The Cybersecurity and Infrastructure Security Agency
Introduction
The Cybersecurity and Infrastructure Security Agency is an agency within the U.S. Department of Homeland Security (DHS). It was formed on November 16th, 2018 with the signing of the Cybersecurity and Infrastructure Security Agency Act of 2018.
What is CISA?
The Cybersecurity and Infrastructure Security Agency (CISA) was formerly the National Protection and Programs Directorate (NPPD). This new name for the DHS department better reflects its core function.
Like the National Security Agency (NSA) is tasked with protecting the .mil domains of the U.S. military, it’s the job of DHS (and more specifically CISA) to protect the .gov space of the civilian government. CISA’s name and mission both reflect its core mandate: to protect the U.S. critical infrastructure, especially against attacks performed via cyberspace.
The role of CISA in government
The job of CISA is to protect the government from being hacked. More specifically, this involves acting a lot like a third-party cybersecurity services provider to other government departments. CISA’s role includes:
- Providing cybersecurity tools
- Incident assessment and response
- Coordinating public/private sector partnerships for security and resilience
- Technical assistance and assessments
- Supporting emergency and natural disaster responders
- Risk assessment for critical infrastructure
With this list of capabilities, it appears likely that CISA will continue to fill a consulting or advisory role for other government departments instead of a controlling one. Other departments will likely have to decide (or be ordered) to enlist CISA’s help when preparing to deal with potential threats.
Potential impacts of CISA
As a whole, CISA seems to be designed to provide U.S. government departments with the tools and aid that they need to protect themselves. With the agency only a few months old, it’s difficult to predict what they will do; however, some potential impacts stand out, based on their mandate and mission statement.
Increased regulation and standardization
Increasingly stringent regulations have been in vogue lately, with the creation of the EU’s General Data Privacy Regulation (GDPR) and the many other privacy regulations that have followed it. While the United States does not currently have a national privacy regulation other than industry-specific ones like HIPAA, many states have adopted data privacy regulations. The creation of a national privacy standard (possibly mandatory for .gov) might be one of the impacts of CISA.
CISA is more likely to produce additional industry-specific standards. A large part of their mandate is protecting critical infrastructure, which includes Industrial Internet of Things (IIoT) devices. The Internet of Things (IoT) is notorious for its poor security, and, since the same devices are used for both personal and business purposes, new regulations and standards for devices to be sold to the government are likely to produce improvements in the security of devices available to the average consumer.
Improvements to SCADA/ICS security
SCADA and ICS security is one of the main focus areas of CISA as demonstrated by their choice of name and mission statement. The nation’s critical infrastructure is known to be in need of a cybersecurity upgrade since many systems are connected to the Internet but were never designed to be. Critical infrastructure also makes use of IoT devices, which are also known for their poor security.
One example that underscores the need for improvements to critical infrastructure cybersecurity is the recent DDoS attack against the power sector. While this attack did not cause a loss of power in any of the target systems, it did have an impact on other areas of the system. DDoS mitigation technology is readily available, so this type of attack should not have been possible against a properly secured system.
CISA has already demonstrated that they intend to make a serious effort toward improving the security of critical infrastructure. They have released a list of National Critical Functions, detailing the functions of the public and private sector that are necessary for national security and health and safety. This list is intended to be a starting point for a risk assessment of critical infrastructure that can be used to focus the agency’s efforts to improve the security of the nation’s critical assets.
Cybersecurity tool availability
Based on the CISA’s role description and recent governmental activity, it’s likely that one of the impacts of the creation of CISA will be increased availability of cybersecurity tools to government departments and, possibly, the private sector. The NSA recently released Ghidra, a reverse-engineering tool developed in-house to rival IDA Pro. This tool is extremely powerful, and there has been a lot of discussion in the industry about its functionality and usage since the release.
