But big companies want to avoid agencies’ use of related performance goals in new regulation.
The Cybersecurity and Infrastructure Security Agency will spend the next three years measuring the success of the government’s effort to protect both publicly and privately controlled critical infrastructure from cyberattacks.
According to a national plan the agency just released to take it through 2025, CISA’s strategy will involve performance goals that were due at the end of July under a national security memorandum addressing cybersecurity for industrial control systems used in critical infrastructure. The agency is planning to issue them sometime in October—cybersecurity awareness month—CISA Executive Assistant Director for Cybersecurity Eric Goldstein said Thursday before lawmakers on the House Homeland Security Committee.
“Where appropriate within CISA authorities, we will set standards and recommendations to guide security decisions, much like our efforts to establish performance goals and increase the cross-sector cybersecurity baseline,” the CISA plan reads.
Measuring progress in cybersecurity has been a notorious sore point from the start of targeted policymaking efforts on the issue. Going back to 2013, when the National Institute of Standards and Technology started work on its landmark cybersecurity framework for critical infrastructure, there was a push to evaluate the state of an entity's cybersecurity based on outcomes, as opposed to the extent to which they implement specific controls to defend against attacks.
Industry has consistently relied on related arguments in trying to foil efforts—most recently an amendment Rep. Jim Langevin, D-R.I., has attached to the National Defense Authorization Act in the House—to hold them accountable to specific cybersecurity standards.
“For several years, federal, state and local governments and industry have embraced a partnership model to defend critical infrastructure—the majority of which is owned and operated by the private sector—from nation-state and criminal cyberattacks. This approach has been largely successful,” reads a letter the U.S. Chamber of Commerce and other representatives for major companies sent to Senate committee leaders Friday opposing the amendment. “Many focus on the unfortunate cyber incidents that occur, while too few focus on the countless cyberattacks that have been avoided.”
CISA Director Jen Easterly—for one—is no longer willing to take such declarations of success as a given. During a recent meeting of her Cybersecurity Advisory Council, she noted the significance of the project the agency is about to embark on.
“We're really going to be working hard to align our goals and objectives with specific measurements that help us reduce risk,” Easterly said, referencing the plan. “That is not a trivial endeavor. As we know, it's easy to count measures of performance. It's much more difficult to measure effectiveness and outcomes. But we think that's incredibly important given our mission, which is to lead the national effort to understand, manage and reduce risk to the critical infrastructure Americans rely on every hour of every day.”
Success of CISA’s plan is contingent on many external factors. Among those will be its ability to collect the necessary data, including through implementation of the Cyber Incident Reporting for Critical Infrastructure Act, which took effect in March.
Some in the cybersecurity community, including Sen. Mark Warner, D-Va., have noted the lack of an appropriate enforcement mechanism for incentivizing companies to report security breaches and related information to CISA. In September 2021, Easterly—along with National Cyber Director Chris Inglis and Federal Chief Information Security Officer Chris DeRusha—all advocated financial penalties for non-compliance be included in the budding legislation, which Warner said became “toothless” after such measures were removed from an original proposal he authored.
Since then, Easterly has more fulsomely embraced CISA's role as a place where industry can seek solace from regulatory enforcement and instead attract industry’s participation in the agency’s plan with carrots, such as access to government intelligence and resources to hunt for vulnerabilities and respond to incidents. Such exchanges are the goal for mechanisms like CISA’s Joint Cyber Defense Collaborative and other organizational structures, where the agency receives regular input from major companies across various industries.
But while last July’s national security memo calling for CISA’s performance goals says the initiative is for industry’s voluntary collaboration with government, Langevin’s amendment—along with comments from White House officials—suggest an effort to link the coming performance goals to potential regulatory efforts.
Speaking at a Center for New American Security event this summer, National Security Adviser for Cyber and Emerging Tech Anne Neuberger said the White House was working with lawmakers to embolden agencies to use their regulatory authority in managing the risks to cybersecurity in their sectors.
Langevin’s amendment mirrors the national security memo on industrial control systems. They both say that the Department of Homeland Security should work with related agencies to develop cross-sector and sector-specific cybersecurity performance goals.
“These performance goals should serve as clear guidance to owners and operators about cybersecurity practices and postures that the American people can trust and should expect for such essential services,” the documents both say, adding, “That effort may also include an examination of whether additional legal authorities would be beneficial to enhancing the cybersecurity of critical infrastructure, which is vital to the American people and the security of our nation.”
During Thursday’s House Homeland Security Committee hearing, Rep. Yvette Clarke, D-N.Y., who chairs the subcommittee on cybersecurity and innovation, asked Goldstein about the extent to which CISA had sought input on the performance goals from a range of stakeholders.
“We have gone through two rounds of robust stakeholder feedback, both of which included public review,” Goldstein said. “We received, remarkably, over 2000 comments on the cybersecurity performance goals and held a variety of workshops, including both for sectoral partners and the general public, as well as listening sessions across our stakeholder groups.”
He added that the agency wanted to broaden its scope of input beyond the stakeholders they talk to every day within CISA.
“And so we reached out uniquely to our international partners, to academia, to researchers, to owner-operators, device manufacturers, integrators, entities across the spectrum,” Goldstein said.
But only a few comments—those from the information and communications technology industry, which were critical of the draft performance goals—have been publicly reported, with other industry representatives saying CISA has been receptive about their feedback. A CISA spokesperson told Nextgov the agency does not intend to publicly release the comments they received. CISA did not provide a reason for the decision and also declined a request to provide earlier versions of the performance goals referenced on their website.
Engagements with agencies and industry on the performance goals are happening through the Critical Infrastructure Partnership Advisory Council—established in 2006 and consistently renewed, most recently in November, 2020—and are exempt from public transparency laws, under the Homeland Security Act. But the advisory committee meeting Tuesday provided insight into how the largest companies in the economy might be hoping to influence the form they take and their potential application by sector-specific risk management agencies.
Langevin’s amendment calls for an interagency council chaired by the directors of CISA and the Office of the National Cyber Director to identify a list of no more than 200 systemically important entities for which the performance goals will be relevant and to assign agencies for their regulation, where necessary. During Tuesday’s meeting, Chairman Tom Fanning, the CEO of the electric utility Southern Company, recommended the private sector be involved in the identification of such entities and the decision-making of sector-risk management agencies.
“We want to also engage the systemically important entities in identifying the first, second and third derivative of what creates and manifests itself as risk,” he said. And while the White House memo and the Langevin amendment both ask relevant agencies to actively explore the need for additional authorities and regulatory measures, Fanning committed to staying as close as possible to the status quo.
“We want to outline the obligations of the systemically important [entities] to meet national resiliency goals,” he said of recommendations the full committee later approved. “We commit … to optimize and make smart—based on good outcomes—existing regulation and perhaps simplify that … to harmonize regulation and to defer wherever possible to what exists already.”