CISA adapts to address cybersecurity threats

As ransomware attacks continue to plague IT teams across all sectors, the Cybersecurity and Infrastructure Security Agency is working to counter them through a variety of means. With Log4J giving the cyber and IT community a scare with how easy it was to exploit, it became clear that a paradigm shift was necessary.

“I think everyone needs to understand software supply chain, I think people also do need to understand how their systems work, what connects to the internet, what vectors exist, where you’re doing, mitigation efforts at your, your perimeter, we absolutely encourage everyone to start moving to a zero trust model,” CISA Chief Information Officer Robert Costello said on Federal Monthly Insights: Going Beyond Data Protection. “But we know that’s hard. It doesn’t happen overnight.”

Costello also emphasized that it is important to remember that every cybersecurity implementation affects real people in the field, meaning that keeping things from getting too difficult is critical.

“I think we’re seeing too, no matter what, if you make things too difficult, people will find a way to circumvent it,” Costello said on the Federal Drive with Tom Temin. “We want to ensure that as people are implementing these solutions, they are looking at all the different angles to make sure that they’re actually improving their security model and ensuring that their users, particularly privileged users won’t find ways to circumvent things. Because that’s something else that we need to be really, really hammering home is privileged users must be held to a higher standard for access across the board than standard users.”

Continuous monitoring has long been the recommendation by the Department of Homeland Security. According to Costello, static models don’t work anymore. Which is why they are working to improve their partnership with the private sector, particularly the research community. Tapping into them and their resources could prove to be greatly beneficial to those working in cybersecurity in the public sector. One way CISA is working with the private sector is through a program called Hack DHS, a bug bounty program set up to identify potential vulnerabilities. By rewarding those who come forward with information about weaknesses within the department’s systems.

“[There] have been a number of vulnerabilities found that we’re very thankful for, that we’re working to mitigate,” Costello said. “I did see on our site, a very rapid response, I didn’t see any negativity at all, which was very gratifying. So it’s definitely something I’m going to work on expanding and run continuously.”

Now, CISA holds “Industry Days” where they interact with their counterparts in the private sector. This allows the agency to learn from people with diverse backgrounds in cybersecurity, which ultimately benefits everyone involved.

“[The] vendor community can’t help the federal government if they don’t know what our requirements are. So if we’re not all talking, if the only time we talk is when we drop an RFI or an RFQ — we need to improve that,” said Costello. “And we need to make sure that we’re having good positive interactions with the vendor community that we’re running proofs of values, and that we’re working together because I do believe that that will lead to better results.”