
CISA Cyber Campaign Emphasizes Resiliency Around Threats

CISA’s David Mussington highlights an initiative urging organizations to take steps to ensure critical systems are more resilient to threats.


Throughout November, the Cybersecurity and Infrastructure Security Agency (CISA) is running a cyber campaign to educate the public and private sectors on boosting the resiliency of key systems amid severe weather incidents and increasingly sophisticated ransomware attacks that could disrupt business processes.

“We have extreme weather, we have cyber attacks and we have just legacy critical infrastructure systems that often break. All that can impose burdens on businesses, on members of the public and on governments at various levels and on American communities,” CISA Executive Assistant Director of Infrastructure Security David Mussington told GovCIO Media & Research.

CISA’s “Resolve to be Resilient” campaign urges organizations at every level to invest in more techniques to defend critical day-to-day operations from nefarious activities that can significantly interrupt services and cause major financial burdens.

“What we’re trying to do is emphasize that by being resilient one can be more recoverable when incidents occur, for example, extreme weather, the recent hurricanes and provide more continuity and more predictably available services to the public and to all stakeholders,” he added.

CISA provides guidance for the public around best practices for resiliency to quickly recover following a cyber attack. Mussington said it’s important to know your environment, your infrastructure and the dependencies you have on your staff, business partners and stakeholders.

“Once you know your relationships, you have to assess the risks that different natural or human-made threats pose to those critical infrastructures and dependencies. Then you have to plan to mitigate risk and plan to manage your dependencies on others to make sure that if you are victimized or if you’re just unlucky, you’re more likely to be able to recover or ride out disruptive circumstances,” said Mussington. “Make your plans as measurable as possible, there’s no point to having a plan that you can’t tell whether you’re doing better or worse. You have to put in outcome-based metrics of some kind so that you can measure your progress as your plan matures.”

CISA’s Infrastructure Resilience Planning Framework released earlier this year is helping agencies better identify vulnerabilities and adapt to evolving threats. Mussington said the framework provides an approach for all sectors to collaborate on a plan for security and resilience of critical infrastructure.

“It’s a common planning framework, a common planning language, so that organizations from the public sector, the private sector and from the nonprofit sector can understand each other when they’re talking about risk mitigation,” said Mussington. “The primary audience is state and local governments, but they interact with civil society to make sure that plans and risks are properly understood by everybody who’s involved. It can be used flexibly by different kinds of organizations, so it’s not sort of a one-size-fits-all; it can be customized.”

Mussington said that a common framework helps communities better identify risks and integrate security and resilience into other planning efforts.

“It’s less the plan than the planning activity that creates a sort of regular exchange between different stakeholder groups and allows them to understand each other and to grow to build trust,” said Mussington. “Building trust is really very important when it comes to implementing both disruption recovery and just ongoing understanding of risks as they change.”

Mussington also emphasized that while CISA is an all-hazards agency that addresses complicated cyber-related vulnerability mitigation, a great deal of importance is also placed on the physical security of critical infrastructure.

“We’re very involved in things like elections security and special events security. Sporting events where there are complex activities, which involve large numbers of people over a large geographic space where there are stakeholders,” said Mussington. “We provide insights and services in both those areas that maximize the physical and cybersecurity of Americans, and that’s our mission. We’re committed to it and we’re here to help.”
