An advisory committee to the Cybersecurity and Infrastructure Security Agency delivered a long list of recommendations on Wednesday that encourage the agency to take measures to increase the cybersecurity expertise on corporate boards of directors, develop a national cybersecurity alert mechanism and better protect high-risk communities from surveillance.
These policy measures were just a few of more than 100 recommendations made to CISA Director Jen Easterly, who called the findings “transformative.”
The recommendations of CISA’s Cybersecurity Advisory Committee will need to be made into policy by Easterly, but in the past she has mostly embraced the recommendations of the committee, which is made up of former top-ranking officials, executives and lawmakers, such as former National Cyber Director Chris Inglis, former Rep. Jim Langevin and Southern Company CEO Tom Fanning, who chairs the panel.
Wednesday’s report includes recommendations from six subcommittees that cover corporate cyber responsibility, cyber hygiene, the creation of a national cybersecurity alert system, reducing systemic risk to critical infrastructure, protecting high-risk communities and the cybersecurity workforce.
The subcommittee on corporate cyber responsibility recommended that corporate board members be educated and trained on cybersecurity issues, especially with new rules from the Securities and Exchange Commission coming into effect requiring publicly traded companies to report significant breaches of their computer systems and data. The subcommittee also encouraged CISA to explore performance goals to measure what would amount to a “cyber responsible” board.
“We haven’t come a long way in adding expertise to the board,” said Dave DeWalt, founder and CEO of investment firm NightDragon.
Another recommendation calls for a national cybersecurity alert system to be administered by CISA. While there are multiple avenues of information flows like advisories, bulletins and so on, “they’re not authoritative; they’re not coherent,” Inglis said.
“These have to be actionable alerts,” Inglis said.
The technical advisory council subcommittee, led by Black Hat and DEF CON founder Jeff Moss, delivered more than two dozen recommendations detailing how CISA can better protect high-risk communities, such as non-government organizations, activists and journalists that may be under threat of surveillance and hacking. The subcommittee recommended that CISA provide high-risk communities better guidance and access to tools to protect themselves.
The cyber workforce committee recommended CISA develop benchmarks and metrics to track progress in growing the cybersecurity workforce, create programs to address burnout and create upskilling and cross-training programs to help workers.
The building resilience and reducing systemic risk to critical infrastructure subcommittee cautioned that the forthcoming rewrite of Presidential Policy Directive 21 — the document declaring which sectors are considered critical infrastructure and which agencies oversee those sectors — needs to be aligned with CISA’s determinations of so-called systemically important entities. The subcommittee added that CISA should also clearly define its role as a national coordinator and update the national cyber incident response plan.