BY: MAGGIE MILLER | 01/30/2023 06:00 AM EST
A top priority for the Cybersecurity and Infrastructure Security Agency in 2023: cajoling corporations into better safeguarding their networks — including a potential laundry list of what that should include.
Companies need to embrace the idea of “corporate cyber responsibility,” CISA Chief of Staff Kiersten Todt told POLITICO in an interview Friday at the agency’s headquarters in Arlington, VA.
“The innovation of the car was a great asset, and with that though came this responsibility to take care of the car, to make sure it was safe and secure,” Todt said. “Similarly, cyber represents technology, represents innovation that every company benefits from.”
Todt’s comments come after a bruising few years in which companies have been pummeled by ransomware attacks and the war in Ukraine has increased worries about Russia launching cyberattacks against U.S. companies.
Todt stressed that she’s talking about voluntary actions by companies and said CISA is exploring putting out guidelines to help them do that. That could include CISA creating a “series of best practices” on cybersecurity for boards and senior officials, she said.
“What we’re doing right now is exploring and examining and researching what makes the most sense to be able to put it in a straightforward, accessible way and that is something off of which we can build,” Todt said. She stressed that “this isn’t intended to be ‘thou shalt,’ it’s much more of the ‘we’ve got to work together.’”
The Biden administration has issued some cybersecurity mandates over the past two years, such as cybersecurity directives for the pipeline sector following the ransomware attack on Colonial Pipeline in 2021 that crippled the East Coast’s fuel supply. President Joe Biden also signed into law legislation last year that requires certain critical infrastructure groups to report cyber incidents and ransomware payments to the federal government.
But CISA’s upcoming guidelines follow a long-held practice of trying to work with industry first and encouraging the private sector to implement cybersecurity improvements of its own accord. As ransomware and other types of cyberattacks increasingly target the bottom line and reputations of businesses, the private sector has more incentive to comply.
Todt said CISA would involve industry in any crafting of guidelines, and that there are no specific deadlines at the moment for the initiative.
CISA could work with other agencies in prioritizing corporate cybersecurity, such as with the Small Business Administration to help get smaller organizations involved, Todt said. More formally, the Internet Security Alliance and the National Association of Corporate Directors will be jointly involved in the program alongside CISA.
NACD CEO and President Peter Gleason said in a statement that the company plans to release a new version of its Cyber-Risk Oversight Handbook in partnership with ISA at an event in March, which he said will include a “contribution from CISA and other agencies focused on cybersecurity.” He noted that more than 80 percent of directors surveyed by the NACD reported that the understanding of cybersecurity at the board level had increased in the last two years, a positive trend.
“Our collaboration with CISA helps communicate critical U.S. government guidance on urgent cyber matters to the board community,” Gleason said.
ISA President Larry Clinton said Friday that the program will help to “reorient the understanding of cybersecurity as a top-down strategic concern as opposed to simply a bottom-up operational concern.”
“Working with CISA to help broaden the adoption of these proven successful principles and practices could lead to a substantially improved cyber ecosystem and demonstrate that the most effective way for us to pursue cybersecurity is through the industry-government partnership model,” Clinton said.
Todt said that CISA leaders would likely be discussing the initiative during appearances this year, and stressed that the products created will not be presented as a “fait accompli” by CISA.
“It’s, hey, here’s where we think there’s an opportunity for CISA to work with industry in helping create these cultures of security, helping to prioritize and learn from different entities,” Todt said. Getting the right messaging is key: “We have to talk about it in business language,” she said.
Companies have been more fixated on cybersecurity after a year in which CISA worked to ensure critical infrastructure groups were alert to potential threats from Russia as part of its “Shields Up” campaign. Todt noted that this effort served as a “catalyst” for boards to invest more in cybersecurity, and that industry has made clear to CISA that it doesn’t want to go “shields down,” particularly due to ongoing ransomware attacks that have made cybersecurity a major concern for Americans.
“People now accept this heightened level of vigilance without real fatigue because this is what’s part of what we need to do,” Todt said. “That is an element of this corporate cyber responsibility, and being able to work more collaboratively with industry to help them demystify what we know.”