A new federal advisory board has the opportunity to “reframe” the evolution of the U.S. approach to cybersecurity, as the Cybersecurity and Infrastructure Security Agency turns to the panel for recommendations on its workforce, on improving “cyber hygiene” across the United States, and more.
The 23 members of the cybersecurity advisory committee met for the first time on December 9. The committee is chaired by Thomas Fanning, president and CEO of Southern Company; Ron Green, chief security officer of Mastercard, is vice chair.
CISA director Jen Easterly said she didn’t want a “20-page white paper” from the group. Instead, she wants actionable recommendations, ideally in the form of “short briefing papers.”
“It’s really not about being a chat club,” Easterly said at the start of the meeting. “It’s about leveraging your expertise, your perspective, to make the nation a safer place. At the end of the day, it’s really about implementing those things that will help CISA truly be the country’s cyber defense agency.”
One of the committee’s first major tasks is to examine how CISA can build its cybersecurity workforce. The agency recently launched a new hiring and retention program, the Cyber Talent Management System.
CTMS launched in November and is exempt from many of the government’s traditional competitive hiring, classification and compensation practices. CISA says it offers a streamlined hiring process and salaries more comparable to those in the private sector.
Nitin Natarajan, deputy director of CISA, told the committee that the agency could use advice on how to leverage the new system to recruit top cyber talent.
“There are a lot of flexibilities in the system compared to the traditional hiring process,” he said. “And we’re really looking forward to hearing the expertise around the table on how we can build that pipeline, how we can make sure we’re harnessing the right talent, the right diversity of talent, the diversity of thinking that goes into not only becoming the next generation of CISA cyber talent, but ultimately national cyber talent.”
Committee members said it would be difficult for CISA to compete with the private sector on wages and benefits alone. But they agreed the agency could offer benefits such as student loan relief and strong professional development avenues.
Nicole Wong, a consultant and former deputy U.S. chief technology officer in the Obama administration, said CISA should have a flat work culture in which even the most junior members have access to leadership.
She also pointed out that tech workers who move from the private sector into government are often the most frustrated by how slowly technology gets delivered at many agencies.
“So when you think about the scope of your projects and milestones, people who work in tech like to be able to deliver quickly,” Wong said. “So the sprint process you’re in is really important from a cultural standpoint. But it is important for them from a professional point of view, and to accelerate that.”
Members said a successful workforce development initiative would result in the private sector poaching talent from CISA, rather than the other way around.
“I think one metric, if you want a metric of success here, is that anyone in the private sector should covet seeing ‘CISA’ on someone’s resume,” said Ted Schlein, general partner at venture capital firm Kleiner Perkins.
CISA is also looking to the advisory board to help boost “cyber hygiene” in the private and public sectors. The agency wants help ensuring organizations adopt baseline security practices, such as multi-factor authentication.
Eric Goldstein, CISA’s executive deputy director for cybersecurity, said he doesn’t think most companies are grossly negligent when they are breached.
“The point is, today it’s too hard for network defenders and business leaders to make the right decision because we’re not giving them the easy road,” Goldstein said. “And the easy way must be the road to professional security. And the more we can both design that and then make it crystal clear and tell this story the way you know it, take the easy way out. And here are the best stories you can avoid. And here’s a brighter future we’ll all see, I think that’s the way to make a real impact.”
Easterly has tasked George Stathakopoulos, head of the corporate information security program at Apple, with leading the cyber hygiene effort. He suggested that CISA, the United States and even the world focus on a few large-scale goals, such as eliminating single-factor authentication by 2025.
“It should be a common goal, should be a national goal,” Stathakopoulos said. “It should be backed by money, backed by companies that are willing to invest money around it. Tax breaks, incentives, whatever, but that should only be one unifying goal. And no one can pretend it’s their own thing, and make it happen.”
The committee’s third major mandate is to “ignite the hacker community,” as Easterly puts it. She said CISA needs to harness that community’s talent, expertise and capabilities to reinvent cybersecurity.
Easterly asked Jeff Moss, an American hacker and founder of Black Hat and DEF CON, to lead the effort.
Moss said CISA will have to avoid overly militaristic language if the agency wants to keep security researchers on its side. He said the agency could give the community a voice in the often opaque world of policymaking. He also suggested CISA help build the ability of hackers and security researchers to report product flaws safely, without fear of retaliation. DHS recently announced a “bug bounty” program.
Ultimately, Moss said “trust” in people, not institutions, will be the key to getting hackers, researchers and academics to contribute to CISA’s mission.
“If CISA is trying to be that institution, you need to identify trustworthy and outward-looking champions, empower them and make them the people through whom these communities build personal and trusting relationships,” said Moss. “And over the years the reputation will be like, ‘Oh, all these great, trustworthy people are at CISA, you can trust CISA.’ But they’re not just going to say, ‘I trust CISA.’ It’s still that personal connection.”
Easterly also tasked the committee with tackling misinformation and disinformation, and efforts to build the resilience of critical national infrastructure.
The broad mandate gives the panel the chance to “reframe” what is possible in the cybersecurity space, according to national cyber director Chris Inglis.
“What we have done collectively as a nation has not worked,” Inglis said at the close of the meeting. “There are so many issues that we have identified that we need to tackle. I think this group can make a serious dent in all of this.”