A panel advising the Cybersecurity and Infrastructure Security Agency on everything from combatting disinformation to reducing critical infrastructure risks approved its inaugural set of recommendations for the Department of Homeland Security cyber agency on Wednesday.
In total, the panel approved more than 100 recommendations (“Develop incentives and access to information to aid security researchers who will submit vulnerabilities affecting critical systems”) and sub-recommendations (“Encourage continued participation by providing rewards such as public recognition and cash awards”).
Some suggestions require action soon, such as CISA delivering a “What to Expect on Election Day” plan to election officials about how to counter false information ahead of 2022 midterm voting. Others stretch years into the future, such as CISA pressuring federal contractors to set up multifactor authentication by 2025. Multifactor authentication requires users to verify their identity through two or more steps, such as a password combined with a one-time code delivered to a mobile phone.
The CISA Cybersecurity Advisory Committee emerged as a mandate under the fiscal 2021 defense policy bill and held its third meeting Wednesday. It draws membership from industry, academia and government, all of which could be affected by the panel’s recommendations. CISA Director Jen Easterly has 90 days to respond, then develop an action plan if she supports a given recommendation or explain why she rejected any.
Easterly praised the committee at Wednesday’s meeting for coming up with “some really incredible recommendations.”
She said she had added an assignment to one of the panel’s six subcommittees to develop a cyber threat advisory alert system to counter “vigilance fatigue,” the topic of a recent op-ed she penned for CyberScoop with National Cyber Director Chris Inglis. That subcommittee, Building Resilience and Reducing Systemic Risk to Critical Infrastructure, was the only one not to make recommendations Wednesday.
Some of the recommendations have their limits. For instance, CISA can attempt to incentivize federal contractors to meet a deadline for implementing multifactor authentication, but a patchwork of federal regulations governs contractors’ cybersecurity requirements. Others would require additional funding, such as the cash rewards for security researchers who report software flaws to agencies.