The Growing Power Of The US Cybersecurity and Infrastructure Security Agency (CISA)
At the center of US critical infrastructure protection (CIP) is an agency with little power to enforce cyber or physical security standards on operators beyond giving advice. But this is beginning to change amid increasing threats and security failures, and businesses may be forced to upgrade their practices, with downstream impacts on security sellers.
In this report, we examine the Cybersecurity and Infrastructure Security Agency (CISA), its role as an advisor rather than a regulator, the resources and services it offers, and its increasing powers to act as a security watchdog.
Executive *******
***** ****'* **** ** ** ******* critical **************, ** **** *** ******* cyber ** ******** ******** *********. *** agency ******* ** ******** ************* *** sharing *********** **** *** ********** **** operate ******** **************. **********, ******* **** choose ** ******* ********** ** ******* up ** ****.
** ** ****, **** ****** * plethora ** *********, ********* ***** *** physical ******** *********, ********, **-****** ***********, courses, *********** ******* ** ***************, *** more. ********** *** ******** ******* ** taking ********* ** **** *** ****** reach *** ** ***** ******** ****** for **** ***********.
****'* ******** ******** *** *** **** as ******** ******** ******** **** ******** infrastructure *********. ****** *********** *** ********* its ****** ** ********* ** ******* industry; ******* ******** ****** *** ****** and *** ******* ********* ****** **** just ********* ***** *** ******** ******** standards. ***** ****** **** ******** ******** sellers *** **** ** **** ****** standards *** ***-*****.
CISA's *******
**** ** *** ** ********** ** Homeland ******** (***), **** ********** **** the******** ********** *** ******** ***********(****), ***** *** ******* ** **** to ********** *** *** ** ********** manages *** *** ***** *******.
******** ****** *** **** **** **** in ******** **** ***** **************** *** ************** ******** ****** ***, * ******** ***** ** ******** a ********* ****** ** ******* ***** and ************** ******** ******* ****** *** federal **********. ** ** ****, **** is ***** *** * ******* ********* for ***, ***** ********* ** ** managed ** ***** ******* ******** ** a ********* *** *** ******** *******, as ********* *****.
**** *** ***** ************ ***** *** establishment. ** ** ****** ****, *** headcount ****** ** *,***, ** ***** 1,300 **** ***** ***** ****. *** budget ** **** **********, ****** **** $2 ******* ** ****** ** $*.* billion *** ******, ** ******** ** 45%.
CISA ** ** *******, *** * ********
*************, **** ** ** ******-****** ******, not * ******** ************** *********.
**** ********* ******** *** "******** *********** *** ******** infrastructure ******** *** **********," ****** ** "lead *** ******** ****** ** **********, manage, *** ****** **** ** [*******'*] cyber *** ******** **************."
**** ** *** ***** ** ** private ******** ****** **** ********** ******** or ********** *****,** **** ******, "*** ******* ****** **** *** operates * ******** ** *** ******'* critical **************."
*** ** *** ****** ** ***** to ******* ***** ** ******** ******** standards ** ***** ******* **********, ******* the "********" ********** **** **** ******* themselves. **** **** *** **** ***** or ***** *********. *** ***************** ** ****** *** *********. ** ** ** ** ********** whether ** ****** **** **** ** take ********* ** *** ********.
**** **** **** ******** **-****** ******** assessments ** ********** (***** *** *** mandatory),****** *** *************** **** ******* "****** *********, *** **** ******** determines **** ******* ** ****."
*** ******* ********** ************ *** ******** role *** *** **** ********* ******* changes. ** ****, **** ******** *** Easterly,********** ** ******** ************* ******** ****'* ******, ****, "** the *** ** *** ***, * don’t **** **** ** ** * regulator."
**** *********** ************* *** *** ******* ************* *** *** ***** ** *************** "******* *********** ********** (****)"********** ***** ********.**** ******* **** ** ********* ***** identified ** **** ** ********* ** protect ******* *******, **** ****** *****.
CISA's *********, ********, *** *********** *******
******* *** **** ** *********** *********, CISA's ********** *** ************, **** ** annual ******** $* ************** ****** ** ********. ***** *** principally ******* ** ********* ** **** organizations ******** ******* (** **** ** choose), ******** **** ******** *** ****** assessment *****, *** *********** ******* ** threats.
**** ********* ******* ********* ***************** **** ************ ************ ****** ******** ********- ********* ** *********** *** ******** infrastructure ***** - ********* ****** ** everything *******-*************** ******************* ****** **********.
****** ***** ************ ** ***** ** *** ****** US **********, *********** ********* **** ********** ********, such ** ************* ********, ********** ******** Advisors, *** ****. ** *******, **** will **** ************** ******* **-************** *********** *** ************ **********.
******** **** ******** *** ******* ** information ******* **** ****** ************* ** threats. **** *******, **** ******** ************** ************* **********(***) *******, ***** *********** ****** ********** of *** ***** ***************, **** ***** ******** ******** ********.
