Officials at the Cybersecurity and Infrastructure Security Agency are optimistic that U.S. companies will embrace its efforts to boost cooperation on raising cybersecurity performance goals, sharing intelligence and building resiliency.
CISA Director Jen Easterly, speaking at a Tuesday forum hosted by the Center for Strategic and International Studies, said the agency has received encouraging feedback on some of the key cybersecurity objectives.
CISA set priorities to get technology companies to develop more secure applications and hardware and to use the recently announced cybersecurity performance goals to strengthen the supply chain, which will help smaller companies with fewer resources become more aware of best cyber practices.
“We need to ensure that we’re coming together to really protect the technology ecosystem instead of putting the burden on those least able to defend themselves,” Easterly said during the forum. “So [I’m] very excited about what I’m seeing from the technology companies.”
Another objective is to get more large companies to embrace cybersecurity as a corporate governance concern, not just a technology concern, Easterly said.
Easterly met with General Motors last week, where CEO Mary Barra is the chair of the Cybersecurity Management Board.
Officials at General Motors said they consider cybersecurity a key corporate responsibility.
“As a technology leader working across sectors including manufacturing, engineering, design and software development, General Motors recognizes the need for a comprehensive cybersecurity strategy that considers every aspect of the business and really the role of every employee,” spokesperson Stuart Fowle said via email. “We appreciate director Easterly’s time and feedback — collaboration is key to our ongoing work in this space.”
The underlying goal is to make sure organizations are secure by design and default.
“This is all about, how do we ... build collective cyber defense for the nation,” Easterly said during the forum. “We’re not in the business of naming or shaming or hurting anybody’s reputation or stabbing the wounded.”
The goal was to take that information, while protecting privacy, and share it with other organizations, to protect the cyber ecosystem, Easterly said. She likened the approach to a neighborhood watch system for the cybersecurity community.
Another important issue for CISA is to do a better job explaining cybersecurity, so that everybody understands why they need to engage in the process, Easterly said.
Suzanne Spaulding, senior advisor for homeland security at CSIS, who interviewed Easterly during the forum presentation, emphasized the need to raise the cost of putting out blatantly unsafe devices or software. The cost of doing so should be greater than the reward of being first to market with a new product, Spaulding said.
This incentive structure is part of the new secure-by-design effort, which aims to get software developers and technology companies to build more cyber resilience into their products on the front end, so a customer does not begin to use a product with built-in vulnerabilities.