COMMENTARY: The U.S. Congress has reauthorized the Cybersecurity Information Sharing Act of 2015 (CISA 2015) through January 30, 2026, restoring the law’s liability protections and legal certainty for companies and organizations sharing cyber threat data with the federal government and the ISAO/ISAC communities.This past week, a leaked memo allegedly from Madhu Gottumukkala, the acting director of the Cybersecurity and Infrastructure Security Agency (CISA), appears to direct his agency to begin aggressively staffing-up.The memo claims the organization has been “hampered by an approximately 40% vacancy rate across key mission areas” and lacks the “ability to fully support national security imperatives and administration priorities.”[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]Taken together, these developments call for some geopolitical perspective and some practical prescriptions on how the agency and Congress’s support of it must proceed. There’s no question CISA will need to “build back better.” However, as a practical matter, what new ideas and solutions can the agency implement to improve upon its previous incarnations and present state?
A great part of our struggle to sufficiently address today’s cyber threats is that they are somewhat like the future conceptual threat of climate change catastrophe. Too many Americans won't appreciate the severity of what confronts us until we are hit by a cyber-kinetic catastrophe with loss of life and economic desolation.But all four of our top nation-state adversaries have made the cyber domain central to their national security doctrines. China and Russia are committed to AI dominance and are certainly working to apply such technologies to improve their cyberattacks.The time was yesterday for the United States to rebuild its cyber defenses — and Congress must act accordingly — with urgency to resource and empower them as soon as possible.Tom Kellermann, vice president of cyber risk, HITRUSTSC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
Limited capabilities, growing threats
CISA continues to do an excellent job of issuing notifications and thoughtful sharing of threat data, exploit code, and other threat intelligence. But the last several months have seen the agency undergo dramatic budget cuts and personnel reassignments and departures. Gottumukkala’s acknowledgement of capability deficits should not be shocking so much as infuriating.The neglect of CISA 2015’s expiration and the legislative extension “kicking the can down the road” by only two months are additionally vexing given the substantial degree of bipartisan support for the legislation as well as its proposed replacement from the Senate: The Protecting America from Cyber Threats Act.CISA has essentially become “the wall” between four hostile, rogue nation states — China, Russia, Iran, and North Korea — and the critical infrastructure supporting every aspect of modern life for the American people. These adversaries have been undeniably and unabashedly active in the cyber realm despite a decade of U.S. government protests.Chinese actors in particular have made dramatic progress in burrowing into and colonizing wide swaths of U.S. IT and OT systems, with the Salt Typhoon and Volt Typhoon campaigns being the most significant systemic cyber events in the history of the cyber domain.And the collaboration between these actors has grown. An apparent sharing of attack code and threat intelligence mirrors these governments’ collaboration in the kinetic domain of missile systems, nuclear technology, drones, and other technologies.Indeed, the expiration of CISA 2015 seriously raised the prospect of our attackers sharing more cyber intelligence, technology, and learned expertise than our domestic U.S. public and private sector defenders — let alone between U.S. defenders and allied defenders.Re-staffing and budgeting to meet the mission
As CISA’s Gottumukkala memo prompts the agency’s re-staffing process, recently departed employees have found roles in the private cybersecurity sector, making private sector salaries, and enjoying job security. The agency will either need to spend twice as much on salaries to hire these talented individuals back or contract with Booz Allen, Lockheed, Leidos, and other entities to regain capacity. This will certainly require greater funding for CISA than Congress has budgeted.As a Global Fellow at the Wilson Center, I advocated policies the nation could apply to bolster critical cyber defense capabilities at CISA and across its private sector partners:- Tax credits: We should offer tax credits for corporations that invest a certain percentage of their IT and OT budgets on cybersecurity. Congress would empower and reward the implementation of the defenses specific organizations need, rather than layer prescriptive mandates and inflict fines upon the non-compliant.
- Leverage enforcement to fund critical infrastructure security: The government could force the forfeiture of virtual currencies that are used in child porn and or cybercrime cases. We could then put those funds into a superfund for cash-poor critical infrastructure sectors such as local water utilities that can't afford the latest cyber defense products.
- Invest in cybersecurity education: We could also invest forfeiture in programs to train college students to become certified cyber professionals — and then assign them to spend a few years working for the military or CISA.
