The Cybersecurity and Infrastructure Security Agency outlined plans to more actively focus on responding to immediate threats Friday, part of its fiscal 2024-2026 strategic plan, which also calls for pushing the tech sector to embrace secure-by-design development methods.
The three-year plan comes just weeks after the release of the Biden administration’s implementation plan for the national cybersecurity strategy. The White House plan details a vision for securing U.S. infrastructure against a surge in criminal and nation-state threat activity.
“We know that connected technologies underpin every aspect of our lives, our businesses, our communities, our families, often in ways that allow us to be more connected, productive, efficient than ever before,” Eric Goldstein, executive assistant director at CISA, wrote in a blog post released Friday. “But malicious cyber actors recognize this dependence as well, and continuously work to exploit it for financial or strategic gain.”
The CISA plan revolves around three goals:
- Address immediate threats: Work with partners to gain greater visibility into cyber intrusions, disrupt those campaigns and evict the adversaries.
- Harden the terrain: Support measures to adopt strong security practices and boost resilience, using actionable guidance. Evaluate the progress made to harden potential targets, including critical infrastructure.
- Drive security at scale: Push industry to make security a priority, including the development of security that is embedded into products throughout the lifecycle. Products need to ship with secure defaults and technology companies must be transparent about the ongoing security of their products.
The plan follows and builds on the Biden administration’s national cybersecurity strategy, released in March, which offers a long-term vision regarding how the U.S. plans to secure the nation’s infrastructure against a surge in criminal and nation-state threat activity.
CISA is working closely with private sector stakeholders, critical infrastructure providers and others to get the industry to buy into key areas, including secure-by-design principles and more transparency in the sharing of threat information.
Officials praised CISA for its efforts to continually adjust its strategic priorities in the face of evolving threats.
“CISA is updating and adjusting its strategy on almost an annual basis – exactly what is needed in an emerging technology field,” said Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies.
But Montgomery raised concerns about CISA’s inability to say what other federal agencies should be doing to address information security issues.
Brandon Pugh, director of cybersecurity and emerging threats at the R Street Institute, commended the CISA strategy for its focus on addressing new technologies like AI, saying it can have a beneficial impact on cyber defense but can pose a serious risk in the wrong hands.
Pugh also cited CISA’s emphasis on maximizing the limited amount of resources that many stakeholders can bring to the table.
“This is critical, because both CISA and nearly all entities, especially state and local governments and small businesses, have limited security budgets and still face evolving cyber threats,” Pugh said via email.
Officials at Cisco, a networking, cloud and security solutions provider, praised the CISA strategic plan, citing its focus on public-private collaboration and the resilience and embedded security of critical technologies.
“Our shared goals include reducing the prevalence of vulnerabilities, cutting time to detection of vulnerabilities and decreasing the impact of incidents when they occur,” Eric Wenger, senior director of technology policy and government affairs at Cisco, said in a statement released Friday. “Network resilience is a key aspect of this problem.”