CISA: “Shields Up” is the New Normal; New Rules Coming

This is the second of three articles covering NTCA’s Telecom Executive Policy Summit. The first article can be found here.

One hundred rural broadband provider executives came to the nation’s capital for sessions and meetings with legislators and other policymakers November 6 – 7th as part of the Telecom Executive Policy Summit (TEPS), produced by NTCA – The Rural Broadband Association. After hearing from industry and government leaders about universal service and broadband funding (covered in Part 1), attendees also heard from Brandon Wales, Executive Director of the Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security.

Wales explained that CISA is the national coordinator for all federal civilian agencies’ critical infrastructure protection, including cyber defenses. CISA also coordinates with the private sector and offers technical assistance and information to help make networks more secure and resilient.

Brandon Wales speaking at NTCA’s 2023 TEPS

Wales said that before the invasion of Ukraine, anticipating increased global tensions and the cyber threats that could accompany them, CISA launched a “Shields Up” campaign. While large-scale cyberattacks did not occur, productive coordination between CISA and the private sector did provide valuable feedback. However, the threat has not gone away. Furthermore, increased violence in the Middle East could represent increased threats from hostile groups and the nation-states that support them. Accordingly, “Shields Up is the new normal,” said Wales.

Increasingly, CISA is also focusing on resiliency, according to Wales. Protecting against threats will always remain a priority. However, he noted that a determined attacker, with enough time, is always likely to find some vulnerability in some area. In addition, natural disasters may impair any number of functions.

Therefore, ensuring that agencies and businesses can recover quickly from an attack or natural disaster, and continue providing services even as mitigation steps are undertaken, has become even more critical. Wales indicated that functional resiliency is now as important as protection when it comes to cybersecurity and critical infrastructure protection.

Wales observed that funding programs, such as enhanced A-CAM and BEAD, have cyber and supply chain requirements. While CISA does not have a role in administering these rules, it does have resources available to assist small providers. Although CISA is not normally a regulator, Wales pointed out that last year Congress did provide it with the authority to issue a rule about providing notice in case of a cyberattack. A rulemaking proceeding is currently underway.

Wales stressed that CISA was not about penalizing or holding businesses accountable. Rather, he said that CISA’s goal regarding attack notification is to gain a better view of the big picture. “We probably only know 30 to 45 percent of what’s going on due to lack of reporting,” he said. CISA’s Notice of Proposed Rulemaking is seeking feedback on how to streamline reporting to minimize burdens, while at the same time allowing CISA to see what new tactics are being deployed and to operationalize this information effectively.

Wales stated that CISA understands that when it comes to reporting and other cybersecurity requirements, there is a need for regulatory harmonization. “This comes up a lot,” he said. Part of the challenge is that various agencies have been given direction by different pieces of legislation from Congress, so the requirements are not identical. By working with industry and gathering feedback, CISA hopes to smooth things out as much as possible. The good news, Wales said, is that Congress did direct CISA not to impose more reporting rules when a current requirement exists.

Wales stressed that CISA remains dedicated to providing cybersecurity resources to industry, especially smaller businesses that have fewer staff. CISA recognizes the challenges smaller providers face in implementing things like the NIST Cybersecurity Framework. Following up on every standard and implementing every recommendation is often not practical.

However, CISA can help smaller providers assess what their cybersecurity priorities might be, what the most essential controls and most effective mitigation steps are likely to be, and can assist with measuring the relative costs and effectiveness of various approaches, given differing levels of complexity, resource availability, and other factors. He also noted that CISA has a great partnership with NTCA through the CyberShare Information Sharing and Analysis Center (ISAC).

CISA also has 125 advisors throughout the country. Wales said that establishing relationships with them in advance, and perhaps engaging them to help with a vulnerability assessment, can be effective in the event of an attack. It is better to have those lines of communication open at the outset. This includes the leadership level; cybersecurity is not just an IT problem. “If you’re not talking about cybersecurity in the boardroom today,” Wales said, “you’ll be doing it during or after an attack.”

Should an attack occur, Wales recognized that reaching out to the government is not always easy as staff is trying to contain damage. Even so, he encouraged providers to do so if at all possible. He noted that coordination between CISA and other agencies like the FBI has improved greatly over the past several years. If you call one of them, they will take care of coordinating with other agencies – a statement Wales admitted he could not make several years ago.

The “Report a Cyber Issue” link at the upper right of www.cisa.gov is a good starting point. Wales concluded by asking providers to be in touch. “There are a lot of attackers out there,” he said. “Reach out to us; we can take on some of this. We are here to assist.”

By Steve Pastorkovich

Steve Pastorkovich is a Washington, D.C.-based consultant specializing in telecommunications, trade association operations, and public policy. Reach him at https://www.linkedin.com/in/steve-pastorkovich-4a94412/
