If there is one civilian agency in the United States whose mission is as important to our national defense — and possibly more difficult — as the Defense Department, it is the Cybersecurity and Infrastructure Security Agency. The brevity and clarity of CISA’s mission statement, “reduce risk to the nation’s cyber and physical infrastructure,” does an injustice to the breadth and complexity of the actual task. So I invited CISA’s Deputy Director Nitin Natarajan to the studio recently to tell folks how his agency is dealing with those challenges.
During the first part of the interview we discussed CISA’s mission and priorities (and I joked about how much easier it would be if they had the same type of enforcement powers as their Chinese counterpart, the Cyber Administration of China). During the second half, Nitin explained some of the things CISA is doing to attract and retain some of the most in-demand talent in the world to serve in critical positions at CISA.
While the term “critical infrastructure” may be somewhat self-explanatory, any discussion of how to defend it must start with a discussion of who actually controls critical infrastructure in the United States. A small (very critical) portion of that infrastructure is owned by the DoD, and an even smaller (less critical) portion is owned and operated by federal civilian agencies. However, unlike most of our potential adversaries, the overwhelming majority of the United States’ critical infrastructure is owned and controlled by private enterprise.
With notably few exceptions, the information systems relied upon by U.S. electrical generation plants and distribution networks, medical facilities, telecommunication networks, financial services, etc. are all selected, purchased, operated and maintained by corporations that are in no way bound to follow any federal guidance with respect to which systems they do or don’t buy, how they maintain them, or when they replace them. Additionally, even critical infrastructure that is subject to some minor level of oversight is generally part of a complex web of legal entities with multiagency oversight schemas that make anything other than levying fines after the fact almost impossible. Compared with the authority vested in the Cybersecurity Agency of China, which can simply issue a proclamation like “nobody will use memory chips from U.S. chip manufacturer Micron” so that most of Micron’s China-based business evaporates overnight, CISA’s lack of direct regulatory authority places it at a huge disadvantage.
Nitin explained how CISA deals with the challenge of lacking direct control by creating strong partnerships with industry and other federal agencies, as well as state and local governments.
CISA’s primary tactic for overcoming its lack of direct control mimics the Pentagon’s approach to maintaining stability in challenging regions of the world. It relies on what I would call “economically incentivized coalitions and capacity building programs.” More specifically, CISA provides both commercial companies and state and local governments access to cybersecurity information, education and expertise they could either not afford or would be otherwise unwilling to invest in themselves. At its core, CISA’s efforts enable partners to buy, implement, operate and maintain systems in a secure manner at a much lower cost and in a far more effective manner than they could otherwise afford without CISA’s assistance. Like water buffalo circling the herd to defend their calves against lions, local governments and companies working with CISA are able to build a shared defense model that is stronger than any one of them could ever do alone.
Another key element of CISA’s strategy is a focus on developing a cybersecurity workforce not just for itself, but for the entire federal government, which in turn has positive impacts on both state and local governments as well as private industry. During the show, Nitin spoke at length about job opportunities within CISA and programs available for both college and high school students to develop not only fulfilling, but quite lucrative careers in cybersecurity.
CISA didn’t exist back when I wrote Cybernomic Warfare, but what I said then still applies: The most meaningful conflict of our time will not be fought by soldiers, sailors and Marines driving tanks, ships and airplanes off in some foreign land. It will be a cyber-enabled, economic battle fought by everyday Americans on the streets of every town in America. The work of CISA employees and support contractors plays a critical role in preparing our nation for that fight. They need, and we need them to have, the best and the brightest our country has to offer to ensure we win that war.
To learn more about what people at CISA do every day, why they find their jobs so rewarding, and how you can join their team, please listen to my interview with Nitin as we take A Deeper Look at CISA and visit the CISA Career Page.
Joe Paiva is a retired software industry executive best known for helping to start, grow, buy and sell tech companies. He also served as both an Army Reservist and a senior federal civilian leader in the departments of Defense, Veterans Affairs and Commerce.