In case you missed it, November is Critical Infrastructure Security and Resilience Month. What better way to recognize the occasion than to sign a landmark cybersecurity bill? On Friday President Trump signed the Cybersecurity and Infrastructure Security Agency Act of 2018 to cement the process of restructuring and operationalizing the U.S. Department of Homeland Security to protect America’s critical infrastructure footprint -- one that is primarily owned and operated by the private sector. CISA replaces the National Programs and Protectorate Directorate and will now enjoy institutional parity with other agencies of similar clout and import in Washington. The measure drew praise from current and former government officials, as well as industry. Claroty supports this long overdue but critically important new law for a few reasons.
First, industry has long demanded greater clarity (no pun intended) on whom to call in Washington in the event of a cybersecurity event or incident. Prior to the signing of this Act, there were multiple federal agencies claiming to be the primary interface with the private sector on matters of cybersecurity. Now, however, the law is explicit that CISA is responsible for coordinating with non-federal entities. Having a single front door will simplify the process of reporting incidents, sharing information, and collaborating on research and analysis.
Second, CISA is now on par with other components of DHS like the Secret Service, making it a far more effective vehicle for advocating on behalf of industrial cybersecurity within the federal government. By elevating its status within DHS and across the interagency, the equities of the private sector will be better served. This extends to a variety of key issue areas such as vulnerability disclosure, research and development, and the downgrading of classified intelligence for information sharing purposes.
While we at Claroty are excited about CISA, we understand the cynical point of view too. Some have compared the reorganization to “reshuffling the deck chairs of the Titanic” while others question, “If it took this long to change a name, how can we expect the federal government to protect our infrastructure?” We accept these views as fair, but take a more optimistic position.
The Department of Homeland Security is under no illusions that the federal government, by itself, can protect our critical infrastructure from cyber threats. To the contrary, for many years I’ve observed widespread acknowledgment, from the top down, that industry is on the front lines of this fight and therefore they must lead the way. But to do so they need a capable partner in the U.S. government -- not to mention state and local governments -- to play a supporting role. In this respect, CISA’s three divisions -- Cybersecurity, Infrastructure Security, and Emergency Communications -- will be better positioned than ever before to support the private sector.
CISA’s new mantra is “Defend Today, Secure Tomorrow”. At Claroty we embrace these words and believe that only if the public and private sectors coalesce around a common cybersecurity mission can we collectively defend and secure our critical infrastructure.