Congress Establishes Cybersecurity and Infrastructure Security Agency, Heightening National Focus on Critical Infrastructure Protection

December 6, 2018

The Cybersecurity and Infrastructure Security Agency (CISA)

On November 16, 2018, President Trump signed the Cybersecurity and Infrastructure Security Agency Act (H.R. 3359) into law, amending the Homeland Security Act of 2002. The law reorganizes the National Protection and Programs Directorate (NPPD), a DHS office created by executive authority in 2007, to create the Cybersecurity and Infrastructure Security Agency (CISA).

The legislation established CISA as a full-fledged, Congressionally authorized office, analogous to the Secret Service within the Department of the Treasury.

CISA's mandate includes: facilitating information sharing between state and federal agencies and critical infrastructure operators; establishing robust pathways for regular state-federal cooperation; and providing technical assistance to states to increase their capacity for protecting critical infrastructure by developing local cybersecurity programs. CISA's mission will be carried out through three divisions focused on Cybersecurity, Emergency Communications, and Infrastructure Security.

The promotion of NPPD from a directorate to a federal agency sends a strong, bipartisan signal that cybersecurity for critical infrastructure protection is a national priority. A broader mandate will reinforce CISA's role as a hub of technical support for states, municipalities, and private industry. With Congressional support, CISA will be able to launch new efforts to respond to evolving cyber threats.

We applaud the reorganization, especially the mandate "to provide analyses, expertise, and other technical assistance to critical infrastructure owners and operators." As part of this mission, we urge CISA to provide not only guidance on technical upgrades, but also assistance with social engineering and management.

Helping agencies respond to and recover from cyberattacks is essential to safeguarding vital systems. As noted by experts, including Massachusetts CISO Dennis McDermitt, eliminating all risk of cyberattack is impossible. CISA should focus on helping states and utilities identify their most essential assets and build the capacity to bring cyber assets back online when they are eventually compromised.

We also encourage CISA to focus on facilitating cooperation between private utilities, states, and federal regulators. The interlinkage of smart grids across state and municipal boundaries multiplies the cyber risk to these systems and makes collaboration essential. Since 2014, DHS has operated the Critical Infrastructure Cyber Community (C³) Voluntary Program to support local and state governments, as well as private utilities, in implementing the National Institute of Standards and Technology (NIST) framework, which consists of standards, guidelines, and best practices for managing cybersecurity-related risk. We hope such efforts will be continued and expanded under CISA's new mandate.

One effective strategy that CISA might want to consider is organizing informal "technical meetings" on cybersecurity between regulators and private utilities. Connecticut used this strategy to great effect in developing its Cybersecurity Strategy and Action Plan. By promoting informal interaction outside formal rulemaking contexts, CISA can improve relationships and enhance trust, both keys to long-term improvements in cybersecurity.