CISA: “We don’t stab the wounded.”
Jen Easterly, Director of the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”), repeatedly emphasizes CISA’s cooperative approach with the U.S. private sector. During her interview with Sidley’s Alan Raul on April 13, 2022, Easterly emphasized that CISA’s role was not to “name, blame, shame, or stab the wounded” victims of cybersecurity incidents. Instead, she described the Agency as a coequal partner with the private sector in securing U.S. infrastructure. CISA desires to partner with other agencies as well, operating as the “front door” to federal agency support and cyber security resources, she stated. During the Raul interview, she also provided insight into the Agency’s perspective on the newly enacted Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).
Much of the nation’s infrastructure is privately owned, Easterly noted, rich in research and other coveted information, yet often poor in resources. CISA offers readily available expertise and resources. Indeed, CISA is uniquely positioned to offer this assistance to the private sector because it does not play a role as the primary regulator of the victims of cyber incidents. However, attributing much of the current “badness” in “cyber land” to poor cybersecurity, she emphasized CISA’s aim is to rally the community to remediate cyber vulnerabilities. For example, she noted that the Agency’s vulnerability scoring system and exploited vulnerability advisories can be a useful guide to the private sector as it prioritizes its cyber security IT hygiene and its remediation obligations.
Easterly also provided insight concerning newly enacted CIRCIA (while also expressing her preference that the anacronym be pronounced as SEAR sha). Easterly pointed out that CISA remained the appropriate agency to receive reporting mandated by CIRCIA, having been the lead federal agency for reporting since 2015. CISA, she added, will coordinate with other federal agencies to create a coherent ecosystem, capitalizing on the differing authorities and skills of various federal authorities to address cyber threats. “One of our best superpowers is our ability to share information very expansively while protecting privacy, civil liberties and liability,” she added. (subscription access) Noting that CISA has no subpoena power to collect documents from victims, Easterly emphasized that the agency intended to act as “a safe learning environment” for victims of cyber incidents. She added that mandatory reports required by CIRCIA will not be subject to Freedom of Information Act (FOIA) disclosure obligations.
Critically, as concerns the reporting mandates in the Act, the private sector should begin now, Easterly said, to set up an internal communication structure to report discovered vulnerabilities, also noting that no one will be given “absolution” from reporting obligations mandated by the Act. The private sector should also look for opportunities to contribute in the Agency’s planned listening sessions as it builds out the forthcoming regulations. She added that the applicable rulemaking agencies intend to move quickly through the rulemaking process.