing the number of vulnerabilities, and for eliminating the whole classes of errors that produce the most of them. For example, CISA found that memory-safety errors accounted for more than 50% of the vulnerabilities from some major developers, and that using a memory-safe programming language such as Rust could eliminate large numbers of vulnerabilities.
CISA created a public-private task force to address the threat of ransomware and sends out frequent Five Eyes warnings about emerging ransomware threats. CISA has been instrumental in cutting off the flow of money in order to financially strangle ransomware groups out of existence. When CISA started, more than 70% of ransomware victims paid the ransom. Now that figure has dropped below one-third and is getting smaller each year. Ransomware is still a huge global threat, but less of one thanks to CISA, and if we ever one day get rid of ransomware, it will be because CISA got involved.
I do not have the room in this column to mention the dozens of other great programs that CISA has, but it is involved in securing our industrial control systems and supply chains, encouraging the use of MFA, gathering robust threat intelligence, publishing cyber threat advisories, and helping to make our world more resistant to forthcoming quantum threats.
Bottom line: There’s not a part of the cybersecurity world that CISA did not help improve.
We need a far larger CISA
Ignoring the recent staffing cuts, it’s very easy to make the argument that CISA needs to be far larger in terms of resources, staffing, and capability. We are in the middle of a global cyberwar where our adversaries regularly cause business disruption and steal our most valuable secrets — and we are losing badly. The nation’s adversaries can shut our companies down at will, and most of our critical infrastructure is rife with unauthorized foreign access. It’s a pretty bad situation.
Today, CISA has over 3,000 employees and a $3 billion budget, not chump change, but not nearly enough to effectively fight the threat we face. Cybercrime gets measured in the tens of billions of dollars annually. Our hospitals and pharmacies have been shut down. The Change Healthcare ransomware attack resulted in over a billion dollars in damages alone. When hospitals are hit by an attack, it literally can kill people. There’s not a business or CISO that thinks their organization cannot be successfully taken down by a cyberattack if their adversary simply tries. Something has to change.
In any war, nations need to respond by putting the necessary resources in the right places. We need to increase our national cybersecurity defenses by an order of magnitude and act and respond as befits the war we are in.
For decades, we ignored the threat and acted as if all the foreign attackers were more of a nuisance than an attack on our way of life. Now, our adversaries take down our critical infrastructure, our oil pipelines, and our supply chains at will. The results would be far worse if we were also engaged in a real-world kinetic battle at the same time.
Our adversaries have shown that they swiftly and aggressively use cyberattacks to take out critical infrastructure during times of war. We are, as a nation, wholly unprepared.
We need a far larger national cybersecurity agency with more capability, perhaps even the ability to enforce cybersecurity requirements in the private sector — at least as it applies to our critical infrastructure, and that will take new laws from Congress, resources, and funding.
CISA has already proven its incredible value, given the limited resources it already had. It was able to lure some of the cybersecurity world’s best minds to tackle its important mission. We need more of them.
We are already in a cyber war: we need to act and respond accordingly.
Roger Grimes, data-driven defense evangelist, KnowBe4
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.