
CISA seeks to expand mission amidst turmoil
The turmoil surrounding the Cybersecurity and Infrastructure Security Agency (CISA) is starting to have a significant impact on cybersecurity teams that — without any liability protection — are, for now, less inclined to share information about how breaches occurred.
At the same time, however, the agency is also signaling its intent to provide a wide range of services directly in the long term, rather than continuing to rely on a small number of industry partners.
Just prior to the shutdown of the federal government, the U.S. Congress failed to renew the Cybersecurity Information Sharing Act, primarily because of objections from Sen. Rand Paul (R-KY), who is concerned that the original legislation enables the agency to exceed its mission by delving into disinformation campaigns in the last two presidential elections. At the core of that debate are concerns that in its efforts to protect critical election infrastructure, CISA got caught up in a political debate over perceived limitations placed on free speech.
A few days later, the U.S. government shut down, which has resulted in layoffs that could have a significant impact on the agency’s ability to provide certain services, including services that CISA provides to third-party organizations. Prior to those cutbacks, CISA also let lapse a cooperative agreement with the Center for Internet Security (CIS) through which a Multi-State Information Sharing and Analysis Center (MS-ISAC) program has been managed. Now CISA plans to administer funding for specific initiatives itself, in addition to providing tools it develops to individual states and localities at no cost.
Shifting focus
All these changes are occurring at a time when CISA is also signaling its intent to revamp the Common Vulnerabilities and Exposures (CVE) program currently administered by Mitre Corp. A CISA Strategic Focus document published by CISA indicates the agency is reviewing how CVEs are numbered and ranked, along with how information about them is distributed, as part of a new focus on quality.
Specifically, the document calls for a commitment to conflict-free and vendor-neutral stewardship, broad multi-sector engagement, transparent processes and more accountability. The latter issue is, of course, a subject of keen interest among cybersecurity professionals who regularly find themselves waiting for developers to build and apply patches to applications. The hope is that if organizations are held more accountable for providing software with known vulnerabilities that cybercriminals exploit, there might be far fewer of those vulnerabilities.
It might be a while before any concrete changes are made, but it is apparent the scope of the CISA mission is changing. Resources are clearly being shifted away from some initiatives in line with the priorities set by the Trump administration. It’s less apparent to what degree CISA has the resources needed to fulfill its emerging mandate, which includes directly providing a wider range of services.
Hopefully, CISA will again become the clearinghouse for safely sharing threat information while simultaneously expanding the scope of the services it provides. The challenge, as always, is achieving that mandate in a way that invites the least amount of political interference possible.
