Global cyber capabilities are proliferating at an unprecedented rate and posing additional strategic risk to the United States and private industry alike. Recent reporting by CrowdStrike highlights improved capabilities by Russia, among others, which have increased their cyber proficiency to the point of penetrating networks in under 20 minutes. Compounding this is an issue the government continues to struggle with—stovepiping information and lumping organizations into “sectors.”
Despite bureaucracy and a multi-jurisdictional quagmire, the federal government is moving in the right direction with the establishment of the Cybersecurity and Infrastructure Security Agency (CISA). As the newest agency within DHS, CISA was elevated from its previous incarnation as the National Protection and Programs Directorate (NPPD) to the status of a standalone agency in late 2018. CISA is tasked not only with coordinating the protection of the nation’s critical infrastructure and the .gov domain but also helping secure soft targets, crowded spaces, and schools. A major focus of its mission necessitates strong public-private sector cybersecurity partnerships that involve exchanging cyber threat intelligence and communicating about critical cybersecurity issues that affect national security.
To succeed, CISA must ensure this high degree of public-private collaboration because the private sector owns, operates, and maintains approximately 85 percent of our nation’s critical infrastructure. It should alarm us as a nation that this privately-owned critical infrastructure contains significant security vulnerabilities. As an example, according to security company CyberX, “[Industrial] control systems continue to be soft targets for adversaries, with […] security gaps in key areas such as plain-text passwords (69% [of networks]), direct connections to the internet (40%), weak anti-virus protections (57%), and [Wireless Application Protocols] WAPs (16%).” These security vulnerabilities increase the probability of cyberattacks that threaten our national security, economic prosperity, and public health and safety.
To ensure a high level of collaboration and build connections across industries, Congress has acted by introducing the Cybersecurity Advisory Committee Authorization Act of 2019. This act, which was introduced by Rep. John Katko (R-N.Y.) and endorsed by the National Technology Security Coalition (NTSC), will establish an advisory committee of 35 cybersecurity professionals across various industries to provide CISA Director Christopher Krebs and the DHS Secretary guidance on cybersecurity policy and rulemaking. Having broad membership will ensure that CISA is not receiving stovepiped information and can make recommendations that will have the highest impact across all sectors.
As the only association solely representing the Chief Information Security Officer, the NTSC applauds Reps. Katko, Dan Lipinski (D-Ill.), Dan Newhouse (R-Wash.), and Brian Fitzpatrick (R-Pa.) for their bipartisan leadership to establish the Cybersecurity Advisory Committee. The 35 cybersecurity professionals on this committee will consist of those at the frontline of protecting enterprises from state and non-state actors around the globe. If asked, our CISO members are prepared to serve on the Cybersecurity Advisory Committee to help better protect the U.S. from cyberattacks.
With the Cybersecurity Advisory Committee Authorization Act of 2019, Katko continues to be a leader in bridging the cybersecurity gap between the public and private sectors. His work of protecting the U.S. from cyberattacks is critical to our national security, and we urge Congress to pass this important industry-agnostic, bipartisan bill.
Patrick D. Gaul is the Executive Director of the National Technology Security Coalition (NTSC), a non-profit, non-partisan organization that serves as an advocacy voice for Chief Information Security Officers (CISOs) across the nation.