CISA reveals 3-year cyber security strategic plan

The FY 2024–26 Cybersecurity Strategic Plan will be executed under the Cybersecurity and Infrastructure Security Agency’s (CISA) 2023–25 Strategic Plan and has been informed by the wider-looking US National Cybersecurity Strategy.

The new plan rests on three core pillars, each broken down into three further parts. Taken as a whole, the plan “provides a blueprint for how the agency will pursue a future in which damaging cyber intrusions are a shocking anomaly, organisations are secure and resilient, and technology products are secure by design and default”.

Goal one: Address immediate threats

To cut a long story short, CISA believes cyber criminals and other threat actors currently have it too easy. Software and hardware vulnerabilities are not only rife, they are too often discovered well after an intrusion has already taken place, making American organisations a “soft target”.

According to CISA, the goal moving forward should be to make cyber crime and espionage harder to accomplish and more costly for the threat actors involved. When an intrusion does occur, it is detected and ejected, and vulnerabilities are found and addressed before they can be taken advantage of.

To that aim, CISA plans to increase the cyber security community’s ability to discover and mitigate threats using every tool available. Data must be shared in real time with partners and stakeholders.

“Working collaboratively with our partners, we must identify and mitigate threat campaigns before significant damage occurs,” CISA said in the strategy document.

The second objective in threat detection is coordinating the discovery and disclosure of critical vulnerabilities. These must be discovered and understood before they are taken advantage of by threat actors and be widely shared between the cyber security community. CISA believes collaboration between all parties, private and public, is essential.

Lastly, CISA aims to update the National Cyber Incident Response Plan and work closely with government partners so that when incidents do occur, there are “appropriate consequences” for the threat actors behind them.

Goal two: Harden the terrain

CISA believes that while chief information security officers are calling for more investment in cyber security technology and capacity, not enough executives are listening, “to the detriment of cyber security and, at times, national security”.

CISA aims to provide clear advice and guidance in the hope of influencing decision makers while also providing “best-in-class services” to what it calls “target rich, resource-poor” organisations.

The first part of this strategic goal is to understand how attacks are taking place. Analysis of successful intrusions is a key part of this goal, as well as sharing this knowledge with all stakeholders.

“This knowledge is a prerequisite for us to proactively drive pro-security decisions and inform and justify security decisions made by all levels of government and across the private sector,” CISA said.

Providing actionable advice and guidance to organisations is the second key plank of this goal. CISA will exercise its authority to improve baseline security in federal civilian executive branch agencies while also addressing any perceived gaps in security. At the same time, CISA will “provide guidance that supports prudent investment, including machine-readable technical information by default” to organisations country-wide.

The final objective is filling gaps across the board and measuring the progress of all cyber security initiatives. This includes expanding the Continuous Diagnostics and Mitigation program and CISA’s Cybersecurity Shared Services Office.

To that end, CISA “will provide cyber security assessments and, in cases where our authorities allow us, shared services that meet identified capability gaps and are consumable by our partners, guiding target rich/resource-poor entities to alternative providers when necessary, benefiting from relationships and scale offered by our regional teams”.

Leveraging commercially available tools is a key part of this objective, and CISA plans to develop its own tools only when absolutely necessary.

Goal three: Drive security at scale

The final goal can be summed up simply with one phrase: security first.

“Technology should be designed, developed, and tested to minimise the number of exploitable flaws before they are introduced to the market,” CISA said.

CISA believes that cyber security should be treated like any other serious safety issue and that technology companies need to be “radically transparent” when it comes to flaws in any part of their business, from supply chains to hardware. Security needs to be built in, not an afterthought.

Artificial intelligence, in particular, is called out as something that needs to be addressed as both a risk and an opportunity, as is quantum computing.

“Recognising that a secure future is dependent first on our people,” CISA believes, “we will do our part to build a national cyber security workforce that reflects the diversity of our country.”

The first step to building this future is building a culture of security first when it comes to product design of any kind. This begins with defining what makes a secure product offering in the first place; this will be a data-driven process to drive down risk across a range of different attack vectors.

CISA also proposes the adoption of a software bill of materials to boost transparency when it comes to vulnerabilities.

“Even as we maintain our voluntary, trust-based model of collaboration,” CISA said, “we will strive to ensure that regulators and other government entities with compulsory authorities leverage technically sound and effective practices developed together with our partners across the private sector, ideally enabling harmonisation across both US and global regulatory regimes”.

Addressing emergent technologies such as AI and quantum computing is the second step. According to CISA, “the technology environment of the near future” may present just as much risk, if not more, than the technology practices of the past and present”. The key is to ensure that such technology is used in a responsible – and secure – manner.

The last step in hardening the attack surface is building capacity within the cyber security workforce. Currently, the entire sector is remarkably short-handed – and suffers from a serious diversity problem. CISA intends to work with the Office of the National Cyber Director to address this problem, while also focusing on education of the general public.

“We will seek opportunities to bolster the national cyber and cyber-adjacent workforce – focusing both on ensuring the current cyber security workforce has the skills needed for a changing risk and threat environment and expanding the pipeline for the future workforce, from ‘K to Gray.’”

The last word

Ultimately, CISA believes this is a make-or-break-it moment, especially over the next three years. It considers the current situation effectively “untenable” and that the work to be done is “essential”.

“The risks are severe and mounting, the hurdles are high,” CISA believes. “But they are surmountable.”

This article was originally published on Momentum Media's sister company Cyber Connect.