A new federal advisory committee has the chance to “reframe” the evolving U.S. approach to cybersecurity, as the Cybersecurity and Infrastructure Security Agency turns to the panel for recommendations on workforce, improving “cyber hygiene” in the United States and more.
The Cybersecurity Advisory Committee’s 23 members met for the first time Dec. 9. The committee’s chairman is Thomas Fanning, president and CEO of Southern Company. The vice chairman is Ron Green, chief security officer for Mastercard.
CISA Director Jen Easterly said she doesn’t want a “20-page white paper” from the group. Instead, she is looking for actionable recommendations, ideally in the form of “short info papers.”
“This is really just not about being a talking club,” Easterly said at the beginning of the meeting. “This is about leveraging your expertise, your perspective, to make the nation safer. At the end of the day, this is really about implementing those things that will help CISA truly be the nation’s cyber defense agency.”
One of the first major tasks for the committee is looking at how CISA can transform its cybersecurity workforce. The agency is already harnessing a new hiring and retention program, the Cyber Talent Management System.
CTMS launched in November, and is exempt from many of the government’s traditional competitive hiring, classification and compensation practices. CISA says it offers a streamlined hiring process and salaries that are more on par with the private sector.
Nitin Natarajan, deputy director of CISA, told the committee that the agency could use some advice on how to take advantage of the new system to recruit top cyber talent.
“There’s a lot of flexibilities in the system compared to the traditional hiring process,” he said. “And we’re really looking forward to hearing from the expertise around the table on how we can build that pipeline, how we can make sure we’re tapping into the right talent, the right diversity of talent, diversity of thought that are going to come into becoming the next generation of not just CISA cyber talent, but it’s ultimately a nation cyber talent.”
Committee members said it will be tough for CISA to outcompete the private sector on salaries and benefits alone. But they agreed the agency could offer benefits like student loan relief and strong professional development tracks.
Nicole Wong, a consultant and former deputy chief technology officer in the Obama administration, said CISA should have flat workplace culture, where even junior members have access to leadership.
She also pointed out many technology workers who have gone from the private sector to the government are often most frustrated by the slow pace of tech delivery at many agencies.
“So as you think about how you scope, your projects, and your milestones, the folks who work in tech like to be able to deliver quickly,” Wong said. “So the sprint process that you’re in is really important from a cultural standpoint. But it’s important for them as a professional standpoint and speeding that up.”
Members said a successful workforce development initiative will result in the private sector poaching talent from CISA, rather than vice versa.
“I think a metric if you come up with what’s the metric of success here is anyone in the private sector should covet seeing ‘CISA’ on the resume of somebody,” Ted Schlein, general partner at venture capital firm Kleiner Perkins, said.
CISA is also looking to the advisory committee to help boost “cyber hygiene” in both the private and public sectors. The agency wants help in ensuring companies are adopting best standards for security, like multifactor authentication.
Eric Goldstein, CISA’s executive assistant director for cybersecurity, said he doesn’t think most companies are guilty of gross negligence when they get breached.
“The fact the matter is today, it is too hard for both network defenders and business executives to make the right decision, because we’re not giving them the easy path,” Goldstein said. And the easy path needs to be the pro security path. And the more that we can both design that and then make it crystal clear and tell that story about how you know, take the easy path. And here’s the best stories you can avoid. And here’s the brighter future, we’ll all see, I think that’s the way to drive some some real impact.”
Easterly tasked George Stathakopoulos, head of the enterprise information security program at Apple, with leading the cyber hygiene effort. He suggested getting CISA, the United States and even the world focused on key big-picture goals, like eliminating single-factor authentication by 2025.
“It should be a common goal, should be a national goal,” Stathakopoulos said. “It should be supported by money should be supported by companies who are willing to put money around it. Tax breaks, incentives, whatever it is, but it should just be one single unifying goal. And nobody can argue that it’s their own thing, right and make it happen.”
The committee’s third big mandate is to “ignite the hacker community,” as Easterly puts it. She said CISA needs to leverage their talent, expertise and capabilities to re-imagine cybersecurity.
Easterly asked Jeff Moss, an American hacker and the founder of Black Hat and DEF CON, to lead the effort.
Moss said CISA will need to avoid using overly militaristic language if the agency wants security researchers on their side. And he said the agency could provide the community with an avenue into the often opaque world of policymaking. He suggested CISA also help strengthen the ability of ethical hackers and security researchers to safely report flaws in products without fear of reprisal. DHS recently announced a permanent “bug bounty” program.
Ultimately, Moss said “trust” in people, not institutions, will be key to getting hackers, researchers and academics to contribute to CISA’s mission.
“If CISA is trying to be this institution, you have to identify trustworthy, outward facing champions, empower them, and have them become the people through which these communities build personal, trusted relationships,” Moss said. “And over the years, the reputation will be like, ‘oh, all these great, trusted people are at CISA, you can trust CISA.’ But they’re not going to just say, ‘I trust CISA.’ It’s always that personal connection.”
Easterly also tasked the committee with tackling mis- and dis-information, and efforts to build resilience in national critical infrastructure.
The broad mandate gives the panel to “reframe” what is possible in the cybersecurity space, according to National Cyber Director Chris Inglis.
“What we’ve been doing collectively as a nation has not been working,” Inglis said at the close of the meeting. “There are so many issues that we have identified that we must take on. I think this group can make a serious dent in all of that.”