CISA Begins Program to Identify Critical InfrastructureAgency's Jen Easterly, Rep. John Katko Discuss Protection of U.S. Networks
The U.S. Cybersecurity and Infrastructure Security Agency and a congressional committee leader agree that officials must take precautionary steps to identify "systemically important critical infrastructure" to reduce risks of pervasive supply chain cyberattacks.
See Also: Case Study: The Road to Zero Trust
Speaking at a Center for Strategic and International Studies event on Friday to close out Cybersecurity Awareness Month, CISA Director Jen Easterly and Rep. John Katko, R-N.Y., the ranking member of the House Homeland Security Committee, outlined the importance - and progress behind - classifying critical infrastructure.
This follows a wave of cyberattacks over the past 12 months, including the SolarWinds attack, in which threat actors pushed out a malicious software update and breached some 100 organizations globally, and nine U.S. federal agencies; the Colonial Pipeline ransomware attack, which temporarily halted operations of a pipeline supplying nearly half of the East Coast's fuel supply; and the Kaseya attack, in which hackers crypto-locked as many as 1,500 downstream organizations of the remote IT management software provider.
Easterly said on Friday that the agency has begun an effort to identify what she calls "primary systemically important entities," or "Pisces," to protect their systems from global cyberthreats.
"Whether this ends up in legislation or not - and I certainly hope it does - we are already thinking through the model," Easterly said. "So we're prototyping a variety of different approaches … to try and start identifying those entities that are in fact systemically important. We're doing it based on economic centrality, network centrality, and logical dominance in national critical functions.
"We're looking at sectors, but all sectors are connected. So we have to look at these from a national critical function perspective," Easterly continued, noting her agency prefers the "Pisces" acronym over "SICI" - an acronym for "systemically important critical infrastructure" - which was proposed in legislation last month by Katko and Rep. Abigail Spanberger, D-Va.
Commenting on CISA's classification process, former U.S. Air Force network and security technical manager Tim Wade tells ISMG, "Understanding the magnitude and likelihood of impact are two foundational factors of risk assessment. And insomuch as risk is expected to be systematically managed, these factors must be systematically measured.
"I'm very pleased to see steps in this direction at the highest levels, and see this as yet another example of the strategic progress coming out of CISA with Jen [Easterly] at the helm," says Wade, who is currently technical director and CTO for the firm Vectra AI.
Action on the Hill
The Katko and Spanberger-backed Securing Systemically Important Critical Infrastructure Act would formally authorize CISA to establish a similar program to identify critical groups.
"With input from the private sector, [we will] drill down in a collaborative manner to identify what's truly critical, and then dedicate additional resources to those sectors. [Then,] we can … be as [sure as possible] that those sectors are … secure from ransomware attacks and cyber intrusions," the New York congressman said.
Easterly replied: "I think that … ending up in law will be very helpful in continuing to bring the private sector to the table. I think we're in a state now where critical infrastructure is much more vulnerable than it should be. And frankly, that's what I worry about most every day."
NDAA and Incident Reporting
Katko's proposed legislation takes on increased importance as lawmakers consider cyber incident reporting provisions, one of which - introduced by leaders of the Senate Intelligence Committee - would require certain organizations to report incidents to CISA within 24 hours of discovery. Another bill, put forward by leaders of the Senate Homeland Security and Governmental Affairs Committee, would make that window 72 hours. The latter has received private sector support; Senate leaders have said they expect to reconcile the two bills and consider the National Defense Authorization Act as a vehicle to passage.
"We strongly support [incident reporting measures]," Easterly said. "We all ride on very similar technology backbones. And so if you are seeing an attack that can be traced back to other places in our critical infrastructure, it can have a real impact on the nation.
"It's important for us to get information to allow us to share that in an anonymized, useful, relevant, timely, actionable way, to enable other network defenders to protect themselves from that threat. … We're not here to shame, to blame, to stab the wounded. We are here to help; we are here to share that information to prevent others from being hacked."
CISA Executive Director Brandon Wales, formerly acting director prior to Easterly's confirmation in July, said during a recent event, "I think the U.S. government has argued that we think 24 hours is the right amount of time. That brings it in early enough for us to use the information, but does give the company some time to determine whether this is a real incident or not" (see: CISA Leader Backs 24-Hour Timeline for Incident Reporting).
More Consequences Needed?
Asked on Friday about consequences imposed on foreign nations in response to cyberspace activity, Katko stated, "The U.S. needs to continue attributing and punishing, to the most severe extent possible, nation-state-sponsored cyber intrusions.
"I think that we need to do more than we're doing, at a minimum. We can't have China acting with impunity, attacking our systems, and malign actors within Russia - acting under the imprimatur of Putin - to go unchecked.
"We [shouldn't do anything] that is going to start World War III, but we do need something that's going to make them feel the pain. And I think sanctions are a big thing."
Halting Ransomware Attacks?
Ransomware continues to challenge both agency leaders and policymakers. The Biden administration levied economic sanctions against Russia in retaliation against the SolarWinds incident in April, and Biden convened a bilateral summit with Russian President Vladimir Putin in June to discuss off-limits critical infrastructure.
In October the White House National Security Council facilitated a 30-nation, two-day "counter-ransomware" event, without Russia. Afterwards, the White House claimed that progress had been made, saying in a statement, "[The nations gathered at the event] recognize that ransomware is an escalating global security threat."