In 2023 CISA reached its five-year anniversary, and much has happened in those years.
The Cybersecurity and Infrastructure Security Agency, the U.S. government’s federal agency dedicated to cybersecurity-related issues, has had to contend with a global pandemic, multiple geopolitical conflicts, leadership changes and an evolving, increasingly aggressive cyberthreat landscape.
CISA Deputy Director Nitin Natarajan, who was appointed to the role in February 2021, told TechTarget Editorial in an interview that adapting to such a landscape has been a challenge, but the agency has built a team of individuals who are “used to working in fast-paced and dynamic organizations.” Natarajan said CISA has hired well over a thousand staffers in the last few years, while also receiving increased budget support from Capitol Hill and forming partnerships that have helped it scale up.
Said staffers include individuals from backgrounds across the federal government, state governments, local governments, the private sector, the intelligence community, the Department of Defense and more. This wide range of experience, the deputy director said, has enabled CISA to adapt to the volatile, constantly changing cybersecurity landscape.
CISA recently published its 2023 Year in Review, a webpage detailing the agency’s accomplishments last year. Some of these accomplishments include nearly 6,700 engagements with stakeholders in the private and public sectors, newly updated secure-by-design guidance, 1,200 warnings of early-stage ransomware activity, a public service announcement campaign and more.
Natarajan said that of CISA’s 2023 accomplishments, he was most proud of the agency’s partnerships and collaborations with entities such as global government partners; security researchers; and state, local, tribal and territorial governments.
“It’s all about partnerships and collaboration. That is what has allowed us to be successful as well as what has allowed us to mitigate risks. It is what allows us to keep adversaries at bay. It is what’s allowed us to do a lot of what we do,” he said. “It’s not easy. It’s easy to say the words collaboration and partnership, but to really build those trusted relationships on an individual level and then elevate those relationships so that it outlives us — I think that is a huge undertaking.”
Here’s more from the conversation with Natarajan.
Editor’s note: This Q&A has been edited for clarity and length.
One of the major things CISA focused on in its 2023 Year in Review was its engagements with 6,700 government and private sector participants. Related to this is CISA’s emphasis on private sector collaborations and partnerships, of which there are many. Have there been any growing pains scaling up to meet these needs? And if so, what were they?
Nitin Natarajan: A lot of that falls on our regional teams. We have 700-plus people in regions and communities across the nation that are focused on these things. At CISA, while we’re five years old, we had a predecessor organization at DHS [Department of Homeland Security] headquarters, and so we’ve had regional teams that have built relationships and communities for the last 15 years.
We are looking at a couple of things. One, that demand always exceeds capacity. I think that’s the same for most government organizations. We’re talking about growing pains as we’re scaling up — it’s really about focusing on those scalable services. We’ve talked about things like our vulnerability scanning, things that are very scalable. And then it’s really about fine-tuning some of those appropriate services for the appropriate customers. When you’re a smaller organization and you have a finite level of engagement, you can offer everything to everyone and see what people are interested in.
As we continue to grow and scale, and as need continues to scale, how do we really get the right solutions or tools into the hands of the right organizations? An organization that is just starting off, or that is new and maturing, has a different capability to accept services than a larger, multinational corporation. Similarly, a large multinational corporation doesn’t need some of the same services as a small business bank. We’ve spent a lot of time really fine-tuning and building new relationships, and having the conversations to get the right tools and services into the hands of our partners. And I think that has allowed us to scale as well. That combination seems to work, and it’s something we’ll continue to do.
Given that CISA is a fairly young organization compared with other U.S. federal agencies that have, in some cases, been established for decades, how receptive have other agencies been to CISA’s leadership on cybersecurity matters?
Natarajan: I think we have built great reputations with our partners. A lot of that has been done by proving our value. I can’t speak for our other partners, but I’d be shocked if they weren’t skeptical of a federal agency standing up.
But there have been a couple things. One, because we’re not mired in decades of doctrine and decades of ‘this is the way we always do things,’ I think that has allowed us to be nimbler and more flexible in meeting the needs of our partners. That has allowed us to really build our relationships in a way that allows us to adapt and not just meet what CISA needs, but meet our partners’ needs as well.
And the second part, which I mentioned, really has been proving our value. When in-house experts [at other partners] come to us with questions and information, we’re able to actually turn around and provide value.
I have a mantra with information sharing that I’ve developed over the years: How do we get the right information to the right people in a timely manner that results in more informed decision-making? We’ve taken a proactive stance in strengthening our information-sharing efforts and sharing with our partners. I think that combination of efforts is really showing our partners that we’ve earned a seat at the table and that we provide value just as they do. And it’s because it truly is a bidirectional or multidirectional relationship with these partners.
