- The Cybersecurity and Infrastructure Security Agency (CISA) named the first 23 members to its Cybersecurity Advisory Committee (CSAC) Wednesday, including Johnson & Johnson CISO Marene Allison and AWS CISO Stephen Schmidt.
- The CSAC was established in June, with seats for 35 members, to facilitate subcommittees for information exchange, critical infrastructure, risk management, and public and private partnerships.
- The members — who range from industry and government technology and security leaders — will advise CISA Director Jen Easterly on the agency's policies and programs.
CISA is on a path to improve its public-private partnerships. One of the agency's first private sector super groups, the Joint Cyber Defense Collaborative (JCDC), was established in August and was first tasked with combating ransomware and crafting cyberattack response for cloud providers.
Now CISA has a team across industries, whereas JCDC's members are focused in IT and cybersecurity.
With more regulations and mandates looming over critical infrastructure industries — including pipeline, and railroad and airport owners and operators — the government needs input from private sector stakeholders to shape policies. The stakeholders could also influence the government's approach to compliance.
The FY2021 National Defense Authorization Act (NDAA) established the committee, one of the original recommendations of the Cyberspace Solarium Commission (CSC).
The CSC asked the DHS secretary to establish an advisory committee to "advise, consult, and make recommendations to CISA on policies, programs, and rulemakings, among other items, to account for non-federal interests," the report said.
The CSAC's Federal Advisory Committee Act (FAC) membership balance plans allow Easterly to "select members with a background in cybersecurity issues relevant to CISA policies, plans, and programs." For the CSAC to work, it is required to have members "professionally, technically, and culturally diverse."
Members will serve two years or until CISA's director or the committee's designated federal officer appoint their successor, according to the plans. "They may be reappointed for an unlimited number of terms."
Members are chosen based on their background or expertise, industry, current position, and their organization's service offerings, according to the FAC membership plan.
Members are initially contacted by stakeholder outreach via the director of CISA or the committee's designated federal officer, who then reviews members annually to ensure their membership is still beneficial to the CSAC.
Easterly is allowed to appoint at least one but a maximum of three representatives per critical industry, including defense, education, information technology, finance, and healthcare.
Of the 23 initial members, at least 10 are representatives of critical infrastructure in the private sector, but notably the members are not frontline security personnel, pointed out by security professional Robert Graham on Twitter.
The initial members include:
- Steve Adler, mayor of Austin, Texas
- Marene Allison, CISO of J&J
- Lori Beer, global CIO of JPMorgan Chase
- Roberto Chesney, associate dean for academic affairs at the University of Texas School of Law
- Thomas Fanning, chair, president and CEO of Southern Company
- Vijaya Gadde, lead of legal, public policy and trust at Twitter
- Patrick Gallagher, chancellor of the University of Pittsburgh
- Ron Green, CSO of Mastercard
- Niloofar Razi Howe, senior operating partner at Energy Impact Partners
- Kevin Mandia, CEO of Mandiant
- Jeff Moss, founder and president of DEF CON Communications
- Nuala O'Connor, SVP and chief counsel, digital citizenship at Walmart
- Nicole Perloth, cybersecurity reporter, The New York Times
- Matthew Prince, co-founder and CEO of Cloudflare
- Ted Schlein, general partner at Kleiner Perkins
- Stephen Schmidt, VP and CISO for AWS
- Suzanne Spaulding, senior advisor for homeland security and director of the Defending Democratic Institutions project at the Center for Strategic and International Studies
- Alex Stamos, founding partner of the Krebs Stamos Group and director of the Stanford Internet Observatory
- Kate Starbird, associate professor in the Department of Human Centered Design and Engineering
- George Stathakopoulos, enterprise information security lead at Apple
- Alicia Tate-Nadeau, Illinois Homeland Security advisor and director of the Illinois Emergency Management Agency
- Nicole Wong, principal at NWong Strategies
- Christopher Young, EVP of business development, strategy, and ventures at Microsoft