**** *** **** ******* ********** *** industries ********* ***** ** ***-***** *************** or ******** ******** *****, **** ** this****** ******** *** **** ********** ******* systems ******** ** ***************.
***** ********, ****'* ******** *** ***** engaging **** ************* ** ****** **** high *** *********, ********** *** ****** without ******* **. ****** **** ******* agencies, ***** **** ** ** **** approachable,**** ****:
** ****, *********** *** ************* *** our ********** *** *** ********* ** what ** **. *********** ******* *** cooperative ****** – ****** **** ****** and ******* ******* – ** ********* to *** **** ** ******* *** nation’s ********** *******."
Who **** **** ****?
********** *** *** ****** **** **** to ***** *** ** **** *** take ********* ***** ****'* ********* *********, ******* ** *** **** *** sure **** *** ******** **************. ** order ** ******* **** ****, ********** should******* ***** ******** ******.
*** ******* ********** ***** * *****, comprehensive *********** ** **** ** *** is *** ******** ************** *** ********* covered ** ****. ** * ****** post, **** **** ******* **** ***** in **** ******.
CISA **** *** ********* ****** ***
******* **** ** *"******** *********** *** ******** ************** ********," CISA ** ***, ** ****, *** nation's ******* ********* ** ******** ************** protection, ***** ** ******* ** ******** additional ********.
** ****, ********* ************ *** ******** ************** ********** ****, ***** ********* ** ******* ** critical ************** *** ******** * ********* agency ** **** ***. *** ********, the ********** ** ****** *** ***** Services ******** ************** **** *********, ***** the ************* ********** ****** ******** ***** and ********** *******.
**** ******** ******* ** ***** **** after *** **** ******** ** ****. Like ****, ***** ******** ******** ********* that *** ********* *** **** **** exceptions, **** ***** *** ****** ******.
CISA's ******* ******
******** ***** *** ** ******** ****, recent *********** ** ********* ****'* ******* to ******* ****** ************ ** ******** critical ************** ******* **** ******* ******** has ****** ** **** ******.
** *** **** **** ****, ********, *** *** ***** ****, gave ************ ***** ** *********** ******* ***** intrusion***** "** ***** *** *********" ** ***** ****'* **** ** powers ******* *** ******** ** *******.
** ****, ******** ****** ******** ******** ********* *** ******** ************** Act, ********* ******** ************** ********* ** report ***** ********* ** **** ****** 72 *****. ** **** ******** * company ****** ** ** **, ** can *** ***** * ******** *** information ** *** ****** ****** ** hours ** *******.
** ********* **** ** ****** **** CISA *********, **** "*** ******* **** the ******** ******* **** ***********" ** court.
**** ***** ***** *** *********** ********** beyond ****'* ******** **** **** ********* a **** *** ******* ****** ** intervene ** ******* ******** *** ****** adequate ******** ************** ********** ********.
Future **** ****** *** ********* *****/******** ******** **********
******* ********** ** **** ****** *** be ******, ********* ********* ****** **** just ********* *********. *** *** ******** security ********, ** ** ********* ** pay ***** ********* ** **** ******* more ** * ********. **** *** bring *** ************ *** *** ********* scrutiny ** *** *****. ************ ********** measures - *** ***** *** ******** - ** ****** ** ** ****** downstream ** *******.
**** **** ****** **** *******'* ***********,* ************ ***** ****** ******* ** hospitals*** ***+ "****** **** *****" ********* emergency *****, ********* ********, *** ****;*** ********* **** ************ ** ****. *** **** ** that ********* **********-***** *** ******** ** not ****** ****, ********** *** **********.
** * ****** ******, *** ********* ** ******** ******** and ********** ******* ********* ** ***** failures:
*** **** **** *** *******, ‘‘******-****** and ***-***** ****** **** **** ********** to ******* ******** *****, ******** ********, and *** ******** *** ** ****.’’ Cyber-attacks ********** ** ***** **** ****** ‘‘hundreds ** ******** ** ******* ** intellectual ********,’’ ******* ***** ********* **** influenced ******** ********* *** ****** ********** data, *** ***** ********* **** ****** state, *****, *** ******* ******** **** debilitating ********** *******. ** *** ******* and ******* ****** ************ ************** *** digitized, *********** **** **** **** ************* to ‘‘******* ******* *****, ******* ******** infrastructure, *** ****** *** ******** *** democratic ************.’’
********* ********* **** ** **** *** solutions. *** ****** ******** *** ******** introduced******** **** ********** *** ** ****(********** *** ********** ** *** *******), which ***** ****** * *****-***** ****** of *** ******** ** ******* ** CISA *** ******* *********.
*** ***** **************, ***** ***** ***** proposed *********,*** **** ** ***"**** ** **** ******** *** **********, both ********* *** *********," *** ******** "mandatory ************ ** ***** ** ****** that *** ******** ******** *** ******** people **** ** *** *********." ******** has **************** ****** **** **** ******** *****.
**** **** ******* *** ********* ** the ** **********'* ******** ************** ******** measures ** ******* ****** ** * future ****, ********* *** ********** ********** of ********* ***** *** ******** ******** standards.