CISA unveils plan to measure cybersecurity success


The Cybersecurity and Infrastructure Security Agency's 2024-2026 cybersecurity roadmap focuses on public-private partnerships and using metrics to gauge the effectiveness of cybersecurity measures.

The Cybersecurity and Infrastructure Security Agency is prioritizing addressing immediate threats, hardening digital terrain and implementing security at scale, among nine other objectives, as outlined in the agency’s new Cybersecurity Strategic Plan.

Released on Friday, the plan marks CISA’s roadmap for the next three years as the agency works with the larger Biden administration to safeguard America’s digital networks from the increased onslaught of malicious cyber attacks. 

“Now is the moment where our country has a choice: to invest in a future where collaboration is a default rather than an exception; where innovation in defense and resilience dramatically outpaces that of those seeking to do us harm; and where the burden of cybersecurity is allocated toward those who are most able to bear it,” the executive summary of the report reads. “Cyber incidents have caused too much harm to too many American organizations. Working together, we can change this course.”

The nine objectives underpinning the strategy and its three overarching goals include prioritizing coordinated threat disclosure, proactive vulnerability analyses and implementing cybersecurity investments, among other tenets.

The plan will focus on outcome-based measures for institutions working to reduce their cybersecurity risk. Some of these metrics are centered around reducing incident response time, particularly for federal agencies and critical infrastructure partners.

Other metrics focus on strategic increases. In measuring the efficacy of agency collaborations, CISA is focused on analyzing the increases in the volume of relevant information, in addition to more specific actionable plans and post-incident reports. 

Notably, the strategy also focuses on implementing the federally-backed secure-by-design concept.

“As a society, we can no longer accept a model where every technology product is vulnerable the moment it is released and where the overwhelming burden for security lies with individual organizations and users,” the report reads. “Technology should be designed, developed, and tested to minimize the number of exploitable flaws before they are introduced to the market.”

Absent federal mandates and legislation, tech companies still operate under a voluntary and trust-based model of collaboration. CISA said it “will strive to ensure that regulators and other government entities with compulsory authorities leverage technically sound and effective practices developed together with our partners across the private sector, ideally enabling harmonization across both U.S. and global regulatory regimes.”

The report also notes that CISA will produce and regularly update criteria to develop and maintain secure-by-design products and ensure cooperation from manufacturers. 

Artificial intelligence software and quantum computing are highlighted as potentially risky technologies that threaten current cybersecurity protocols, particularly with the coming of an operational quantum computer.

CISA’s strategy to mitigate these emerging threats is to work with the developers of these more nascent technologies and prepare digital systems, namely through post-quantum cryptographic migrations.