Departing top CISA official reflects on nearly four years in the cyber hot seat

Eric Goldstein spoke with CyberScoop about where the Cybersecurity and Infrastructure Security Agency has made progress, lessons learned and what’s next.
Eric Goldstein, executive assistant director for cybersecurity at CISA, speaks during the Elastic Public Sector Summit 2024. (Scoop News Group photo)

The Cybersecurity and Infrastructure Security Agency has made important progress on understanding cyber risks, collaborating with industry and encouraging tech companies to make their products more secure, according to a departing top official at the agency, Eric Goldstein, who also believes the agency has more work to do on things like implementing a rule for gathering cyber incident data.

Goldstein is set to leave his job next month as executive assistant director for cybersecurity at CISA, where he’s worked since the beginning of the Biden administration. He spoke with CyberScoop on Thursday about his work at the agency and what’s next.

“I think the agency has some really great momentum and wind behind its sails,” he said.

On the personal front, Goldstein said he’d soon be joining the private sector in “a cybersecurity leadership role in industry,” but that role isn’t public yet.

There are three areas where he’s “particularly proud” of CISA’s progress.

One is “our ability to actually understand cybersecurity risks and use that understanding to drive change,” he said, citing initiatives like CyberSentry, a threat detection program in which CISA partners with critical infrastructure owners and operators. “A few years ago, we couldn’t credibly say that we had an understanding of risk and relative risk within government and across sectors,” he said.

Another is working with industry on collaboration that has more operational value, he said, such as the Joint Cyber Defense Collaborative. Sometimes a source of criticism for CISA, the program is one “I’d be the first to say publicly … is an emergent one and one that will continue maturing,” Goldstein said, adding that he believes it has made meaningful advancements.

And the third is the secure-by-design initiative, which seeks to put more of the cybersecurity onus on product developers rather than on the organizations that use those products. “I think that we really have shifted the perspective of the community in a way that’s driving real and lasting change,” Goldstein said.

Once CISA fully implements the rules that Congress tasked the agency with writing under the Cyber Incident Reporting for Critical Infrastructure Act of 2022, the agency will be on even stronger footing, he said.

“For the first time having a generalizable set of cyber incident data, not just to help victims but also share more effectively and understand trends to drive investment, is going to be a game changer for the industry and for global cybersecurity,” he said of a program that some in industry and Congress are concerned will place an excessive burden on critical infrastructure owners and operators. “CIRCIA implementation is going to be so important, because the expectations are sky high.”

Other important work the agency has to complete includes focusing on secure development and deployment of artificial intelligence, he said.

One key lesson that he leaves the agency with is the “need to maintain the humility in our ability to project and forecast changes in the technology and threat environment,” pointing to the unpredictability of the threats stemming from Russia’s conflict with Ukraine.

Others include the need for collaboration, and the “criticality of the people,” he said. While cyber is often thought of as tech-centric, Goldstein said, “ultimately it’s about the people who make the decisions and design the systems and implement the systems and make the choices about where to invest.”