The CISA’s mission includes making cybersecurity tools available to government agencies, and the public release of Ghidra by the NSA (as well as other releases) may indicate a move by the government toward protecting the public sector by improving the security of the private sector. If this is the case, it seems possible that CISA will sponsor the development and release of cybersecurity tools, especially in their focus areas like critical infrastructure.
The future of CISA
The Department of Homeland Security is well-known for reshuffling and renaming its departments on a regular basis. As a result, it’s difficult to predict whether the repackaging of the NPPD as the CISA will have a significant impact on how the department operates and its mission statement.
However, CISA has already taken some significant strides toward fulfilling their new mission statement. The creation of the list of National Critical Functions is an important first step in generating a risk assessment for critical infrastructure, which would allow them to focus their energies on the components of the national critical infrastructure where they would be most effective. Demonstrating actual action toward achieving organizational objectives within a few months of a major restructuring is a pretty good start, especially for a government department.
What should you learn next?
Sources
- About CISA, Department of Homeland Security
- National Critical Functions, Department of Homeland Security
- National Critical Functions Resources, Department of Homeland Security
- 4 lessons to be learned from the DOE’s DDoS attack, Malwarebytes Labs
In this Series
- The Cybersecurity and Infrastructure Security Agency
- Free Valentine's Day cybersecurity cards: Keep your love secure!
- How to design effective cybersecurity policies
- What is attack surface management and how it makes the enterprise more secure
- Is a cybersecurity boot camp worth it?
- The aftermath: An analysis of recent security breaches
- Understanding cybersecurity breaches: Types, common causes and potential risks
- Breaking the Silo: Integrating Email Security with XDR
- What is Security Service Edge (SSE)?
- Cybersecurity in Biden’s era
- Password security: Using Active Directory password policy
- Inside a DDoS attack against a bank: What happened and how it was stopped
- Inside Capital One’s game-changing breach: What happened and key lessons
- A DevSecOps process for ransomware prevention
- What is Digital Risk Protection (DRP)?
- How to choose and harden your VPN: Best practices from NSA & CISA
- Will immersive technology evolve or solve cybercrime?
- Twitch and YouTube abuse: How to stop online harassment
- Can your personality indicate how you’ll react to a cyberthreat?
- The 5 biggest cryptocurrency heists of all time
- Pay GDPR? No thanks, we’d rather pay cybercriminals
- Customer data protection: A comprehensive cybersecurity guide for companies
- Online certification opportunities: 4 vendors who offer online certification exams [updated 2021]
- FLoC delayed: what does this mean for security and privacy?
- Stolen company credentials used within hours, study says
- Don’t use CAPTCHA? Here are 9 CAPTCHA alternatives
- 10 ways to build a cybersecurity team that sticks
- Verizon DBIR 2021 summary: 7 things you should know
- 2021 cybersecurity executive order: Everything you need to know
- Kali Linux: Top 5 tools for stress testing
- Android security: 7 tips and tricks to secure you and your workforce [updated 2021]
- Mobile emulator farms: What are they and how they work
- 3 tracking technologies and their impact on privacy
- In-game currency & money laundering schemes: Fortnite, World of Warcraft & more
- Quantitative risk analysis [updated 2021]
- Understanding DNS sinkholes - A weapon against malware [updated 2021]
- Python for network penetration testing: An overview
- Python for exploit development: Common vulnerabilities and exploits
- Python for exploit development: All about buffer overflows
- Python language basics: understanding exception handling
- Python for pentesting: Programming, exploits and attacks
- Increasing security by hardening the CI/CD build infrastructure
- Pros and cons of public vs internal container image repositories
- CI/CD container security considerations
- Vulnerability scanning inside and outside the container
- How Docker primitives secure container environments
- Top 4 Zapier security risks
- Common container misconfigurations and how to prevent them
- Building container images using Dockerfile best practices
- Securing containers using Docker isolation
- Introduction to container security
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
General security
Free Valentine's Day cybersecurity cards: Keep your love secure!
General security
General security