On the front lines of the Obama administration’s campaign to protect the country’s vital industries from foreign hackers, cyber criminals and online espionage is a tiny band of cybersecurity advisers housed within the Department of Homeland Security.
There are just six of these advisers around the country, acting as conduits between DHS and the local businesses that own and operate much of the infrastructure — from banks to sewage systems — that keeps America running. But DHS to looking to quadruple the number of advisors over the next two fiscal years.
The program was piloted in 2009, with a single officer in Pittsburgh. Currently, there are currently six CSAs at work: Chicago, Los Angeles, Pittsburgh, Dallas, Denver and New York. A seventh post sits vacant in Boston.
DHS Assistant Secretary for Cybersecurity and Communications Andy Ozment wants to up the roster to 13 advisers before the end of the fiscal year in September. The plan is to then almost-double it again to 24 over the next fiscal year, as part of the administration’s post-OPM cybersecurity action plan.
‘We need more CSAs, no question about it,’ Ozment told Cyberscoop. ‘The last thing you want is to be meeting someone [for the first time] after an incident.’
A typical CSA works with state, local and tribal governments, as well as businesses in the FEMA region to which they are assigned, said Sean McCloskey, who manages the program.
The job is to walk businesses through the basics of cybersecurity; offer them a pipeline to the federal government’s cyber threat information sharing programs; and to ‘build relationships’ so things run smoothly in the communications loop when an incident occurs.
As a result, these advisers travel a lot. When the program is fully stood up next year, the goal is to have CSAs traveling only 25 percent of their time, McCloskey said.
While CSAs are provided with a ‘variety of tools’ to help local businesses, McCloskey said, a lot of what advisers preach can be accessed via downloadable guides.
The Cyber Resilience Review ‘is what we would call our strategic level tool,’ McCloskey said. It evaluates an organization’s ‘operational resilience and cybersecurity practices across ten domains including risk management, incident management, and continuity.’
Think of it as ‘Quicken for cybersecurity,’ said Ozment, ‘It kind of walks you through the process.’
The Cyber Infrastructure Survey Tool, is ‘aimed at small and medium-sized businesses which is more tactical, down in the weeds kind of assessment … more controls focused,’ said McCloskey.
CSAs also promote the CyberSecurity Evaluation Tool, or CSET, which is aimed at critical infrastructure owners and operators employing the special computer systems that control machinery — ICS or SCADA.
‘We try and describe them at the level of management at which they’re aimed,’ said McCloskey of the various tools.
‘There’s a huge return on investment with CSAs,’ said Ozment, ‘They foster communities where people teach each other about cybersecurity.’
The tools — and the time of the CSAs — are theoretically available to any company. ‘We prioritize based on criticality,’ said Ozment, ‘But we may not view that in the same way as our customers.’
Ozment said the program was trying to stay ‘low overhead,’ owing the slow growth of the program to sequestration and stalled partisan funding battles, which have resulted in continuing resolution spending bills to fund the government.
‘We were just not funded to grow at the level we had hoped to grow at,’ he said of the program’s slow start. ‘We have a pretty good idea of how to grow this program, we just didn’t have the budget.’
By the end of 2017, when there should be 24 CSAs in the field, there would be no more than six support positions at headquarters and the whole program should cost no more than $14.6 million, Ozment said.