We don’t have the same kind of pushback that a new agency would get when they’re first starting up. I think we’ve matured very quickly.
With the Cyber Incident Reporting for Critical Infrastructure Act of 2022 and the agency’s general philosophy, CISA has made a major push for incident reporting in recent years. Could you tell me more about the progress CISA has made on this front?
Natarajan: The one thing we’re really pushing when we talk about incident reporting is that we don’t want to wait for a rule to come out for folks to share with us. CISA is a unique organization in that we are not law enforcement, we’re not the military and we’re not the intelligence community. We work very closely with all those partners, and they’re critical partners in the cybersecurity space. But we truly want to get information and incident reporting — whether it’s hardware or software developers, academic partners, the federal agencies or others — so that we can actually take that information, help identify mitigation steps and get that information back out. Not just to the individual that reported to us, but to the broader ecosystem, other organizations in their sector and global partners.
We want information so we can help you and help your peers not become victims of whatever we’re seeing. The reason we have been pushing information sharing so much is that it is about taking a tragic situation from one organization and helping potentially hundreds, if not thousands or tens of thousands of organizations, by learning from what has happened.
The other thing that has been a huge success for us is our Pre-Ransomware Notification Initiative. This is something that we expected would be extremely helpful, but we found that the number of notifications we did were much greater than expected in the first year.
This is an effort where we know that a victim has been compromised. We know that an actor has either dropped a payload or is in somebody’s network. And we’re able to work with them before they’re locked up to take the right mitigation steps and either evict the adversary, disconnect or what have you. This is somebody who is on the verge of being locked out, on the verge of becoming a victim, and then we’re able to help them stop being a victim.
We did, in 2023, 1,200 of these notifications, which is really kind of mind-boggling. This is 1,200 entities, including over 100 schools, over 150 healthcare organizations — and ultimately, in the healthcare space, these attacks can result in patient safety issues and other issues. That includes almost 100 state, local, tribal, territorial governments, and then hundreds with our partners all over the globe.
Right now, we work with organizations after they get locked up, but preventing organizations from getting locked up, to me, that was a game-changer. And that’s really where we can make a difference that can be used across the nation, and frankly, across the globe.
When it comes to organizations that are affected by a cyberincident or ransomware attack that aren’t healthcare, education or critical organizations — companies that, unfortunately, might be financially motivated to keep elements of a cybersecurity incident under wraps — what messaging or strategies have been effective in getting them to share information at that level? In other words, how do you reach organizations that don’t have any obligation to report things to you?
Natarajan: There are a couple of fronts. One is just education — letting people understand why we want information sharing and what the return on investment is, what the return to them for sharing with us can result in. And we’ve done this through a number of efforts.
We have an effort that we kicked off last year on corporate cyber-responsibility. We want to educate CEOs and boards. We want to elevate the conversation of the value add — the importance of cybersecurity at large, but also elements of cybersecurity such as incident reporting.
I look at risk as a three-legged stool. We spend a lot of time on risk identification at organizations. We spend a lot of time on risk mitigation at organizations. But we often forget the third leg of that stool, which is risk acceptance. If we identify risk, and we can’t mitigate it, because we can’t mitigate all risks, we’re accepting the risk. And that risk acceptance, usually in the private sector, doesn’t reside with the CISOs. It resides with the CEOs and the board. We have really done a lot of education to help CEOs and boards of organizations to understand the value in being an active participant in information sharing, as well as the return on investment to them and their organization.
The other element that has been helpful is that people are seeing the protections that are in place for information sharing. If you talk to CISA, we don’t put it on the front page. We have legislation in place since 2015 that prevents us from sharing that information broadly. I think that as more people work with us and more people see the value add, frankly, they’re telling their peers and their colleagues. We also get a lot of referrals, and that’s really been helpful in getting people to share more with us.
Some organizations use third parties. We have things like the Multi-State Information Sharing and Analysis Center [MS-ISAC], and ISACs in general, that we have great relationships with and that share information with us. There are multiple ways to get into the process. I think as more folks see the value add from that, the more people want to participate because they see their ROI.
But you do feel year over year that more victim organizations are looping CISA in or working with you post-attack?
Natarajan: Yes. I definitely think it’s increasing. It’s never where we want it to be, but I think we’re definitely seeing an increase in people getting more comfortable and trusting as CISA continues to mature.
Alexander Culafi is an information security news writer, journalist and podcaster based in Boston.