Why We Need a Team Defense in Cyber
Jeff Greene
Today, every department and agency in the United States government has a cybersecurity mission. For most, the mission is narrowly focused: defend their networks, data, and personnel. For some, that mission is broader, from developing international standards to partnering with the private sector to conducting offensive operations. But only one agency – CISA – has one primary, unambiguous mission: cyber defense.
This clarity of purpose matters.
This does not diminish the quality or importance of the work of other agencies; the FBI, NSA, NIST, CIA, State, Secret Service, OMB, and others play essential roles in securing our nation and imposing costs on our adversaries. But none prioritizes defense as its central, animating mission. In contrast, CISA’s first principle is empowering defenders and advocating for defense-first policies inside and outside government.
Cyber attacks are now among the most significant threats to national security, economic stability, and democratic resilience, and the U.S. government’s cyber responsibilities are dispersed across numerous agencies. Each has its own history, authorities, and culture. On the cyber defense side, CISA’s work overlaps with several, including the following.
- The Federal Bureau of Investigation (FBI) is primarily a law enforcement agency. Its cyber mission centers on investigating cybercrime, attributing malicious activity, imposing costs on our adversaries, and bringing cases to prosecution.
- The National Security Agency (NSA) is part of the intelligence community (IC), with signals intelligence (SIGINT) and cybersecurity missions. It collects and processes SIGINT and works to prevent and eradicate threats to U.S. national security systems. The NSA also partners with allies and industry to strengthen cybersecurity capabilities.
- The National Institute of Standards and Technology (NIST) develops technical standards and guidance and works closely with industry and our international partners. It is not an operational security agency; it is a non-regulatory body that supports the development and adoption of cybersecurity practices across government and industry.
Each of these organizations is essential to national and economic security, but their missions are broader than just defending America’s digital infrastructure. For operational policy reasons, government needs an agency with that singular focus – and today that is CISA.
CISA’s Core Mission: Defense First
CISA was established in 2018, built on DHS’s National Protection and Programs Directorate (NPPD), which was home to the Office of Cybersecurity and Communications. It is now an operational component of DHS charged with protecting the nation’s critical infrastructure from cyber threats and ensuring resilience in the face of attacks. It has no offensive, intelligence collection, or law enforcement mandate. Instead, its responsibilities are entirely defensive:
- Protecting the Federal Civilian Executive Branch (FCEB): CISA is charged with safeguarding the networks of non-military, non-intelligence federal agencies – the digital backbone for services that millions of Americans rely on every day.
- Serving as a hub for public-private collaboration: CISA leads information sharing with critical infrastructure sectors, state and local governments, and private industry.
- Acting as a national coordinator: CISA provides guidance, alerts, and mitigation resources to defenders nationwide, ensuring consistent awareness of threats and vulnerabilities.
- Empowering defenders: From free tools to advisories to incident response support, CISA exists to empower network defenders in both government and industry.
Disclosing Vulnerabilities and Mitigating Risk
Consider Coordinated Vulnerability Disclosure (CVD), the process by which security researchers and organizations work together to identify, report, and remediate software or system vulnerabilities in a responsible, timely manner. CISA plays a central role in this process as a trusted, neutral intermediary between researchers and industry vendors. CISA receives vulnerability reports, validates the information with the relevant vendors, and helps to develop and test mitigation plans before any public announcement. This process ensures that patches or updates are ready for users when a vulnerability is disclosed, which reduces the amount of time that a vulnerability is publicly known and available for exploitation by malicious actors.
This process can be fraught, as the two communities (security researchers and the technology industry) often do not trust one another, and at times outright dislike each other. When a researcher comes to CISA, it is often after they are unable to establish contact with a vendor to disclose a vulnerability they discovered. In other cases, a vendor approaches CISA when it is struggling to come to agreement on a responsible disclosure plan with a researcher. In both cases, CISA’s role is more than technical. Emotions are often raw, as vendors can feel like the researcher is attacking their product and their development processes, and researchers can feel unappreciated and disrespected. It is CISA’s job to calm these emotions, ensuring that researchers can disclose flaws without having to navigate the complexities of vendor relations. The end result benefits all of us: a plan that ensures a vulnerability is disclosed and mitigated in a way that protects the broader public.
Can other agencies serve this function? Of course, and some are part of the process. But CISA has become the one-stop shop for many researchers, who trust it because its mission is pure defense – it has no law enforcement, intelligence, or regulatory responsibility. The system works better and faster because of this trust, which means that vulnerabilities are remediated more quickly and effectively.
Securing Federal Civilian Executive Branch (FCEB) Networks
Next consider CISA’s role in helping to secure the FCEB. While every agency retains responsibility and authority for securing its own systems, CISA plays an essential role looking across agencies and providing support and tooling. In the wake of Russia’s SolarWinds compromise of myriad public and private entities, discovered in late 2020, the federal government took a hard look at how Russia breached federal agencies. With hindsight, we identified events that were part of the intrusion, but prior to detection we did not see enough and could not correlate them across federal agencies.
Fast-forward to when I left CISA in January of this year. With help from the White House and Congress, and in partnership with dozens of federal agencies, CISA can now monitor scores of federal agencies in real or near-real time. It can take individual bits of data, look at logs and information from across the FCEB, and use this to detect malicious activity far earlier than even the most sophisticated local detection tools because CISA is looking at data from across agencies. By using this capability – and as the hub for sharing with CISA’s federal and private sector partners – the agency has been able to detect sophisticated nation state activity before it was able to do much harm. This is something no individual agency could do on its own. CISA can, by using its unique statutory authorities and enabling direction from the White House, provide insights and data sharing otherwise unavailable.
A Necessary Voice inside Government
CISA also plays an important role during internal U.S. government policy discussions – the oft-cited “interagency.” CISA’s defense-first mandate makes it the natural advocate for security and resilience in interagency debates. Whether the subject is vulnerability disclosure, cyber norms, or critical infrastructure protection, CISA consistently emphasizes the needs of defenders.
This role is not abstract – it shapes real policy outcomes. For example, CISA can push for broader sharing of threat intelligence with private industry, even as other agencies might want to hold information close because of the needs of their mission, whether for law enforcement, military, or intelligence reasons. It can champion rapid patching timelines, standardized configurations, and stronger baseline requirements across government networks. Its influence derives not from investigative powers or offensive capabilities, but from its credibility as a defender, first and last.
One specific area where CISA’s voice matters is the Vulnerabilities Equities Process, or VEP, created in 2010 and made public in 2014. This is the interagency mechanism for deciding whether software vulnerabilities should be disclosed to vendors or retained for intelligence or military use. During these important discussions, it is essential to have a defense-focused advocate. CISA will not always win every policy debate (whether broadly or for VEP specifically), but policymakers need to hear all sides of an issue if they are to make the best decisions for the country.
CISA as the Enabler of Network Defenders
Perhaps most importantly, CISA exists to enable defenders across the nation. Its alerts, advisories, free tools, and incident response teams are designed not for itself, but for the network operators who form the front line of cybersecurity. Over the past seven years, CISA has worked hard to build its brand; the debates we had about whether to issue cybersecurity advisories or to lend our name to other similar publications were frequent and intense. We would not co-brand a publication if it was merely for publicity, included only information that others had already published, or did not provide actionable information to network defenders. As a result, the CISA label on a cybersecurity advisory carries weight, and network defenders know that if CISA lends its name to something, they need to pay attention.
This defender-centric posture is special in government. CISA works with partners in the U.S. government and abroad, and proactively shares threat information and technical expertise to give defenders every possible advantage. The Shields Up campaign in advance of Russia’s full-scale invasion of Ukraine gave specific, actionable information about Russian state-sponsored threats and steps to defend against them. For every Fortune 100 company with a mature cybersecurity program, there are thousands of smaller organizations that depend on CISA’s accessible resources.
Why CISA Must Remain the Nation’s Cyber Defense Hub
In a federal landscape of agencies with varied cyber missions, CISA’s clarity of purpose and defense-focused voice is invaluable. This ensures that resilience is never an afterthought. Moreover, CISA has become a trusted public face of government cybersecurity. Researchers, vendors, and network operators know they can turn to CISA as a non-regulatory body with no law enforcement or intelligence mission. This trust is not incidental – it is the product of CISA’s defense-first culture.
As cyber threats continue to grow, the U.S. will need offense, intelligence, law enforcement, and standards. But without a pure defense agency, the balance of priorities could skew dangerously away from resilience. CISA fills that gap.
What’s Next for CISA
CISA needs to solidify the gains it has made in the past years, and to sustain the quality and breadth of its work even as it goes through steep budget cuts and sees key staff depart. This will not be easy. CISA’s new leadership is focused on the mission, but unfortunately, they have fewer resources with which to work than did I or my predecessors.
The most important thing CISA can do is to stay focused on being “Team Defense” in the U.S. government cybersecurity community. This perspective is an essential part of internal policy debates and a crucial resource to the private sector. CISA’s positions will not always carry the day – nor should they, as other agencies have competing, legitimate interests. But these views, and the defense-first arguments, will help shape policy regardless of whether they are adopted in whole or in part.
CISA should also build on the brand it has already established, through continued rigor and through outreach to the broader cybersecurity community. In the months since I left the Cybersecurity Division, I have talked to numerous cybersecurity executives in a variety of companies, in the technology sector and beyond. Some understand and appreciate that CISA is careful about using its logo on advisories, but many do not. CISA should work to expand this awareness – not for its own brand, but rather so that cyber defenders know that CISA’s endorsement of an alert means it is something they need to consider immediately.
CISA and its Cybersecurity Division (CSD) should also continue some of the key programs and initiatives of the past few years. Every administration has different priorities and philosophies, but some should transcend these changes. For instance, encouraging vendors to build better, more secure products is not a political statement, and I’ve been pleased to hear DHS leadership talk about this publicly. Similarly, CISA should lean into success stories like the Known Exploited Vulnerabilities (“KEV”) Catalog, a list of the highest-priority software vulnerabilities that must be patched quickly to reduce real-world attack risk. Though just four years old, KEV is already seen by cyber defenders across sectors as an invaluable tool.
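The paragraph above describes KEV as a list of vulnerabilities that must be patched quickly. The script below is an added example, not code from the article or from CISA, showing how a defender typically turns the catalog into a remediation order: scanner findings are matched against KEV entries, KEV hits are ranked by how far past (or close to) their remediation due date they are, known ransomware use breaks ties, and everything not in the catalog falls back to severity ordering. The catalog records and scanner findings are constructed sample data; the field names (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse) are assumed to follow the public KEV JSON feed, and the CVE identifiers are placeholders rather than real catalog entries.

```python
from dataclasses import dataclass
from datetime import date

# CONSTRUCTED sample of a KEV feed. Field names are assumed to match the
# public catalog's JSON; the CVE IDs are placeholders, not real entries.
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleCo", "product": "EdgeGateway",
         "dueDate": "2025-03-01", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-00002", "vendorProject": "ExampleCo", "product": "MailServer",
         "dueDate": "2025-04-15", "knownRansomwareCampaignUse": "Unknown"},
    ]
}


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float  # scanner-reported base score; only used to order non-KEV findings


# CONSTRUCTED scanner output: two hosts carry KEV entries, two do not.
SCAN_FINDINGS = [
    Finding("web-01", "CVE-0000-00009", 9.8),
    Finding("mail-01", "CVE-0000-00002", 7.5),
    Finding("vpn-01", "CVE-0000-00001", 8.1),
    Finding("db-01", "CVE-0000-00010", 5.3),
]


def load_kev(feed):
    """Index catalog entries by CVE ID so each finding is a dictionary lookup."""
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def _as_date(value):
    return date.fromisoformat(value) if isinstance(value, str) else value


def days_until_due(entry, as_of):
    """Negative when the KEV remediation due date has already passed."""
    return (date.fromisoformat(entry["dueDate"]) - _as_date(as_of)).days


def prioritize(findings, kev, as_of):
    """KEV hits first, most overdue first; ties broken by known ransomware use,
    then CVSS. Findings absent from the catalog follow, ordered by CVSS only."""
    def sort_key(finding):
        entry = kev.get(finding.cve)
        if entry is None:
            return (1, 0, 0, -finding.cvss)
        ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
        return (0, days_until_due(entry, as_of), -int(ransomware), -finding.cvss)
    return sorted(findings, key=sort_key)


def describe(finding, kev, as_of):
    """Human-readable reason for a finding's position in the remediation order."""
    entry = kev.get(finding.cve)
    if entry is None:
        return f"not in KEV; CVSS {finding.cvss}"
    left = days_until_due(entry, as_of)
    status = f"overdue by {-left} days" if left < 0 else f"due in {left} days"
    ransom = "; known ransomware use" if entry.get("knownRansomwareCampaignUse") == "Known" else ""
    return f"KEV ({entry['vendorProject']} {entry['product']}): {status}{ransom}"


def remediation_report(findings, kev, as_of):
    """Return (host, cve, reason) tuples in the order they should be worked."""
    return [(f.host, f.cve, describe(f, kev, as_of)) for f in prioritize(findings, kev, as_of)]


if __name__ == "__main__":
    for host, cve, why in remediation_report(SCAN_FINDINGS, load_kev(KEV_SAMPLE), "2025-04-01"):
        print(f"{host:8} {cve:15} {why}")
```

The design choice worth noting is that catalog membership outranks CVSS entirely: a CVSS 7.5 issue on the KEV list is worked before a CVSS 9.8 issue that is not, because KEV records what is actually being exploited rather than what could be. In practice the sample dictionary is replaced by the downloaded feed and the scanner list by real tool output.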
Along those lines, CISA must double down on its track record of partnership with the private sector, and maintain its strong relationships with Congress. The private sector needs CISA as much as CISA needs it, and together they can advance our nation’s security posture.
