The Future of CISA
Essays on Building the Next Generation of Cyber Defense
Edited by Jane Holl Lute, Rob Knake, and James Lewis
Project on Technology and Security
November 3, 2025
Executive Summary:
Introduction (Jane Holl Lute)
- Persistent US Cyber Weakness and Bureaucratic Conflict: Despite its power, the US remains vulnerable to cyberattacks due to the vast, rapidly growing complexity of cyberspace and decades of internal bureaucratic battles—primarily among the Department of Homeland Security (DHS), NSA, and FBI—over which agency should lead the federal cybersecurity effort.
- Challenges Facing CISA and Escalating Threats: While the creation of the Cybersecurity and Infrastructure Security Agency (CISA) aimed to resolve the leadership issue, it has struggled to establish itself as the nation’s primary cyber defender. This challenge is heightened by the acceleration of Artificial Intelligence (AI), which provides attackers with vastly more powerful tools for intrusions aimed at causing physical-world effects (theft, extortion, destruction) across critical sectors.
Framing the Challenges for CISA (James Lewis)
- CISA evolved from a fragmented agency landscape, consolidating multiple predecessor agencies (NCSD, NPPD) that struggled with unclear missions, interagency rivalries, and inadequate resources before its establishment as an independent agency in 2018.
- Strong policy foundations (EO 13636, PPD-41, EO 14028) clarified CISA’s role as the lead federal agency for domestic cybersecurity and critical infrastructure protection, with primary responsibility for protecting civilian federal agencies.
- CISA faces persistent challenges including resource constraints (exacerbated by DOGE cuts), tensions with ONCD, and ongoing debates about whether it should have regulatory powers beyond its current voluntary, partnership approach.
Why We Need a Team Defense in Cyber (Jeff Greene)
- CISA is the only U.S. government agency with an unambiguous mission focused on cyber defense, distinguishing it from agencies like FBI (law enforcement), NSA (intelligence), and NIST (standards).
- CISA’s “defense-first” focus enables it to serve as a trusted, neutral intermediary in critical functions like coordinated vulnerability disclosure, where researchers and vendors need a non-regulatory, non-law enforcement partner to facilitate responsible security improvements.
- CISA’s brand credibility and defender-centric posture—demonstrated through programs like the KEV Catalog, Shields Up campaign, and cross-agency monitoring capabilities—makes it an essential voice in government policy debates and a vital resource for network defenders nationwide.
CISA and the Civilian Face of Cybersecurity (Bobbie Stempfley)
- Cyber resilience begins locally with state/local governments and industry—not in Washington—making CISA’s role as a civilian, non-regulatory partner essential for connecting federal insight with local action while respecting civil liberties and avoiding the trust issues associated with law enforcement or intelligence agencies.
- CISA successfully translates national intelligence into actionable local warnings (e.g. 2,100-plus pre-ransomware alerts in 2024) and bridges gaps between large technology companies and resource-constrained municipalities, counties, hospitals and school districts that face the hardest challenges in cyber attacks.
- Credibility depends on measurable outcomes and transparency, demonstrated through initiatives like phishing-resistant MFA deployment tracking at USDA, detailed incident response timelines, and the Nationwide Cybersecurity Review self-assessment tool that provides communities with benchmarks for improvement.
Beyond Federal Boundaries (David Mussington)
- Resource constraints at CISA and Sector Risk Management Agencies (SRMAs) have shifted the operational burden of cyber defense to managed service providers (MSPs) and cloud service providers (CSPs), who now serve as frontline responders for critical infrastructure security at the asset and local levels.
- This decentralized model can create significant risks including fragmented defenses, supply chain vulnerabilities (as seen in Log4j), accountability gaps, and reduced federal situational awareness, since CISA often learns of breaches through news reports rather than direct notification.
- Effective national resilience requires federal policy to provide frameworks and incentives that empower local defense, set minimum vendor standards, strengthen ISACs/ISAOs as trusted intermediaries, and establish clear protocols for escalating asset-level incidents to sector and federal authorities.
Reauthorizing CISA 2015 (Cristin Flynn Goodwin)
- The Cybersecurity Information Sharing Act of 2015, which provides legal protections for private sector threat information sharing with government, expired on September 30, 2025 and should be reauthorized to maintain stability in both public-private and private-private sector information exchanges.
- CISA currently functions primarily as an information disseminator rather than a true sharing partner because it still lacks significant first-party threat data, creating an imbalance where companies must weigh what to share, knowing it could be broadly distributed across federal agencies.
- CISA’s future potential lies in developing robust threat-hunting capabilities across the Federal Civilian Executive Branch (using tools like CDM and EINSTEIN) to generate its own intelligence, transforming it into an equal partner to FBI and NSA that can truly share rather than just receive and disseminate threat information.
Lessons Learned from Lessons Learned: The CSRB Can’t Be Voluntary (Rob Knake)
- The Cyber Safety Review Board’s scathing report on Microsoft’s 2023 Exchange Online intrusion—while exemplary—likely destroyed prospects for future voluntary corporate cooperation, as no rational CEO would willingly participate in a process that could harm shareholder value without legal compulsion.
- The CSRB needs three fundamental reforms to be effective: unambiguous investigative and subpoena authority (modeled on the NTSB), a full-time professional investigative staff paid at market rates to handle multiple concurrent investigations, and true independence from federal agencies whose actions may be under review.
- The current part-time, voluntary model cannot scale to meet the challenge—numerous significant incidents (Colonial Pipeline, Kaseya, MOVEit, CrowdStrike outages) have gone uninvestigated, and having federal agency representatives serve as board members creates inherent conflicts when those agencies’ failures should be examined.
Author Biographies
Jeff Greene is a Distinguished Fellow with the Aspen Institute’s Cybersecurity Program and the author of the blog Cyber Shorthanded. He also advises public and private sector leaders on cybersecurity and resilience issues. Jeff served as the Executive Assistant Director for Cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA) and the Chief of Cyber Response and Policy on the National Security Council (NSC) during the Biden Administration. Before that he was Director of NIST’s Cybersecurity Center of Excellence and was an executive in a private sector cybersecurity company.
Rob Knake served as Deputy National Cyber Director at the Office of the National Cyber Director (ONCD) from 2022 to 2023. Earlier in his career he served at CISA’s predecessor agency, the National Protection and Programs Directorate.
James Lewis is a Distinguished Fellow at the Center for European Policy Analysis who has written extensively on cybersecurity. Earlier, he was a researcher at the Center for Strategic and International Studies.
Jane Holl Lute is a distinguished American diplomat and senior executive who has held key roles in the United Nations and U.S. government. She served as the first UN Assistant Secretary-General for Peacebuilding Support and as Deputy Secretary of Homeland Security. Lute is known for her expertise in international security, crisis management, and global peacekeeping efforts.
Dr. David Mussington is a Professor of the Practice at the University of Maryland’s School of Public Policy. He rejoined UMD after serving as the Executive Assistant Director for Infrastructure at CISA, where he was a Presidentially appointed official responsible for implementing the nation’s critical infrastructure security and resilience. He led efforts on counter-terrorism, reducing targeted violence, and physical infrastructure security. He was also a founding member of CISA’s Cyber Safety Review Board. Dr. Mussington has extensive public and private sector experience in cyber and infrastructure security, including roles as a Senior Advisor for Cyber Policy for the Office of the Secretary of Defense and as a Director for Surface Transportation Security Policy on the NSC staff. He directed cybersecurity studies for DHS, ODNI, and NATO as a researcher at RAND and the Institute for Defense Analyses. He is a life member of the Council on Foreign Relations.
Cristin Flynn Goodwin is the Managing Partner of Advanced Cyber Law, LLC and the host of the Advancing Cyber Podcast. She also consults with Good Harbor Security Risk Management. Cristin spent over 17 years as the head cybersecurity lawyer for Microsoft’s incident response, threat intelligence, and information sharing teams and led Microsoft’s work to disrupt nation state actors and spyware vendors.
Roberta Stempfley serves in an executive leadership role at Dell Technologies driving Security and Resilience efforts in the product business units. Bobbie served in executive leadership roles in DHS and DoD where she led efforts to engage with critical infrastructure and the Federal Government to reduce cyber risks and to prepare for and respond to cyber events. As the CIO of the Defense Information Systems Agency she had the responsibility for the digital transformation of a major defense agency.
Introduction
Jane Holl Lute
It surely is an irony of the current day that, notwithstanding the extraordinary power of the United States, it remains remarkably weak in defending its most important assets against cyber attacks. Part of the explanation for this persistent weakness lies in the nature of the challenge – the world of cyberspace is vast and complex – growing organically, instantaneously, and increasingly wealthy with every passing day. Very simply, the power to connect has vastly outpaced the power to protect, leaving governments, including the world’s most powerful government, in the unfamiliar role of market participant and not market leader in the domain of security.
But part of this sorry state of affairs can also be explained by the way the U.S. government has approached its role in cybersecurity over the past four decades – following the first documented case of a cyber breach in 1986 revealing that one Markus Hess, a German national, had hacked into the Lawrence Berkeley National Lab, selling the information he stole to the Soviets.
For a good part of the years since then, and through the better part of this century, a quiet battle has raged in the bureaucracies of the U.S. federal government and among U.S. national security, law enforcement, and homeland security agencies. Which among them would ultimately be tapped to lead the federal effort? Indeed, what, exactly, was the federal government expected to do when it came to ensuring the cybersecurity of the nation?
The question was crystallized in 2010 with the publication of the first ever Quadrennial Homeland Security Review (QHSR). For the first time, the (still relatively new) Department of Homeland Security (DHS) identified “safeguarding and securing the nation’s cyberspace” as one of its five core homeland security missions. And over the past fifteen years, DHS has organized and reorganized itself to achieve this aim – while under near-constant bureaucratic opposition and assault from its sister agencies – principally the National Security Agency and FBI – that believed the mission belonged with them.
It appeared that Congress resolved the question of agency primacy with the creation of the Cybersecurity and Infrastructure Security Agency (CISA) under an act of the same name in 2018. But in many ways, the challenge was just beginning. Notwithstanding Congress’ intent and support from the White House, CISA has struggled to establish its role as the Nation’s leading cyber defender. Why this is so is no mystery, and in the pages that follow, some of the most experienced voices who lived these developments offer explanations to account for the weaknesses that persist.
Yet, it would be wrong to say that no progress has been made. There can be no question that the owners of U.S. critical infrastructure are now more aware of the hazards in cyberspace, more engaged in active defenses, and more willing to work with the government to further strengthen those defenses than even a few short years ago.
But time is not on the side of defense. With the rapid acceleration of artificial intelligence (AI) in all its manifestations, cyber attackers now have a vastly more powerful set of tools for mischief and crime, not only in cyberspace, but in every conceivable domain. No area is safe or secure from harm: finance, education, health care, biosecurity, national defense, and more. Indeed, it is probably safe to say, again, perhaps ironically, that cyber attacks are not even their own point any more (if they ever were). Cyber intrusions are intended to have a physical world effect – theft, extortion, distortion, and even destruction.
But no single actor can do all that needs doing when it comes to cyber defense, and all that needs doing cannot be done alone. If the Federal Government will now do less in our lives than in previous decades, there remains, nevertheless, an irreducible role for it to play here. The U.S. government must orient its attention and effort on the practical steps necessary to ensure the nation’s cyber protection, and CISA has a critical role to play in the months and years ahead. The chapters that follow are focused on the future – which has come for us, whether we are ready or not.
Framing the Challenges for the Cybersecurity and Infrastructure Security Agency (CISA)
James Lewis
The Cybersecurity and Infrastructure Security Agency (CISA) is the lead agency for domestic cybersecurity and critical infrastructure protection. CISA is a major improvement over its predecessors. It has achieved many of the initial goals envisioned in its creation. The challenges CISA faces date to its inception: interagency rivalries, a lingering debate over the need for regulation, and resources for building a tech-centric workforce. CISA has been a success, but more could be done, and these essays lay out the rationale for further developing CISA’s missions.
A Fragmented Landscape Before CISA
Established in 2018, CISA is a relatively new agency and cybersecurity is a relatively new governmental function. DHS itself was created in January 2003 in response to the September 11 attacks, to ensure that another 9/11 would never happen. The initial DHS component responsible for cybersecurity was the National Cyber Security Division (NCSD), established in June 2003. NCSD was created by merging existing cybersecurity organizations from other federal agencies. These included:
- Critical Infrastructure Assurance Office (CIAO, ambiguously attached to the Department of Commerce)
- National Infrastructure Protection Center (NIPC, formerly part of the FBI)
- Federal Computer Incident Response Center (FedCIRC, part of the National Institute of Standards and Technology, within the Department of Commerce)
- National Communications System (NCS, established in 1963 and managed by the Department of Defense)
NCSD was not a happy marriage of these previously competitive agencies, nor was cybersecurity a priority for DHS’s initial leadership. In 2007, NCSD was folded into a new National Protection and Programs Directorate (NPPD), to create a more cohesive entity that could address both cyber and physical threats to the nation’s infrastructure. This integration reflected the belief that physical and cyber threats were intertwined and best managed by a single directorate. This belief reflected an intermediate stage of threat evolution. The initial concerns, post-9/11, were physical threats. This was followed by growing awareness of the convergence of physical and cyber threats, which then evolved into a focus on cybersecurity and its role in physical security. But since 2007 there have been only a handful of minor physical attacks (more like vandalism) against facilities like electrical substations that serve a single community. It would take dozens of these attacks launched simultaneously to achieve the disruptive effect of a single large cyber attack.
NPPD merged disparate programs within DHS, including NCSD’s cyber work, physical infrastructure protection, federal facility security (the Federal Protective Service, which guards embassies and federal buildings), and emergency communications. NPPD struggled with a lack of clear mission, interagency competition, inadequate resources, and a fragmented strategy. Its structure (as an appendage of the Secretary’s Office) meant that it lacked the bureaucratic stature to compete in addressing increasingly sophisticated cyber threats, within government and also with industry. One NSA Director even proposed giving NSA the lead role in cyber infrastructure protection.
The dilemma with moving responsibility for cybersecurity away from DHS was that it would assign a domestic security role to DOD and to an IC-related part of DOD at that. This dilemma mirrored debates at the time on whether the US needed its own “MI5” for domestic security. The conclusion of that discussion was that the US did not need an MI5, as it already had the FBI. But FBI was also hindered in its cybersecurity role (which it had pioneered with the Clinton-era NIPC) because companies were reluctant to share information with a law enforcement agency. Nor was a small but noisy privacy community happy with an expanded role for either FBI or NSA, and this community had some influence with Congress.
CISA’s creation as a civilian, non-regulatory agency outside of law enforcement and intelligence addressed these concerns. Congress created CISA with the Cybersecurity and Infrastructure Security Agency Act of 2018. The bipartisan Act made CISA an independent agency within DHS. It gave CISA a clear mandate and increased its authorities, including designation as the lead federal agency for cyber and physical infrastructure security. CISA would coordinate cybersecurity and critical infrastructure activities with federal, state, local, tribal, and international counterparts. Its primary responsibility would be to protect “dot.gov,” civilian agencies within the federal government. The aim was to create a more effective Federal entity to lead national efforts to reduce risks to critical infrastructure.
EO 13636 and PPD-41
The new Agency began with a strong foundation in policy. The Obama Administration created a new basis for US cybersecurity policy and organization. Its February 2013 Executive Order 13636 adopted a voluntary, sector-specific approach that made individual regulatory agencies responsible for their sector rather than making DHS the cybersecurity “uberregulator.” Sector-specific agencies would use their existing authorities to ensure that cybersecurity was a priority for the sectors they oversee, and the Executive Order encouraged independent agencies to take a similar approach. A cornerstone of the EO is NIST’s voluntary Cybersecurity Framework, which identified actions that agencies – and industry – could take to better understand, manage, and reduce cybersecurity risks to critical infrastructure, and directed agencies to review their own regulations to assess whether they were adequate. NIST remains a vital partner for CISA.
The Administration also issued Presidential Policy Directive 41 (PPD-41) – “United States Cyber Incident Coordination” – in 2016. PPD-41 created a structured approach for the federal government’s response to significant cyber incidents, led by the National Security Council (NSC), and clarified which agencies, including DHS, were responsible for different aspects of a cyber incident. It designated FBI, CISA, and DOD as lead agencies for those different aspects: FBI leads in cybercrime, and if the incident is determined to be an attack by a state, DOD leads. PPD-41 created the Cyber Response Group and the Cyber Unified Coordination Group to provide the mechanism for Federal coordination. CISA benefitted from this clarity, and its establishment as a standalone agency in 2018 gave it more authority and resources to carry out its PPD-41 responsibilities.
CISA’s responsibilities expanded as a result of major cyber incidents and new policy directives. The SolarWinds attack in late 2020 highlighted systemic vulnerabilities in the software supply chain. Colonial Pipeline showed the risk of ransomware in disrupting critical services. These incidents led to Executive Order 14028 in May 2021, “Improving the Nation’s Cybersecurity.” The EO tasked CISA with developing baseline security standards for software sold to the government, establishing a Cyber Safety Review Board (partially modelled on the NTSB), and (working with OMB) improving threat information sharing.
The Arrival of ONCD
Concerned by the first Trump administration’s apparent downgrading of cybersecurity, Congress created a new layer of management at the White House, the Office of the National Cyber Director (ONCD). ONCD was headed by a Senate-confirmed individual who, in theory, reported directly to the President. This reporting structure created tensions with CISA – driven by a lack of clarity of roles and responsibilities – and with the NSC which already had the senior cyber role in the White House. The original thinking was to have either the senior White House role or the ONCD – not both.
ONCD’s disputes with CISA were not as intense as the intra-White House arguments. They involved defining the division of responsibilities. The current Administration seems to have settled on ONCD as the lead cyber policy maker, with a smaller NSC cyber office fulfilling its traditional foreign policy and defense role, CISA leading domestic cybersecurity, and FBI, DOD, and State responsible for their law enforcement, defense, and diplomatic functions.
Resources
CISA faces persistent challenges with resources and staffing. This has only gotten worse. A 2023 report from the DHS Office of Inspector General noted that CISA lacked the backup communication systems, staff, and secure spaces needed to effectively manage major cyber incidents. The rapid evolution of cyber threats often outstripped the agency’s ability to hire and train personnel. CISA was made the sector risk management agency for eight sectors. CISA’s election security and disinformation efforts attracted the ire of conservatives, and the inaptly-named “Department of Government Efficiency” (DOGE) made draconian cuts to CISA staff and contractors. New funding is unlikely in the near term, and one question for CISA is which missions should be a priority, given limited resources. One potential solution is to focus its mission on securing government networks and improving its work with industry to protect critical infrastructure.
Information Sharing and Collaboration
A core element of CISA’s work involves leading and facilitating information sharing between the government and the private sector. Congress intended CISA to be the private sector’s primary partner and CISA’s sweet spot has been its collaboration with the private sector. CISA became the central hub for sharing threat intelligence, vulnerability advisories, and best practices. As with its predecessors, there were complaints that information sharing was a one-way street, with companies not getting much in return for what they shared, but over time, CISA’s offerings improved and later initiatives like the Known Exploited Vulnerabilities (KEV) Catalog became crucial tools by providing a prioritized list of vulnerabilities that organizations should address immediately due to active exploitation. In 2022, CISA produced 416 vulnerability advisories and coordinated on over 700 cases. In Fiscal Year 2024, CISA released nearly 1,300 cyber defense alerts and advisories, a significant increase that includes a near-doubling of pre-ransomware alerts alone. Its joint threat advisories have also been effective in signaling to industry the importance of the information.
The creation of the Joint Cyber Defense Collaborative (JCDC) in 2021 provided a new mechanism for CISA’s collaboration with the private sector, and CISA introduced several new initiatives to proactively reduce cyber risk. JCDC received mixed reviews, but it was praised for its ability to quickly bring together government and private sector partners to respond to cyber incidents, for example in coordinating the response to the Log4j vulnerability. JCDC was criticized for being too selective in which companies could participate and for engaging too many partners without a structure. Critics argued that the JCDC needed to be more operationally focused, with a clearer, proactive strategy for helping industry protect critical infrastructure. JCDC was reliant on contractors, and DOGE cuts and contract lapses could impede JCDC’s ability to function. Despite its value, JCDC was stood down by the Trump Administration.
CISA’s role in protecting and defending the networks of FCEB (Federal Civilian Executive Branch) agencies involves both coordination and monitoring. For coordination, CISA acts as the government’s central risk advisor using Binding Operational Directives (BODs) and Emergency Directives (EDs) that compel FCEB agencies to fix specific, high-priority vulnerabilities. CISA is the hub for cyber threat information sharing across the government. CISA maintains situational awareness across the federal enterprise through programs like the Continuous Diagnostics and Mitigation (CDM) Program, which provides tools to agencies for real-time network visibility and risk management and the National Cybersecurity Protection System (NCPS) to detect and prevent intrusions. Some of these are replacements for the older EINSTEIN intrusion detection system, others (like CDM) are new.
Regulate or Not?
CISA and its predecessors have always disavowed any regulatory role, in part due to the recognition that Congress is unlikely to provide new authorities. CISA largely operates on a voluntary basis, providing services and guidance that organizations can choose to adopt. While this builds trust and partnership, it also limits the agency’s ability to mandate changes in cybersecurity practices, particularly in the private sector. While CISA has been granted new authorities, such as the ability to issue administrative subpoenas, a fundamental tension remains between CISA’s role as a partner and its potential need for a more regulatory or enforcement-oriented function.
CISA’s Role in Risk Management
CISA attempted to expand its role beyond federal cybersecurity to become the nation’s “risk advisor.” CISA took a lead role in securing the 2020 and 2024 elections, providing voluntary support and services to state and local election officials, and combating election-related misinformation. More controversially, it attempted to help counter misinformation and disinformation. While DHS’s short-lived and ill-conceived Disinformation Governance Board (DGB) was not part of CISA, blowback from its rapid collapse damaged CISA. CISA’s work was subject to political scrutiny for its role in election security and its efforts with social media companies on disinformation. CISA’s first Director was fired in 2020 for publicly stating that the Presidential election was secure. While the Supreme Court has rejected claims of CISA coercing social media platforms, the legal challenges highlight the sensitive nature of an approach not specifically authorized in legislation.
CISA and the Future
As new Administrations grapple with cybersecurity, CISA will continue to evolve. The still-growing reliance on cyber infrastructure (and the effect of AI and quantum computing on this) and a worsening international environment will put even more demands on CISA. This collection of essays is a first step to draw on experience and address salient issues for the future of CISA. They include:
Why We Need a Team Defense in Cyber (Jeff Greene): Today’s complex cybersecurity landscape requires a team defense for national security, economic stability, and democratic resilience. While numerous U.S. government agencies, such as the FBI, NIST, NSA and Cyber Command play crucial roles, only CISA has the primary, unambiguous mission of cyber defense. CISA’s singular focus allows it to act as a central hub for public-private collaboration, coordinate vulnerability disclosures between researchers and vendors, secure federal civilian networks, and serve as an important voice for defenders in government policy discussions. This “defense-first” approach builds trust with external partners and ensures that resilience is prioritized, filling a critical gap that other agencies with broader, more varied missions cannot.
Beyond Federal Boundaries: The Evolving Role of CISA, SRMAs, MSPs, and CSPs in Critical Infrastructure Cyber Risk Management (David Mussington): Securing U.S. critical infrastructure requires a layered, cooperative approach that extends beyond federal policy. While CISA and Sector Risk Management Agencies (SRMAs) set high-level approaches, they face resource limitations that prevent them from providing hands-on, day-to-day cyber defense. This has shifted the operational burden to managed service providers (MSPs) and cloud service providers (CSPs), who are now frontline responders for individual assets and local jurisdictions. As MSPs and CSPs manage systems and patch vulnerabilities, they play a crucial role in preventing cyberattacks. However, this model introduces risks, including fragmented defenses, supply chain vulnerabilities, and reduced situational awareness for federal agencies. To address these challenges, federal policy must provide frameworks and incentives that empower local defense, set minimum expectations for vendors, and improve information sharing among all stakeholders, including non-governmental organizations (NGOs) like Information Sharing and Analysis Centers (ISACs).
Lessons Learned from Lessons Learned: The Cyber Safety Review Board Can’t Be Voluntary (Rob Knake): While the Cyber Safety Review Board (CSRB) has produced valuable reports, its voluntary, part-time model is not effective in investigating significant cyber incidents. The CSRB’s productive, yet scathingly critical, review of a Microsoft intrusion highlights that relying on a company’s good faith is not a reliable long-term strategy, as it may deter future cooperation. To be truly effective and meet its mission, the CSRB needs three major changes: it must be given unambiguous investigative and subpoena authority, similar to the National Transportation Safety Board (NTSB); it needs a full-time, professional staff of investigators to scale its operations; and it must be structured as an independent body to avoid conflicts of interest, particularly by not including members from the very government agencies whose actions may be under review.
Reauthorizing CISA and Cyber Threat Intelligence Sharing (Cristin Flynn Goodwin): Passed in response to a wave of major data breaches, the Cybersecurity Information Sharing Act of 2015 (CISA 2015) created a framework that provides legal protections for private companies to share cyber threat information with the government. While this act is important for its original purpose, its real value lies in what it can enable in the future. As the Cybersecurity and Infrastructure Security Agency (CISA) matures and develops its own robust threat-hunting capabilities across the federal government, it will shift from a role of simply disseminating information to one of true information sharing. By producing its own “first-party” data on threats and vulnerabilities, CISA can become an equal partner with the private sector and other intelligence agencies, fostering a more effective and reciprocal ecosystem for cybersecurity defense. Reauthorizing CISA 2015 is crucial to unlocking this potential, as it provides the legal foundation and trust necessary for this new era of collaborative defense.
Why We Need a Team Defense in Cyber
Jeff Greene
Today, every department and agency in the United States government has a cybersecurity mission. For most, the mission is narrowly focused: defend their networks, data, and personnel. For some, that mission is broader, ranging from developing international standards to partnering with the private sector to conducting offensive operations. But only one agency – CISA – has one primary, unambiguous mission: cyber defense.
This clarity of purpose matters.
This does not diminish the quality or importance of the work of other agencies; the FBI, NSA, NIST, CIA, State, Secret Service, OMB, and others play essential roles in securing our nation and imposing costs on our adversaries. But none prioritizes defense as its central, animating mission. In contrast, CISA’s first principle is empowering defenders and advocating for defense-first policies inside and outside government.
Cyber attacks are now among the most significant threats to national security, economic stability, and democratic resilience, and the U.S. government’s cyber responsibilities are dispersed across numerous agencies. Each has its own history, authorities, and culture. On the cyber defense side, CISA’s work overlaps with several, including the following.
- The Federal Bureau of Investigation (FBI) is primarily a law enforcement agency. Its cyber mission centers on investigating cybercrime, attributing malicious activity, imposing costs on our adversaries, and bringing cases to prosecution.
- The National Security Agency (NSA) is part of the intelligence community (IC), with signals intelligence (SIGINT) and cybersecurity missions. It collects and processes SIGINT and works to prevent and eradicate threats to U.S. national security systems. The NSA also partners with allies and industry to strengthen cybersecurity capabilities.
- The National Institute of Standards and Technology (NIST) develops technical standards and guidance and works closely with industry and our international partners. It is not an operational security agency, and is a non-regulatory body that supports the development and adoption of cybersecurity practices across government and industry.
Each of these organizations is essential to national and economic security, but their missions are broader than just defending America’s digital infrastructure. For operational policy reasons, government needs an agency with that singular focus – and today that is CISA.
CISA’s Core Mission: Defense First
CISA was established in 2018, built on DHS’s National Protection and Programs Directorate (NPPD), which was home to the Office of Cybersecurity and Communications. It is now an operational component of DHS charged with protecting the nation’s critical infrastructure from cyber threats and ensuring resilience in the face of attacks. It has no offensive, intelligence collection, or law enforcement mandate. Instead, its responsibilities are entirely defensive:
- Protecting the Federal Civilian Executive Branch (FCEB): CISA is charged with safeguarding the networks of non-military, non-intelligence federal agencies – the digital backbone for services that millions of Americans rely on every day.
- Serving as a hub for public-private collaboration: CISA leads information sharing with critical infrastructure sectors, state and local governments, and private industry.
- Acting as a national coordinator: CISA provides guidance, alerts, and mitigation resources to defenders nationwide, ensuring consistent awareness of threats and vulnerabilities.
- Empowering defenders: From free tools to advisories to incident response support, CISA exists to empower network defenders in both government and industry.
Disclosing Vulnerabilities and Mitigating Risk
Consider Coordinated Vulnerability Disclosure (CVD), the process by which security researchers and organizations work together to identify, report, and remediate software or system vulnerabilities in a responsible, timely manner. CISA plays a central role in this process as a trusted, neutral intermediary between researchers and industry vendors. CISA receives vulnerability reports, validates the information with the relevant vendors, and helps to develop and test mitigation plans before any public announcement. This process ensures that patches or updates are ready for users when a vulnerability is disclosed, which reduces the amount of time that a vulnerability is publicly known and available for exploitation by malicious actors.
This process can be fraught, as the two communities (security researchers and the technology industry) often do not trust one another, and at times outright dislike each other. When a researcher comes to CISA, it is often after they are unable to establish contact with a vendor to disclose a vulnerability they discovered. In other cases, a vendor approaches CISA when it is struggling to come to agreement on a responsible disclosure plan with a researcher. In both cases, CISA’s role is more than technical. Emotions are often raw, as vendors can feel like the researcher is attacking their product and their development processes, and researchers can feel unappreciated and disrespected. It is CISA’s job to calm these emotions, ensuring that researchers can disclose flaws without having to navigate the complexities of vendor relations. The end result benefits all of us: a plan that ensures a vulnerability is disclosed and mitigated in a way that protects the broader public.
Can other agencies serve this function? Of course, and some are part of the process. But CISA has become the one-stop shop for many researchers, who trust it because its mission is pure defense – it has no law enforcement, intelligence, or regulatory responsibility. The system works better and faster because of this trust, which means that vulnerabilities are remediated more quickly and effectively.
Securing Federal Civilian Executive Branch (FCEB) Networks
Next consider CISA’s role in helping to secure the FCEB. While every agency retains responsibility and authority for securing its own systems, CISA plays an essential role looking across agencies and providing support and tooling. In the wake of Russia’s SolarWinds compromise of myriad public and private entities, discovered in late 2020, the federal government took a hard look at how Russia breached federal agencies. With hindsight, we identified events that were part of the intrusion, but prior to detection we did not see enough and could not correlate them across federal agencies.
Fast-forward to when I left CISA in January of this year. With help from the White House and Congress, and in partnership with dozens of federal agencies, CISA can now monitor scores of federal agencies in real or near-real time. It can take individual bits of data, look at logs and information from across the FCEB, and use this to detect malicious activity far earlier than even the most sophisticated local detection tools because CISA is looking at data from across agencies. By using this capability – and as the hub for sharing with CISA’s federal and private sector partners – the agency has been able to detect sophisticated nation state activity before it was able to do much harm. This is something no individual agency could do on its own. CISA can, by using its unique statutory authorities and enabling direction from the White House, provide insights and data sharing otherwise unavailable.
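The point above, that a signal too weak to trigger any single agency's detection rule becomes obvious once events from many agencies are correlated, can be shown with a small added example. This is illustrative code written for this page, not CISA's own tooling; the agency names, IP addresses (documentation ranges) and event records are constructed sample data, and the thresholds are assumptions.

```python
"""Cross-agency correlation over a constructed event stream (added example).

Each event is (timestamp, agency, source_ip, event_type). A per-agency rule
alerts only when one agency sees several suspicious logins from one source;
a cross-agency rule alerts when one source touches several agencies within
a short window, even though each agency saw it only once.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2024, 1, 1, 0, 0)  # constructed reference time


def _t(minutes):
    """Timestamp `minutes` after BASE (helper for the sample data)."""
    return BASE + timedelta(minutes=minutes)


# Constructed sample events. Agency names and IPs are placeholders.
# 198.51.100.7 appears once at each of four agencies within 12 minutes.
# 203.0.113.5 appears twice at one agency (below the per-agency threshold).
# 192.0.2.9 appears three times at one agency (per-agency rule fires).
SAMPLE_EVENTS = [
    (_t(1), "AGENCY-A", "198.51.100.7", "suspicious_login"),
    (_t(2), "AGENCY-A", "203.0.113.5", "suspicious_login"),
    (_t(3), "AGENCY-A", "203.0.113.5", "suspicious_login"),
    (_t(4), "AGENCY-B", "198.51.100.7", "suspicious_login"),
    (_t(9), "AGENCY-C", "198.51.100.7", "suspicious_login"),
    (_t(12), "AGENCY-D", "198.51.100.7", "suspicious_login"),
    (_t(20), "AGENCY-B", "192.0.2.9", "suspicious_login"),
    (_t(21), "AGENCY-B", "192.0.2.9", "suspicious_login"),
    (_t(22), "AGENCY-B", "192.0.2.9", "suspicious_login"),
    (_t(30), "AGENCY-A", "203.0.113.77", "suspicious_login"),
    (_t(150), "AGENCY-B", "203.0.113.77", "suspicious_login"),
]


def per_agency_alerts(events, threshold=3):
    """What one agency can see on its own: (agency, ip) pairs with at
    least `threshold` suspicious events from the same source."""
    counts = defaultdict(int)
    for _, agency, ip, _ in events:
        counts[(agency, ip)] += 1
    return {key for key, n in counts.items() if n >= threshold}


def cross_agency_alerts(events, min_agencies=3, window=timedelta(minutes=15)):
    """What a hub with visibility across agencies can see: sources that
    touch at least `min_agencies` distinct agencies inside `window`.
    Returns {ip: sorted list of agencies in the widest qualifying window}."""
    by_ip = defaultdict(list)
    for ts, agency, ip, _ in events:
        by_ip[ip].append((ts, agency))
    alerts = {}
    for ip, seen in by_ip.items():
        seen.sort()
        best = set()
        # Slide a window starting at each event and collect distinct agencies.
        for i, (start, _) in enumerate(seen):
            agencies = {a for ts, a in seen[i:] if ts - start <= window}
            if len(agencies) > len(best):
                best = agencies
        if len(best) >= min_agencies:
            alerts[ip] = sorted(best)
    return alerts


if __name__ == "__main__":
    print("per-agency:", per_agency_alerts(SAMPLE_EVENTS))
    print("cross-agency:", cross_agency_alerts(SAMPLE_EVENTS))
```

Run stand-alone, the per-agency rule reports only the noisy source at AGENCY-B, while the cross-agency rule surfaces 198.51.100.7, which no single agency had reason to flag. Real deployments would normalize timestamps and identifiers across agencies before correlating; that normalization is the hard part and is omitted here.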
A Necessary Voice inside Government
CISA also plays an important role during internal U.S. government policy discussions – the oft cited “interagency.” CISA’s defense-first mandate makes it the natural advocate for security and resilience in interagency debates. Whether the subject is vulnerability disclosure, cyber norms, or critical infrastructure protection, CISA consistently emphasizes the needs of defenders.
This role is not abstract – it shapes real policy outcomes. For example, CISA can push for broader sharing of threat intelligence with private industry, even as other agencies might want to hold information close because of the needs of their mission, whether for law enforcement, military, or intelligence reasons. It can champion rapid patching timelines, standardized configurations, and stronger baseline requirements across government networks. Its influence derives not from investigative powers or offensive capabilities, but from its credibility as a defender, first and last.
One specific area where CISA’s voice matters is the Vulnerabilities Equities Process, or VEP, created in 2010 and made public in 2014. This is the interagency mechanism for deciding whether software vulnerabilities should be disclosed to vendors or retained for intelligence or military use. During these important discussions, it is essential to have a defense-focused advocate. CISA will not always win every policy debate (whether broadly or for VEP specifically), but policymakers need to hear all sides of an issue if they are to make the best decisions for the country.
CISA as the Enabler of Network Defenders
Perhaps most importantly, CISA exists to enable defenders across the nation. Its alerts, advisories, free tools, and incident response teams are designed not for itself, but for the network operators who form the frontline of cybersecurity. Over the past seven years, CISA has worked hard to build its brand; the debates we had about whether to issue cybersecurity advisories or to lend our name to other similar publications were frequent and intense. We would not co-brand a publication if it was merely for publicity, included only information that others had already published, or did not provide actionable information to network defenders. As a result, the CISA label on a cybersecurity advisory carries weight, and network defenders know that if CISA lends its name to something, they need to pay attention.
This defender-centric posture is special in government. CISA works with partners in the U.S. government and abroad, and proactively shares threat information and technical expertise to give defenders every possible advantage. The Shields Up campaign in advance of Russia’s full-scale invasion of Ukraine gave specific, actionable information about Russian state-sponsored threats and steps to defend against them. For every Fortune 100 company with a mature cybersecurity program, there are thousands of smaller organizations that depend on CISA’s accessible resources.
Why CISA Must Remain the Nation’s Cyber Defense Hub
In a federal landscape of agencies with varied cyber missions, CISA’s clarity of purpose and defense-focused voice is invaluable. This ensures that resilience is never an afterthought. Moreover, CISA has become a trusted public face of government cybersecurity. Researchers, vendors, and network operators know they can turn to CISA as a non-regulatory body with no law enforcement or intelligence mission. This trust is not incidental—it is the product of CISA’s defense-first culture.
As cyber threats continue to grow, the U.S. will need offense, intelligence, law enforcement, and standards. But without a pure defense agency, the balance of priorities could skew dangerously away from resilience. CISA fills that gap.
What’s Next for CISA
CISA needs to solidify the gains it has made in the past years, and to sustain the quality and breadth of its work even as it goes through steep budget cuts and sees key staff depart. This will not be easy. CISA’s new leadership is focused on the mission, but unfortunately, they have fewer resources with which to work than did I or my predecessors.
The most important thing CISA can do is to stay focused on being “Team Defense” in the U.S. government cybersecurity community. This perspective is an essential part of internal policy debates and a crucial resource to the private sector. CISA’s positions will not always carry the day – nor should they, as other agencies have competing, legitimate interests. But these views, and the defense-first arguments, will help shape policy regardless of whether they are adopted in whole or in part.
CISA should also build on the brand it has already established, through continued rigor and through outreach to the broader cybersecurity community. In the months since I left the Cybersecurity Division, I have talked to numerous cybersecurity executives in a variety of companies, in the technology sector and beyond. Some understand and appreciate that CISA is careful about using its logo on advisories, but many do not. CISA should work to expand this awareness – not for its own brand, but rather so that cyber defenders know that CISA’s endorsement of an alert means it is something they need to consider immediately.
CISA and CSD should also continue some of the key programs and initiatives of the past few years. Every administration has different priorities and philosophies, but some should transcend these changes. For instance, encouraging vendors to build better, more secure products is not a political statement, and I’ve been pleased to hear DHS leadership talk about this publicly. Similarly, CISA should lean into success stories like the Known Exploited Vulnerabilities (“KEV”) Catalog, a list of the highest-priority software vulnerabilities that must be patched quickly to reduce real-world attack risk. Though just four years old, KEV is already seen by cyber defenders across sectors as an invaluable tool.
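The practical value of KEV is that it ranks vulnerabilities by observed exploitation rather than by theoretical severity, and each catalog entry carries a remediation due date. The added example below shows how a defender can fold that into patch prioritization: KEV entries first, ordered by how close or overdue their due date is, then everything else by CVSS score. This is illustrative code written for this page, not CISA's tooling or the real catalog; the CVE identifiers are placeholders, and the catalog entries, findings and reference date are constructed.

```python
"""KEV-aware patch prioritization over constructed findings (added example).

A finding is one vulnerability observed on one asset. The catalog is a
constructed stand-in for KEV: cve -> (date_added, due_date). Placeholder
CVE ids of the form CVE-0000-000N are used instead of real ones.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float  # base score from the scanner (constructed values)


# Constructed catalog; real KEV entries carry these fields but these are not real.
KEV_SAMPLE = {
    "CVE-0000-0001": (date(2025, 1, 10), date(2025, 1, 31)),
    "CVE-0000-0003": (date(2025, 2, 1), date(2025, 2, 22)),
}

# Constructed scan results across a small fleet.
FINDINGS = [
    Finding("web-01", "CVE-0000-0002", 9.8),   # critical CVSS, not in KEV
    Finding("vpn-01", "CVE-0000-0001", 7.2),   # in KEV, already past due
    Finding("mail-01", "CVE-0000-0003", 5.4),  # in KEV, due soon
    Finding("db-01", "CVE-0000-0004", 6.1),    # not in KEV
]

TODAY = date(2025, 2, 10)  # constructed reference date for the example


def prioritize(findings, kev, today):
    """Return findings in patch order: KEV entries first (most overdue
    first, ties broken by CVSS), then non-KEV entries by CVSS descending."""
    def key(f):
        entry = kev.get(f.cve)
        if entry is None:
            return (1, 0, -f.cvss)          # bucket 1: not known-exploited
        _, due = entry
        return (0, (due - today).days, -f.cvss)  # bucket 0: days until due
    return sorted(findings, key=key)


def overdue(findings, kev, today):
    """KEV findings whose due date has passed, as (asset, cve, days_overdue)."""
    out = []
    for f in findings:
        entry = kev.get(f.cve)
        if entry and entry[1] < today:
            out.append((f.asset, f.cve, (today - entry[1]).days))
    return out


if __name__ == "__main__":
    for f in prioritize(FINDINGS, KEV_SAMPLE, TODAY):
        tag = "KEV" if f.cve in KEV_SAMPLE else "   "
        print(f"{tag} {f.asset:8} {f.cve} cvss={f.cvss}")
    print("overdue:", overdue(FINDINGS, KEV_SAMPLE, TODAY))
```

Note the outcome the ordering is designed to produce: the CVSS 7.2 and 5.4 KEV items on vpn-01 and mail-01 are queued ahead of the CVSS 9.8 non-KEV item on web-01, because known exploitation is a stronger signal of real-world risk than a severity score alone.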
Along those lines, CISA must double-down on its track record of partnership with the private sector, and maintain its strong relationships with Congress. The private sector needs CISA as much as CISA needs it, and together they can advance our nation’s security posture.
CISA and the Civilian Face of Cybersecurity
Bobbie Stempley
When an adversary strikes a hospital with ransomware or compromises a water system, it is not just a federal government problem, it is a community crisis. In moments like these, the public needs a capable, trusted partner – one that can support local leaders, bring technical expertise, understand the operational realities of industry, and respect civil liberties.
These scenarios are no longer rare. Over the past three decades, awareness of cyber threats has grown, information sharing has matured, and technical capacity across government and industry has expanded. And one truth endures: trust, relationships, and collaboration remain the foundation of resilience. To sustain them, America must return to first principles, aligning with two of its greatest strengths: a federalist system of distributed authority and an entrepreneurial culture of innovation. Today, this approach means ensuring cybersecurity has a trusted, civilian face, one that empowers local governments delivering essential services and supports the industries driving our economy.
First Principles: Resilience Begins Locally
Resilience does not begin in Washington. It begins with those closest to the risk: the state and local governments that keep water safe, schools open, and transit running; the industries that drive economic growth and operate critical infrastructure; and the individuals whose vigilance makes a difference every day.
Recognizing this reality does not diminish the federal role. It clarifies it. Washington’s advantage is not in directing every move, but in providing the tools, intelligence, and standards that others need to succeed and having a broader vision and understanding across localities and sectors, nationally. Done well, federal engagement multiplies the efforts of local leaders, equips industry to innovate securely, and reinforces individual responsibility with national resources.
This intersection is precisely where the Cybersecurity and Infrastructure Security Agency (CISA) has value. As the nation’s civilian cybersecurity agency, CISA is not designed to compete with state or industry leadership but to complement and amplify it. Its greatest contributions lie in bridging communities, setting priorities, and enabling stakeholders.
By prioritizing risk through tools such as the Known Exploited Vulnerabilities (KEV) Catalog and National Critical Functions, by applying deep analytic expertise through programs such as the national cyber assessment teams, and by drawing on experience that ranges from rural water utilities to global cloud providers, CISA enables scarce resources to be allocated where they matter most. In doing so, the federal government fulfills its proper role: not commander of the system, but enabler of those already carrying the burden of resilience.
Industry Trust and Innovation
One of America’s defining strengths in the 21st century is its capacity for innovation. Our digital ecosystem has transformed how humans work, live, and relate to one another. It has also fostered new partnerships and collaboration between government and industry. Effective two-way sharing of threat insights, collaborative response actions, and joint messaging now happen daily. But these are delicate negotiations and ones where industry must weigh domestic and international market considerations, customer privacy, and the consequences of sharing information with law enforcement or intelligence agencies.
These concerns may seem like throwbacks to 2001, but the 2024 ODNI Inspector General Semiannual Report underscored ongoing concerns about the business and regulatory risks of sharing data with intelligence and law enforcement. Meanwhile, debates around FISA Section 702 [1] reauthorization and surveillance authority have hampered trust-building. Progress has been made in building trust between FBI, NSA, and industry, but trust remains fragile.
A civilian face and partner is indispensable. CISA’s focus is resilience, not prosecution or espionage. Its programs, from the early Cyber Information Sharing and Collaboration Program (CISCP) to today’s Joint Cyber Defense Collaborative (JCDC), have evolved from information sharing to coordinated action. JCDC has flaws, but it proved that when industry sees government as a partner aligned with common goals, the speed and scale of defense improve dramatically.
Bridging Industry and State/Local Governments
Focus matters. Not every partner brings value in every situation. CISA’s unique role enables it to bridge large industry partners with state and local governments that often face attacks with limited resources. Technology giants may develop cutting-edge defenses, but counties, municipalities, and school districts absorb the first and hardest blows. And the ability to translate those defenses to local action requires engagement.
CISA translates national and industry intelligence into warnings local operators can use. A striking example is its pre-ransomware notification program. In 2024, CISA issued over 2,100 such alerts — nearly double the prior year’s total. These early warnings have already been credited with enabling local entities to stop intruders before they could encrypt or exfiltrate data. Partnerships with organizations like the Multi-State Information Sharing and Analysis Center (MS-ISAC) ensure that these insights reach those who need them most and enable a two-way flow of insights.
Accountability and Measurable Outcomes
Credibility in cybersecurity does not come from issuing advisories alone. It comes from evidence of progress. In a world of scarce resources and fast-moving threats, only measurable outcomes, from local response to federal coordination, build trust. CISA has begun to prove its impact by pairing initiatives with clear measurement.
- Phishing-Resistant MFA at USDA: With CISA’s technical support, the Department of Agriculture rolled out phishing-resistant multifactor authentication across its workforce. Importantly, it tracked deployment rates, authentication success, and user feedback. Publishing this data created a model for others to emulate, showing that strong security could be scaled and adopted when measured transparently.
- Incident Response Lessons and Metrics: After a federal breach caused by a known software flaw, CISA’s “lessons learned” advisory (AA25-266A) went beyond generic warnings. It provided timelines for patching, detection intervals, and assessments of response effectiveness. These details allow other agencies and companies to benchmark themselves against real-world incidents.
- Nationwide Cybersecurity Review (NCSR): Each year, thousands of state, local, tribal, and territorial governments participate in the NCSR self-assessment. The aggregated results provide a national snapshot of maturity and progress, while individual communities gain insights into their own strengths and weaknesses. The NCSR has become a quiet but powerful accountability tool, turning self-assessment into a roadmap for measurable improvement.
These examples illustrate a larger truth: U.S. cyber defense cannot rely on rhetoric. Citizens and companies must see tangible progress. By institutionalizing measurement and sharing outcomes, CISA builds credibility as a civilian partner and reinforces trust in the system.
Reaffirming the Founding Narrative
Every federal program attracts both advocates and critics. Once launched, programs evolve, and they can be difficult to redirect. Revisiting the founding conditions of CISA is essential. It was created to be a civilian-facing, collaborative organization that would strengthen the resilience of critical infrastructure, including federal systems and networks.
That need still holds. Success lies in embracing the strengths of a decentralized system: increasing resilience through a civilian agency partner that empowers state and local governments, while supporting national security and public safety objectives through collaboration, prioritization, technical skill, and capacity-building.
Conclusion
America’s cybersecurity future depends not on centralized control but on empowered collaboration. It requires connective tissue that links federal insight with local action, translates innovation into resilience, and sustains trust through consistency and transparency. By focusing on what it does best: convening stakeholders, setting priorities, and measuring outcomes, CISA can fulfill its role as the nation’s civilian cybersecurity agency.
National security and public safety are best protected when the federal government enables, rather than directs; when industry collaborates as a partner rather than a suspect; and when communities can see that progress is not just promised but proven. That is the civilian presence and role that America needs, and the role CISA must continue to play.
David Mussington
I. Introduction
Securing and sustaining the resilience of U.S. critical infrastructure depends on more than federal policy; it relies on layered risk management—across national frameworks, sector organizations, local jurisdictions, and individual assets. The Cybersecurity and Infrastructure Security Agency (CISA) and sixteen Sector Risk Management Agencies (SRMAs) historically provided coordination and strategy for cross-sector risk, but ongoing resource constraints have left operational capacity uneven and increasingly insufficient. This growing gap means that managed service providers (MSPs) and cloud service providers (CSPs) must now play a frontline role, not only in general cyber defense but in safeguarding the security and resilience of specific assets, localities, and sectors.
As adversary cyber-attack methods change, US defenses confront a more challenging opponent. It is no longer enough for risk management to be the preserve of federal leadership; practical defense and recovery begin at the asset and local level and must be reinforced by effective sectoral and cross-sectoral partnerships. The security of vital systems depends on a smooth and transparent system of shared information and consistent prioritization of vulnerabilities. This paper argues that resilience depends on the efficacy of public authorities’ oversight of a complex network of public and private sector critical infrastructure owners and stakeholders.
II. Background on the Evolved Framework for Infrastructure Risk
The traditional model placed CISA and SRMAs at the center, responsible for policy, broad situational awareness, and coordination of sector resilience efforts. Sector-specific regulations or frameworks were meant to guide local asset owners—whether power plant operators, water authorities, or hospital systems—in investing in defense and recovery planning.
Yet the technical—and increasingly, operational—capacity to monitor, respond, and remediate threats is rarely housed in federal or even state agencies. Instead, the practical burden has shifted outward. For key assets, MSPs and CSPs manage systems, patch vulnerabilities, and handle incident response. For specific localities and key sectors, however, NGOs such as ISACs and ISAOs share threat intelligence and orchestrate community-based response. Federal agencies provide higher-level coordination, advisories, and standards, but are less directly involved in day-to-day protection unless a major national event unfolds.
Other federal actors like the Department of Defense (DoD) or law enforcement agencies play specialized, often after-the-fact roles—handling military networks or pursuing attribution. In practice, critical infrastructure security and resilience hinges on the combined capabilities of local operators, their chosen MSPs, CSPs, and sector- or community-level response organizations, all operating under a federal framework.
III. Reductions in Public Sector Capacity and Localized Impact
Persistent resource shortfalls at CISA and SRMAs have made federal agencies less able to support technical risk management at the operational edge. While they set standards and advise during large-scale incidents, they now seldom provide rapid hands-on detection or real-time response at the asset level.
In state and local jurisdictions, agencies frequently lack the resources or expertise to operate capable cybersecurity programs. SRMAs may issue policy recommendations or convene sector partners, but effective resilience depends on the presence and performance of the MSPs/CSPs retained by each operator. Local asset owners—if left unsupported—may not discover vulnerabilities or respond to incidents until adversaries have already acted.
In landmark incidents such as SolarWinds and Colonial Pipeline, federal agencies coordinated response and issued guidance, but practical recovery for affected assets and localities relied on rapid action (or lack thereof) by third-party service providers and the owners themselves.
IV. MSPs and CSPs: First Responders Across Assets, Sectors, and Localities
With shrinking public agency resources, MSPs and CSPs now form the operational backbone of asset, locality, and sector cyber defense. For the critical infrastructures at risk, private sector risk managers operate and maintain key systems – even when these systems are behind on patches or essential maintenance. The security of critical infrastructures and key resources is, as a result, continually at risk.
At the sectoral scale, leading CSPs offer customer-wide visibility across regions and industries, enabling pattern recognition and warning at speeds unmatched by government. Locally, MSPs maintain direct access to systems in schools, city governments, and utilities, and can patch, isolate, or restore compromised assets without waiting for a federal surge.
This model has real advantages but introduces new risks:
- Relying too heavily on a handful of large CSPs or MSPs can expose entire sectors or communities if these providers are compromised.
- Asset-level disparities emerge: facilities with modern services and vigilant maintenance fare well, while those with budget constraints or unsupported vendors may accumulate unmitigated risk.
- Situational awareness on risk may become fragmented: CISA, SRMAs, and sector NGOs rely on voluntary sharing from asset operators and their MSPs, reducing the government’s real-time situational awareness about national and cross-sector vulnerabilities.
V. Risk Management Implications for Local, Sectoral, and National Resilience
The evolving risk setting creates several significant challenges:
- Fragmented Resilience: Some assets and localities have high-caliber MSP/CSP support, while others—by choice or constraint—do not, leaving a patchwork of defenses both within and across sectors.
- Supply Chain and Cross-Sector Stress: Single vulnerabilities, such as flaws in a widely used software or CSP service, can traverse from one asset to many, rippling across entire sectors or geographies.
- Unclear Accountability: Incident reporting and recovery rely on contractual, not regulatory, relationships at the asset and local level.
- NGO Coordination May Prove Inadequate: ISACs and ISAOs must bridge information divides, amplify sector/asset lessons, and ensure east-west communication, as federal guidance and local needs rarely align without translation.
- Federal Oversight Gap: CISA and SRMAs sometimes learn of asset-level breaches from news reports or delayed sector notifications, which undermines collective risk posture.
VI. Rethinking Partnerships and Enabling Local Resilience
To better manage risk at the asset, locality, and sector levels, CISA and SRMAs must provide legal and policy frameworks, funding incentives, and technical guidelines that empower local asset owners to contract high-quality MSP/CSP services—and set minimum expectations for those vendors.
- Mandatory protocols for incident response and technical risk identification should be instituted for critical infrastructures. Owner operators should be held accountable for coordinating with authorities whenever worsening risk conditions require it.
- ISACs and ISAOs must be better resourced and perhaps authorized to act as trusted intermediaries—generating, and selectively disseminating threat information to localities, sectors, providers, and public agencies.
- CISA must promulgate clear “hand off” protocols and coordinated response procedures to ensure that local incident detection is rapidly communicated to sector partners and to federal (CISA or SRMA) authorities when necessary.
VII. Case Study: Log4Shell—Asset-Level Response Meets National Challenge
The December 2021 Log4Shell vulnerability highlighted the realities of defense and risk management in this ecosystem. The Apache Log4j vulnerability threatened widely divergent infrastructures – from electric grids to hospitals and wastewater systems. Attackers weaponized the vulnerability rapidly, creating problems for poorly equipped jurisdictions.
Federal agencies moved fast to issue advisories, with CISA and SRMAs broadcasting alerts. Yet containment and patching happened mainly through CSPs and MSPs: providers flagged exposures, deployed virtual patches, and escalated asset-level vulnerabilities up to sector ISACs and ISAOs. Well-resourced utilities and hospitals, already partnered with top-tier MSPs and plugged into their sector’s ISAC, identified and remediated Log4Shell exposures in hours. Rural water authorities and small schools—many operating with minimal support—struggled, leaving critical services exposed for days or weeks.
NGOs played a vital role: ISACs interpreted national advisories, contextualized threat data for frontline staff, and connected isolated assets with advice and surge resources. In some cases, ISACs helped assemble technical “strike teams” from sector peers to backstop local operators who lacked MSP support. Still, uneven risk management at the asset level meant that resilience varied widely—not due to intent, but capacity and accessibility of response resources.
Log4Shell underscored not just the technical speed [and potential scope] of modern threats, but the importance of robust local and sectoral partnerships, timely intelligence flows, and federal coordination that reaches beyond advisories to real operational impact.
VIII. Conclusion
The security and resilience of U.S. critical infrastructure—whether a single water utility, a city government, or a sector-wide network—now depends on the effective integration of risk management at each of the following levels: asset, locality, sector, and nation. As MSPs and CSPs become more central to operations and responsive NGOs grow in importance, federal policy and governance must keep pace by providing both frameworks and incentives to empower local infrastructure defense, raise sector-wide standards, and foster enhanced information sharing.
Progress toward better integrated critical infrastructure security and resilience performance can only be achieved through improved technical quality at the asset level, more material support for asset owners and critical infrastructures, and federal orchestration of national incident response. Federal efforts should seek to shape and support this multi layered ecosystem of service providers and risk managers, reinforcing vulnerability management and risk identification, and ensuring that connections between decision makers enable decision making in both a timely and contextually informing setting.
Reauthorizing CISA 2015: Securing the Future of Cyber Threat Intelligence Sharing
Cristin Flynn Goodwin
Introduction
The years 2013, 2014, and 2015 brought challenging days for those who worked in cybersecurity. Wave after wave of massive breaches saw the data of hundreds of millions of people stolen by cyber criminals. Names that have now faded into the background were headline news at the time: Target, JPMorgan Chase, Home Depot. Later in 2014 and into 2015, we saw the rise of nation-state attacks, with the Sony Pictures hack by North Korea, then the Office of Personnel Management hack by China, and the Russian attack against the Ukrainian power grid. Threat intelligence and incident response teams were working overtime to identify threats and respond to constant incidents.
It was against this backdrop that the Cybersecurity Information Sharing Act of 2015 (CISA 2015) was enacted. At the time, some private sector entities – particularly those in regulated sectors – expressed concern about liability arising out of the risk of disclosing information to the federal government. CISA’s passage enabled private sector entities to share cyber threat indicators with the federal government and each other in a way that otherwise did not exist, under a framework that provided legal protections and privacy safeguards.
The Act expires on September 30, 2025. Congress should reauthorize CISA 2015. Not for the obvious reasons – that it calms the anxieties of legal teams worried about information donation in the face of legal risk, or that it gives the Cybersecurity and Infrastructure Security Agency (CISA) insights from the private sector that it would not otherwise have and can then share with the federal government, critical infrastructures, and even the world at large. Those reasons should be enough to reauthorize CISA 2015.
The real reason to reauthorize CISA 2015 is what it will enable over the next 10 to 15 years. As the Cybersecurity and Infrastructure Security Agency matures into a more operationally capable agency that can hunt for threats across the Federal Civilian Executive Branch (FCEB) and generate its own first-party data, CISA will move from being a conduit for information provided by others to an era of information "giving," in which it generates its own information to share.
Information Sharing versus Information Dissemination
Nation-state actors, criminal syndicates, and opportunistic hackers exploit vulnerabilities across sectors, often using the same tactics, techniques, and procedures (TTPs) against multiple targets. Information sharing enables defenders to learn from each other’s experiences, identify patterns, and respond more effectively. It’s been the foundation of cybersecurity policy since Presidential Decision Directive 63 in 1998, and part of the ethos of the cybersecurity community. Those who have data exchange it with others to unite against a common threat and protect the largest number of customers possible. This data exchange also creates efficiencies across sectors.
CISA 2015 was designed to facilitate this sharing by creating a voluntary framework for sharing cyber threat indicators and defensive measures. It provides liability protections, antitrust exemptions, and safeguards against public disclosure, thereby reducing the legal and reputational risks that might otherwise deter companies from sharing sensitive information. As the Protecting America’s Cyber Networks Coalition emphasized in its May 2025 letter to Congress, “CISA 2015 helps defenders improve their security measures while raising costs for attackers.”[2]
Unfortunately, that sharing mindset conflicted with the mission the agency was given back in 2018 when Congress established it, and the cognitive dissonance persists. When CISA was created as a legal entity in 2018, the Cybersecurity and Infrastructure Security Agency Act (CISA 2018) assigned it the responsibility of coordinating "a national effort to secure and protect against critical infrastructure risks," to "integrate relevant information, analysis, and vulnerability assessments" regardless of source, and to disseminate the information it analyzed across the government and with the private sector.[3]
That dissemination obligation meant that information given to the agency became information it had the authority to distribute. It also elevated CISA to a unique position in the federal cybersecurity landscape, making CISA both a broadcaster of threat intelligence to the private sector and a coordinator of cybersecurity efforts across the FCEB. When companies seek broad amplification or rapid dissemination for FCEB action, CISA can be a trusted partner for information dissemination and distribution. That’s when CISA is at its best, and its advisories amplify information about important and critical vulnerabilities for response teams.[4]
But it also meant that companies needed to think carefully about what to give CISA, and when to provide it. The data it would share would be distributed across the FCEB and shared with agencies in the intelligence community first and assessed for impact and need to reach either trusted members of CISA’s private sector community (the Joint Cyber Defense Collaborative), or a broader reach (critical infrastructure information sharing and analysis centers and organizations (ISACs and ISAOs)), or the general public. This awareness brings a level of intentionality to any company’s decision-making process to give information to CISA.
Knowledge is Power – And Someone Else’s Knowledge is Someone Else’s Power
One of the great realities in DC and in cybersecurity is that knowledge is power. Generally speaking, CISA has not had a significant amount of first party data to share. But it doesn’t have to be that way in the future. Back in 2018, CISA was given the under-appreciated responsibility of securing Federal information and infrastructure.[5] This mission is difficult and challenging, given the stubborn independence of agencies, the variety of missions, and disparity of budgets across the FCEB.
Despite the passage of time, the need for this responsibility remains acute. Cyberattacks have grown more sophisticated since 2018, and the Federal government is a frequent target. SolarWinds, the Hafnium Exchange Server intrusions, the Log4j attacks, the MOVEit compromise in 2023, and more recently the Microsoft SharePoint ToolShell vulnerability used to compromise the National Nuclear Security Administration, according to press reports,[6] are just a few of the better-known examples. CISA needs more fulsome hunting capabilities to find attack activity sooner, in order to limit impact. This can't be left to the Departments alone. CISA has to be equipped to be the nation's threat hunting team, and it has to use its dissemination mandate to share what it is seeing.
As an example, CISA continues to operate EINSTEIN 1, a network flow monitoring sensor deployed across the FCEB to "monitor the flow of network traffic transiting between FCEB agencies and the internet."[7] This netflow data can help cybersecurity responders detect anomalies, identify affected systems, trace the path of an attack, and provide historical data to search for indicators of compromise (IOCs). It is not a complete story, but it is useful. In the aggregate, it could also be used to tell stories over time: CISA observed X classes of anomalies, or Y types of IOCs, over a given period, and could use that data to create and share reports through its dissemination channels, whether through the JCDC, to critical infrastructures, or with the public.
Agencies like the FBI and NSA have long held an advantage in the intelligence sharing ecosystem because they generate their own data. They are not merely consumers of threat intelligence, they are producers, with something to “share” to “partners.” This reciprocity fosters deeper partnerships and more robust exchanges. But if CISA were to engage more deeply with its authority from CISA 2018 and begin to hunt for nation state activity across the FCEB, it would have over 100 agencies and bodies, hundreds of thousands of persons, and likely millions of devices and service accounts from which it could draw data about threats and anomalies.[8]
CISA would have the ability to analyze this data over time, and the stories it would tell would be powerful. It would show the emergence of new attacks, new indicators of compromise, new zero-day vulnerabilities, new tactics, techniques, and procedures (TTPs) attempted by attackers, and those could be shared – actually shared – with companies whose products or services were involved in the events or incidents. The reports generated would be game changing, because CISA’s data and insights would set a true baseline on a massive scale, and potentially serve as early warnings of broader attack activity to come. The headlines would write themselves.
This is where CISA needs to be. An equal partner – sharing first party data it has collected with big tech, the NSA, and the FBI, as equals. Only then will it be able to achieve its dissemination and security missions established by Congress.
The Path Forward: A New Era of Information Sharing
Of course, allowing CISA 2015 to lapse would not simply freeze progress, it would reverse it. Companies that are anxious about sharing with government know that CISA 2015 provides legal protections. Lawyers have been using CISA 2015 references and definitions in private sector information sharing agreements across the industry. Removing CISA 2015 would upend the stability of those private sector exchanges and the protections afforded by CISA 2015.
More importantly, retraction of these authorities would undermine the future of CISA’s most promising mission: hunting for threats across the FCEB and sharing its findings with its partner ecosystem. This capability, still in its early stages, could be a transformative shift in how the federal government defends its networks. The current model of decentralized detection, where each agency is responsible for monitoring its own networks, has serious limitations. It creates data silos, slows response times, and makes it difficult to identify coordinated attacks that span multiple agencies. Threat actors exploit this reality time and time again, despite agency obligations to notify CISA.
CISA's centralized hunting capability offers a solution. By aggregating telemetry from across the FCEB, the agency can detect patterns that no single agency could see on its own. It can identify common indicators of compromise, correlate seemingly unrelated events, and issue alerts that benefit the entire FCEB ecosystem. Then, using its CISA 2018 authorities, it can disseminate information to responders to help protect against what it finds. This builds an actual sharing ecosystem, one in which parties exchange information, rather than one side giving data and the other disseminating it.
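What the two uses of flow telemetry described above look like in practice, as an added example rather than code from the essay or from CISA: a historical IOC search over netflow-style records, a per-agency check for periodic "beaconing" connections, and the cross-agency correlation step that no single agency can perform on its own. The flow records, agency labels, indicator list, field layout and thresholds below are all constructed for illustration and are not an EINSTEIN schema or real data.

```python
"""Cross-agency netflow correlation (added illustration, not CISA or EINSTEIN code).

Flow records are constructed for this example; field layout, agency labels,
the IOC list and the thresholds are assumptions, not a real EINSTEIN schema.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records: (agency, start_time_s, src_ip, dst_ip, dst_port, bytes_out)
FLOWS = [
    # Agency A: one host checking in every 600 s to 198.51.100.7:443
    ("AgencyA", 0, "10.1.0.5", "198.51.100.7", 443, 1200),
    ("AgencyA", 600, "10.1.0.5", "198.51.100.7", 443, 1180),
    ("AgencyA", 1200, "10.1.0.5", "198.51.100.7", 443, 1210),
    ("AgencyA", 1800, "10.1.0.5", "198.51.100.7", 443, 1195),
    ("AgencyA", 2400, "10.1.0.5", "198.51.100.7", 443, 1202),
    # Agency A: the same host, ordinary bursty browsing to 192.0.2.10
    ("AgencyA", 5, "10.1.0.5", "192.0.2.10", 443, 52000),
    ("AgencyA", 40, "10.1.0.5", "192.0.2.10", 443, 8100),
    ("AgencyA", 700, "10.1.0.5", "192.0.2.10", 443, 300),
    ("AgencyA", 705, "10.1.0.5", "192.0.2.10", 443, 91000),
    ("AgencyA", 2100, "10.1.0.5", "192.0.2.10", 443, 4400),
    # Agency B: a different host checking in to the same destination
    ("AgencyB", 100, "10.2.0.9", "198.51.100.7", 443, 1150),
    ("AgencyB", 700, "10.2.0.9", "198.51.100.7", 443, 1160),
    ("AgencyB", 1300, "10.2.0.9", "198.51.100.7", 443, 1140),
    ("AgencyB", 1900, "10.2.0.9", "198.51.100.7", 443, 1170),
    # Agency C: a single connection to a destination already on the IOC list
    ("AgencyC", 950, "10.3.0.2", "203.0.113.45", 8080, 640),
]

# Constructed indicator list, the kind of IOC a partner might share under CISA 2015.
KNOWN_BAD_IPS = {"203.0.113.45"}


def match_iocs(flows, bad_ips):
    """Historical IOC search: which internal hosts, per agency, reached a known-bad IP."""
    hits = defaultdict(set)
    for agency, _, src, dst, _, _ in flows:
        if dst in bad_ips:
            hits[agency].add(src)
    return {agency: sorted(hosts) for agency, hosts in hits.items()}


def find_beacons(flows, min_flows=4, max_jitter=0.2):
    """Flag (agency, src, dst, port) tuples whose connections recur at near-constant
    intervals. jitter = stdev(interval) / mean(interval): a browsing session is
    bursty (high jitter), an implant check-in is periodic (low jitter)."""
    by_key = defaultdict(list)
    for agency, ts, src, dst, port, _ in flows:
        by_key[(agency, src, dst, port)].append(ts)
    beacons = []
    for (agency, src, dst, port), times in by_key.items():
        if len(times) < min_flows:
            continue
        times.sort()
        intervals = [b - a for a, b in zip(times, times[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue
        jitter = pstdev(intervals) / avg
        if jitter <= max_jitter:
            beacons.append({"agency": agency, "src": src, "dst": dst,
                            "port": port, "period_s": avg, "jitter": round(jitter, 3)})
    return beacons


def correlate_across_agencies(beacons, min_agencies=2):
    """The cross-FCEB view: a destination beaconed to from several agencies is a
    stronger signal than any single agency's lone periodic connection."""
    seen = defaultdict(set)
    for b in beacons:
        seen[(b["dst"], b["port"])].add(b["agency"])
    return {dst: sorted(agencies) for dst, agencies in seen.items()
            if len(agencies) >= min_agencies}


if __name__ == "__main__":
    print("IOC hits:", match_iocs(FLOWS, KNOWN_BAD_IPS))
    found = find_beacons(FLOWS)
    for b in found:
        print("beacon:", b)
    print("shared infrastructure:", correlate_across_agencies(found))
```

Run on Agency A's records alone, `correlate_across_agencies` returns nothing: one host with a regular 600-second connection to a TLS endpoint is easy to dismiss as a software update check. It is the second agency's matching cadence to the same destination that turns it into a finding, which is the argument for pooling the telemetry rather than leaving each agency to judge its own.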
But this model only works if CISA has the legal authority, technical infrastructure, and stakeholder trust to operate at scale. CISA is on the cusp of becoming something it has never been before: a producer of first-party threat intelligence, a hunter across the federal enterprise, and a peer in the global cybersecurity community. Reauthorizing CISA 2015 is the key to unlocking that potential.
Lessons Learned from Lessons Learned: The Cyber Safety Review Board Can’t Be Voluntary
Rob Knake
The Trump Administration moved quickly to disband the Cyber Safety Review Board (CSRB), along with almost all other advisory boards at the Department of Homeland Security, in the name of cost savings and government efficiency. Yet the CSRB may not be so much dead as dormant. The Trump Administration has not rescinded EO 14028, which created the board, and after the next major cyber incident it will face pressure to stand the board back up under existing authorities. Many have already called for the board to be reinstated. When that happens, the difficulty of operating an investigative board on a voluntary basis will become all too apparent to the current administration.
Don't get me wrong here, the CSRB did some incredible work. I was proud to be part of its stand-up and to have made some small contributions representing the Office of the National Cyber Director in some of its proceedings. The three reports the CSRB completed all provide valuable lessons learned for cybersecurity operators as well as insights for policymakers and lawmakers. Yet at a meta-level, the lesson learned from this body of work is that relying on voluntary efforts by board members and voluntary cooperation by companies does not scale to meet the challenge.
For the CSRB to meet its mandate, three things need to change. First, the board needs to be trimmed and granted unequivocal authority to investigate significant cyber incidents; second, the investigative staff needs to be professionalized and staffed sufficiently to carry out multiple investigations at any given time; and, finally, the board must operate independently without the oversight of Federal agencies whose actions are under review.
Investigative Authority
After side-stepping the mandate to investigate SolarWinds, the CSRB's first two reports investigated an open-source vulnerability (Log4j) and the actions of a threat group (Lapsus$). Because of their subjects, neither delivered the hard-hitting findings or criticisms of corporate cybersecurity practices or security tool failures that this industry so badly needs. Yet when the CSRB, in its third and final report, picked an incident that was not an ecosystem problem but the failing of a single company, it inadvertently showed why relying on good-faith participation is likely to fail in the future.
The Review of the Summer 2023 Microsoft Exchange Online Intrusion is the best example of an after action review in the public domain. It pulls no punches and solidly lands a combination that would have knocked out most other companies. In all candor, even a large cybersecurity vendor might not have survived such a brutal flurry.
While the report praises Microsoft’s cooperation, finding that “Microsoft fully cooperated with the board,” it goes on to offer a scathing indictment of Microsoft’s security practices. “The Board finds that this intrusion was preventable and should never have occurred.” Ouch. “The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul.” Double ouch.
The success of the report likely killed off the prospect of the CSRB ever again gaining the kind of cooperation Microsoft provided, at least where a company is not compelled to provide it. No doubt, at least in the short term, cooperating with the CSRB's investigation harmed shareholder value. Any sensible CEO will conclude that refusing to cooperate, lawyering up, and controlling the narrative is the right course of action when asked nicely to engage in a voluntary process. That outcome is of course not in the national security interest.
Luckily, we have a model for how to encourage the kind of cooperation Microsoft provided in the National Transportation Safety Board (NTSB). Somewhat counterintuitively, it starts with clear authority to investigate, compel testimony, and require the turnover of evidence.
The NTSB’s authorizing legislation gives it unambiguous authority to investigate transportation incidents including the authority to force the turnover of information and data it deems relevant. With the authority to compel the sharing of evidence of failure, most companies choose to become “parties” to the investigation, engaging in a cooperative process with the NTSB to share not only evidence but also expertise all in the interest of promoting aviation safety.
In contrast, strengthening the authorities of the CSRB is viewed in the cyber community as a last resort rather than the basis for engendering cooperation. The legislative proposal released by the Biden Administration in 2023 positions subpoena authority as a tool that could only be used when all else failed and created a high bar for its use. In the draft legislation, only when the chair deems the response to a voluntary request insufficient can the chair move to use the subpoena authority. Even then, a subpoena would only be issued when two-thirds of board members approve it. As Congress considers granting authority to investigate to the CSRB, that authority must be unambiguous as it is for the NTSB.
Professional Staff: Scaling to Meet the Challenge
Under the part-time and voluntary service model, the CSRB's investigations have been far too constrained. The current setup means that the investigation of cyber incidents is not anyone's day job. Since the CSRB was stood up, we have had many significant incidents that should have been investigated, including Colonial Pipeline, Kaseya, MOVEit, the CrowdStrike outages, and this summer's Microsoft SharePoint attacks, to name a few. None were investigated, but all merited investigation by the CSRB, as did a sampling of the 3000+ incidents reported within the health care sector since May of 2021.
Instead of relying on part-time experts, the CSRB should be staffed by trained investigators whose one and only job is to investigate cyber incidents and produce lessons-learned reports. These professional staff members should be paid, and paid well, in line with market rates for experienced incident responders and likely well above even CISA's cyber pay levels. In modeling legislation, Congress should look to the authorities granted to the Department of Veterans Affairs to hire doctors at market rates and provide additional incentives for hiring.
The staff should have the authority to contract out specific tasks such as malware analysis or specialized forensic activities but the generation of findings and the production of reports should be entirely the work of the professional staff. These employees should fall under the strictest of ethics obligations and should be prohibited from holding investments in cybersecurity or related fields.
Board Independence
While in its first incarnation, most of the work of the CSRB was conducted by board members, a professional staff will obviate the need for board members to carry out investigations. Instead, board members can provide oversight for the professional staff as well as invaluable context and connections in investigations.
Board members should continue to serve as special government employees on a part-time basis though the role of chair should be considered for a full-time role. While the CSRB did an exemplary job of managing conflicts of interest, future board members should be drawn from the large pool of “formers” that have served at large technology companies, cybersecurity firms, and in government rather than current executives.
Federal agency representation is more problematic than current employment by private cybersecurity companies. As conceived in EO 14028, CSRB membership is to include representatives of relevant Federal agencies as well as representatives of cybersecurity firms and software providers. While I have deep respect for each and every person who served on the CSRB and do not question their integrity or professionalism, it makes little sense to have representatives of the agencies that failed to prevent an incident, or were involved in the response to it, as members of the board.
In the case of the Microsoft incident, representatives from Microsoft and its competitors like Google recused themselves. But representatives from CISA, the FBI, and NSA did not. The report provides little criticism of these organizations. It is reasonable to ask why CISA was unable to detect that its own systems were compromised while even the State Department was able to do so. It is also reasonable to ask why the NSA apparently failed to pick up on this adversary activity, attributed to a nation-state group under active scrutiny, or failed to share this information if it did. Yet these issues were not examined in the report. It may be that they did not deserve examination, but a setup in which the Secretary of Homeland Security would need to sanction criticism of their own department, or of peer agencies they need to work with every day, makes little sense. There is a reason the NTSB is not part of the Department of Transportation, let alone the FAA, and that its reports are not subject to the approval of any Federal official other than the NTSB chair.
[1] Section 702 of the Foreign Intelligence Surveillance Act permits the U.S. government to collect communications (emails, texts, phone calls) of non-Americans located outside the U.S. without an individual warrant.
[2] Coalition Letter Supporting Reauthorization of the Cybersecurity Information Sharing Act of 2015 (CISA 2015) | U.S. Chamber of Commerce
[3] Pub. L. 115-278, Cybersecurity and Infrastructure Security Agency Act of 2018 (CISA 2018), Sec. 2202.
[4] Cybersecurity Alerts & Advisories | CISA
[5] Pub. L. 115-278, Cybersecurity and Infrastructure Security Agency Act of 2018 (CISA 2018), Sec. 2202(c)(3).
[6] US nuclear weapons agency hacked in Microsoft SharePoint attacks
[8] Federal Civilian Executive Branch Agencies List | CISAThe Future of CISA
Building the Next Generation of Cyber Defense
A Collection of Essays edited by Jane Holl Lute, Rob Knake, James Lewis, and Kiersten Todt
Project on Technology and Security
November 3, 2025
The Future of CISA – Table of Contents
Executive Summary
Author Biographies
Introduction: Jane Holl Lute
1 Framing Challenges for the Cybersecurity and Infrastructure Security Agency (CISA)
James Lewis
2: Why We Need a Team Defense in Cyber: The Rationale for a Cyber-Focused Agency
Jeff Greene
3 CISA and the Civilian Face of Cybersecurity
Bobbie Stempley
4. Beyond Federal Boundaries: The Evolving Role of CISA, SRMAs, MSPs, and CSPs in Critical Infrastructure Cyber Risk Management
David Mussington
5. Reauthorizing CISA and Cyber Threat Intelligence Sharing
Cristin Flynn Goodwin
6. Lessons Learned from Lessons Learned: The Cyber Safety Review Board Can’t Be Voluntary
Rob Knake
Executive Summary:
Introduction (Jane Holl Lute)
- Persistent US Cyber Weakness and Bureaucratic Conflict: Despite its power, the US remains vulnerable to cyberattacks due to the vast, rapidly growing complexity of cyberspace and decades of internal bureaucratic battles—primarily among the Department of Homeland Security (DHS), NSA, and FBI—over which agency should lead the federal cybersecurity effort.
- Challenges Facing CISA and Escalating Threats: While the creation of the Cybersecurity and Infrastructure Security Agency (CISA) aimed to resolve the leadership issue, it has struggled to establish itself as the nation’s primary cyber defender. This challenge is heightened by the acceleration of Artificial Intelligence (AI), which provides attackers with vastly more powerful tools for intrusions aimed at causing physical-world effects (theft, extortion, destruction) across critical sectors.
Framing the Challenges for CISA (James Lewis)
- CISA evolved from a fragmented agency landscape, consolidating multiple predecessor agencies (NCSD, NPPD) that struggled with unclear missions, interagency rivalries, and inadequate resources before its establishment as an independent agency in 2018.
- Strong policy foundations (EO 13636, PPD-41, EO 14028) clarified CISA’s role as the lead federal agency for domestic cybersecurity and critical infrastructure protection, with primary responsibility for protecting civilian federal agencies.
- CISA faces persistent challenges including resource constraints (exacerbated by DOGE cuts), tensions with ONCD, and ongoing debates about whether it should have regulatory powers beyond its current voluntary, partnership approach.
Why We Need a Team Defense in Cyber (Jeff Greene)
- CISA is the only U.S. government agency with an unambiguous mission focused on cyber defense, distinguishing it from agencies like FBI (law enforcement), NSA (intelligence), and NIST (standards).
- CISA’s “defense-first” focus enables it to serve as a trusted, neutral intermediary in critical functions like coordinated vulnerability disclosure, where researchers and vendors need a non-regulatory, non-law enforcement partner to facilitate responsible security improvements.
- CISA’s brand credibility and defender-centric posture—demonstrated through programs like the KEV Catalog, Shields Up campaign, and cross-agency monitoring capabilities—makes it an essential voice in government policy debates and a vital resource for network defenders nationwide.
CISA and the Civilian Face of Cybersecurity (Bobbie Stempley)
- Cyber resilience begins locally with state/local governments and industry—not in Washington—making CISA’s role as a civilian, non-regulatory partner essential for connecting federal insight with local action while respecting civil liberties and avoiding the trust issues associated with law enforcement or intelligence agencies.
- CISA successfully translates national intelligence into actionable local warnings (e.g. 2,100-plus pre-ransomware alerts in 2024) and bridges gaps between large technology companies and resource-constrained municipalities, counties, hospitals and school districts that face the hardest challenges in cyber attacks.
- Credibility depends on measurable outcomes and transparency, demonstrated through initiatives like phishing-resistant MFA deployment tracking at USDA, detailed incident response timelines, and the Nationwide Cybersecurity Review self-assessment tool that provides communities with benchmarks for improvement.
Beyond Federal Boundaries (David Mussington)
- Resource constraints at CISA and Sector Risk Management Agencies (SRMAs) have shifted the operational burden of cyber defense to managed service providers (MSPs) and cloud service providers (CSPs), who now serve as frontline responders for critical infrastructure security at the asset and local levels.
- This decentralized model can create significant risks including fragmented defenses, supply chain vulnerabilities (as seen in Log4j), accountability gaps, and reduced federal situational awareness, since CISA often learns of breaches through news reports rather than direct notification.
- Effective national resilience requires federal policy to provide frameworks and incentives that empower local defense, set minimum vendor standards, strengthen ISACs/ISAOs as trusted intermediaries, and establish clear protocols for escalating asset-level incidents to sector and federal authorities.
Reauthorizing CISA 2015 (Cristin Flynn Goodwin)
- The Cybersecurity Information Sharing Act of 2015, which provides legal protections for private sector threat information sharing with government, expired on September 30, 2025 and should be reauthorized to maintain stability in both public-private and private-private sector information exchanges.
- CISA currently functions primarily as an information disseminator rather than a true sharing partner because it still lacks significant first-party threat data, creating an imbalance where companies must weigh what to share, knowing it could be broadly distributed across federal agencies.
- CISA’s future potential lies in developing robust threat-hunting capabilities across the Federal Civilian Executive Branch (using tools like CDM and EINSTEIN) to generate its own intelligence, transforming it into an equal partner to FBI and NSA that can truly share rather than just receive and disseminate threat information.
Lessons Learned from Lessons Learned: The CSRB Can’t Be Voluntary (Rob Knake)
- The Cyber Safety Review Board’s scathing report on Microsoft’s 2023 Exchange Online intrusion—while exemplary—likely destroyed prospects for future voluntary corporate cooperation, as no rational CEO would willingly participate in a process that could harm shareholder value without legal compulsion.
- The CSRB needs three fundamental reforms to be effective: unambiguous investigative and subpoena authority (modeled on the NTSB), a full-time professional investigative staff paid at market rates to handle multiple concurrent investigations, and true independence from federal agencies whose actions may be under review.
- The current part-time, voluntary model cannot scale to meet the challenge—numerous significant incidents (Colonial Pipeline, Kaseya, MoveIT, CrowdStrike outages) have gone uninvestigated, and having federal agency representatives serve as board members creates inherent conflicts when those agencies’ failures should be examined.
Author Biographies
Jeff Greene is a Distinguished Fellow with the Aspen Institute’s Cybersecurity Program and the author of the blog Cyber Shorthanded. He also advises public and private sector leaders on cybersecurity and resilience issues. Jeff served as the Executive Assistant Director for Cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA) and the Chief of Cyber Response and Policy on the National Security Council (NSC) during the Biden Administration. Before that he was Director of NIST’s Cybersecurity Center of Excellence and was an executive in a private sector cybersecurity company.
Rob Knake served as Deputy National Cyber Director at the Office of the National Cyber Director (ONCD) from 2022 to 2023. Earlier in his career he served at CISA’s predecessor agency, the National Protection and Programs Directorate.
James Lewis is a Distinguished Fellow at the Center for European Policy Analysis who has written extensively on cybersecurity. Earlier, he was a researcher at the Center for Strategic and International Studies.
Jane Holl Lute is a distinguished American diplomat and senior executive who has held key roles in the United Nations and U.S. government. She served as the first UN Assistant Secretary-General for Peacebuilding Support and as Deputy Secretary of Homeland Security. Lute is known for her expertise in international security, crisis management, and global peacekeeping efforts.
Dr. David Mussington is a Professor of the Practice at the University of Maryland’s School of Public Policy. He rejoined UMD after serving as the Executive Assistant Director for Infrastructure at CISA, where he was a Presidentially appointed official responsible for implementing the nation’s critical infrastructure security and resilience. He led efforts on counter-terrorism, reducing targeted violence, and physical infrastructure security. He was also a founding member of CISA’s Cyber Safety Review Board. Dr. Mussington has extensive public and private sector experience in cyber and infrastructure security, including roles as a Senior Advisor for Cyber Policy for the Office of the Secretary of Defense and as a Director for Surface Transportation Security Policy on the NSC staff. He directed cybersecurity studies for DHS, ODNI, and NATO as a researcher at RAND and the Institute for Defense Analyses. He is a life member of the Council on Foreign Relations.
Cristin Flynn Goodwin is the Managing Partner of Advanced Cyber Law, LLC and the host of the Advancing Cyber Podcast. She also consults with Good Harbor Security Risk Management. Cristin spent over 17 years as the head cybersecurity lawyer for Microsoft’s incident response, threat intelligence, and information sharing teams and led Microsoft’s work to disrupt nation state actors and spyware vendors.
Roberta Stempfley serves in an executive leadership role at Dell Technologies driving Security and Resilience efforts in the product business units. Bobbie served in executive leadership roles in DHS and DoD where she led efforts to engage with critical infrastructure and the Federal Government to reduce cyber risks and to prepare for and respond to cyber events. As the CIO of the Defense Information Systems Agency she had the responsibility for the digital transformation of a major defense agency.
Introduction
Jane Holl Lute
It surely is an irony of the current day that, notwithstanding the extraordinary power of the United States, it remains remarkably weak in defending its most important assets against cyber attacks. Part of the explanation for this persistent weakness lies in the nature of the challenge – the world of cyberspace is vast and complex – growing organically, instantaneously, and increasingly wealthy with every passing day. Very simply, the power to connect has vastly outpaced the power to protect, leaving governments, including the world’s most powerful government, in the unfamiliar role of market participant and not market leader in the domain of security.
But part of this sorry state of affairs can also be explained by the way the U.S. government has approached its role in cybersecurity over the past four decades – following the first documented case of a cyber breach in 1986 revealing that one Markus Hess, a German national, had hacked into the Lawrence Berkeley National Lab, selling the information he stole to the Soviets.
For a good part of the years since then, and through the better part of this century, a quiet battle has raged in the bureaucracies of the U.S. federal government and among U.S. national security, law enforcement, and homeland security agencies. Which among them would ultimately be tapped to lead the federal effort? Indeed, what, exactly, was the federal government expected to do when it came to ensuring the cybersecurity of the nation?
The question was crystallized in 2010 with the publication of the first ever Quadrennial Homeland Security Review (QHSR). For the first time, the (still relatively new) Department of Homeland Security (DHS) identified “safeguarding and securing the nation’s cyberspace” as one of its five core homeland security missions. And over the past fifteen years, DHS has organized and reorganized itself to achieve this aim – while under near-constant bureaucratic opposition and assault from its sister agencies – principally the National Security Agency and FBI – that believed the mission belonged with them.
It appeared that Congress resolved the question of agency primacy with the creation of the Cybersecurity and Infrastructure Security Agency (CISA) under an act of the same name in 2018. But in many ways, the challenge was just beginning. Notwithstanding Congress’ intent and support from the White House, CISA has struggled to establish its role as the Nation’s leading cyber defender. Why this is so is no mystery, and in the pages that follow, some of the most experienced voices who lived these developments offer explanations to account for the weaknesses that persist.
Yet, it would be wrong to say that no progress has been made. There can be no question that the owners of U.S. critical infrastructure are now more aware of the hazards in cyberspace, more engaged in active defenses, and more willing to work with the government to further strengthen those defenses than even a few short years ago.
But time is not on the side of defense. With the rapid acceleration of artificial intelligence (AI) in all its manifestations, cyber attackers now have a vastly more powerful set of tools for mischief and crime, not only in cyberspace, but in every conceivable domain. No area is safe or secure from harm: finance, education, health care, biosecurity, national defense, and more. Indeed, it is probably safe to say, again, perhaps ironically, that cyber attacks are not even their own point any more (if they ever were). Cyber intrusions are intended to have a physical world effect – theft, extortion, distortion, and even destruction.
But no single actor can do all that needs doing when it comes to cyber defense, and all that needs doing cannot be done alone. If the Federal Government will now do less in our lives than in previous decades, there remains, nevertheless, an irreducible role for it to play here. The U.S. government must orient its attention and effort toward the practical steps necessary to ensure the nation’s cyber protection, and CISA has a critical role to play in the months and years ahead. The chapters that follow are focused on the future – which has come for us, whether we are ready or not.
Framing the Challenges for the Cybersecurity and Infrastructure Security Agency (CISA)
James Lewis
The Cybersecurity and Infrastructure Security Agency (CISA) is the lead agency for domestic cybersecurity and critical infrastructure protection. CISA is a major improvement over its predecessors. It has achieved many of the initial goals envisioned in its creation. The challenges CISA faces date to its inception: interagency rivalries, a lingering debate over the need for regulation, and resources for building a tech-centric workforce. CISA has been a success, but more could be done, and these essays lay out the rationale for further developing CISA’s missions.
A Fragmented Landscape Before CISA
Established in 2018, CISA is a relatively new agency and cybersecurity is a relatively new governmental function. DHS itself was created in January 2003 in response to the September 11 attacks, to ensure another 9/11 would never happen again. The initial DHS component responsible for cybersecurity was the National Cyber Security Division (NCSD), established in June 2003. NCSD was created by merging existing cybersecurity organizations from other federal agencies. These included:
- Critical Infrastructure Assurance Office (CIAO, ambiguously attached to the Department of Commerce)
- National Infrastructure Protection Center (NIPC, formerly part of the FBI)
- Federal Computer Incident Response Center (FedCIRC, part of the National Institute of Standards and Technology, within the Department of Commerce)
- National Communications System (NCS, established in 1963 and managed by the Department of Defense)
NCSD was not a happy marriage of these previously competitive agencies, nor was cybersecurity a priority for DHS’s initial leadership. In 2007, NCSD was folded into a new National Protection and Programs Directorate (NPPD), to create a more cohesive entity that could address both cyber and physical threats to the nation’s infrastructure. This integration reflected the belief that physical and cyber threats were intertwined and best managed by a single directorate. This belief reflected an intermediate stage of threat evolution. The initial concerns, post-9/11, were physical threats. This was followed by growing awareness of the convergence of physical and cyber threats, which then evolved into a focus on cybersecurity and its role in physical security. But since 2007 there have been only a handful of minor physical attacks (more like vandalism) against facilities like electrical substations that serve a single community. It would take dozens of these attacks launched simultaneously to achieve the disruptive effect of a single large cyber attack.
NPPD merged disparate programs within DHS, including NCSD’s cyber work, physical infrastructure protection, federal facility security (the Federal Protective Service, which guards embassies and federal buildings), and emergency communications. NPPD struggled with a lack of clear mission, interagency competition, inadequate resources, and a fragmented strategy. Its structure (as an appendage of the Secretary’s Office) meant that it lacked the bureaucratic stature to compete in addressing increasingly sophisticated cyber threats, within government and also with industry. One NSA Director even proposed giving NSA the lead role in cyber infrastructure protection.
The dilemma with moving responsibility for cybersecurity away from DHS was that it would assign a domestic security role to DOD and to an IC-related part of DOD at that. This dilemma mirrored debates at the time on whether the US needed its own “MI5” for domestic security. The conclusion of that discussion was that the US did not need an MI5, as it already had the FBI. But FBI was also hindered in its cybersecurity role (which it had pioneered with the Clinton-era NIPC) because companies were reluctant to share information with a law enforcement agency. Nor was a small but noisy privacy community happy with an expanded role for either FBI or NSA, and this community had some influence with Congress.
CISA’s creation as a civilian, non-regulatory agency outside of law enforcement and intelligence addressed these concerns. Congress created CISA with the Cybersecurity and Infrastructure Security Agency Act of 2018. The bipartisan Act made CISA an independent agency within DHS. It gave CISA a clear mandate and increased its authorities, including designation as the lead federal agency for cyber and physical infrastructure security. CISA would coordinate cybersecurity and critical infrastructure activities with federal, state, local, tribal, and international counterparts. Its primary responsibility would be to protect “dot.gov,” civilian agencies within the federal government. The aim was to create a more effective Federal entity to lead national efforts to reduce risks to critical infrastructure.
EO 13636 and PPD-41
The new Agency began with a strong foundation in policy. The Obama Administration created a new basis for US cybersecurity policy and organization. Its February 2013 Executive Order 13636 adopted a voluntary, sector-specific approach that made individual regulatory agencies responsible for their sector rather than making DHS the cybersecurity “uberregulator.” Sector-specific agencies would use their existing authorities to ensure that cybersecurity was a priority for the sectors they oversee, and the Executive Order encouraged independent agencies to take a similar approach. A cornerstone of the EO is NIST’s Voluntary Cybersecurity Framework, which identified actions that agencies – and industry – could take to better understand, manage, and reduce cybersecurity risks to critical infrastructure, and to review their own regulations to assess whether they were adequate. NIST remains a vital partner for CISA.
The Administration also issued Presidential Policy Directive 41 (PPD-41) – “United States Cyber Incident Coordination” – in 2016. PPD-41 created a structured approach for the federal government’s response to significant cyber incidents, led by the National Security Council (NSC), clarifying roles and responsibilities for agencies, including DHS, and specifying which agencies were responsible for different aspects of a cyber incident. It designated FBI, CISA, and DOD as lead agencies for different aspects of a cyber incident. FBI leads in cybercrime, and if the incident is determined to be an attack by a state, DOD leads. PPD-41 created the Cyber Response Group and the Cyber Unified Coordination Group to provide the mechanism for Federal coordination. CISA benefitted from this clarity, and its establishment as a standalone agency in 2018 gave it more authority and resources to carry out its PPD-41 responsibilities.
CISA’s responsibilities expanded as a result of major cyber incidents and new policy directives. The SolarWinds attack in late 2020 highlighted systemic vulnerabilities in the software supply chain. Colonial Pipeline showed the risk of ransomware in disrupting critical services. These incidents led to Executive Order 14028 in May 2021, “Improving the Nation’s Cybersecurity.” The EO tasked CISA with developing baseline security standards for software sold to the government, establishing a Cyber Safety Review Board (partially modelled on the NTSB), and (working with OMB) improving threat information sharing.
The Arrival of ONCD
Concerned by the first Trump administration’s apparent downgrading of cybersecurity, Congress created a new layer of management at the White House, the Office of the National Cyber Director (ONCD). ONCD was headed by a Senate-confirmed individual who, in theory, reported directly to the President. This reporting structure created tensions with CISA – driven by a lack of clarity of roles and responsibilities – and with the NSC which already had the senior cyber role in the White House. The original thinking was to have either the senior White House role or the ONCD – not both.
ONCD’s disputes with CISA were not as intense as the intra-White House arguments. They involved defining the division of responsibilities. The current Administration seems to have settled on ONCD as the lead cyber policy maker, with a smaller NSC cyber office fulfilling its traditional foreign policy and defense role, CISA leading domestic cybersecurity, and FBI, DOD, and State responsible for their law enforcement, defense, and diplomatic functions.
Resources
CISA faces persistent challenges with resources and staffing. This has only gotten worse. A 2023 report from the DHS Office of Inspector General noted that CISA lacked backup communication systems, staff, and secure spaces to effectively manage major cyber incidents. The rapid evolution of cyber threats often outstripped the agency’s ability to hire and train personnel. CISA was made the sector risk management agency for eight sectors. CISA’s election security and disinformation efforts attracted the ire of conservatives, and the inaptly-named “Department of Government Efficiency” (DOGE) made draconian cuts to CISA staff and contractors. New funding is unlikely in the near term, and one question for CISA is what missions should be a priority, given limited resources. One potential solution is to focus its mission on securing government networks and improving its work with industry to protect critical infrastructure.
Information Sharing and Collaboration
A core element of CISA’s work involves leading and facilitating information sharing between the government and the private sector. Congress intended CISA to be the private sector’s primary partner and CISA’s sweet spot has been its collaboration with the private sector. CISA became the central hub for sharing threat intelligence, vulnerability advisories, and best practices. As with its predecessors, there were complaints that information sharing was a one-way street, with companies not getting much in return for what they shared, but over time, CISA’s offerings improved and later initiatives like the Known Exploited Vulnerabilities (KEV) Catalog became crucial tools by providing a prioritized list of vulnerabilities that organizations should address immediately due to active exploitation. In 2022, CISA produced 416 vulnerability advisories and coordinated on over 700 cases. In Fiscal Year 2024, CISA released nearly 1,300 cyber defense alerts and advisories, a significant increase that includes a near-doubling of pre-ransomware alerts alone. Its joint threat advisories have also been effective in signaling to industry the importance of the information.
The creation of the Joint Cyber Defense Collaborative (JCDC) in 2021 provided a new mechanism for CISA’s collaboration with the private-sector and CISA introduced several new initiatives to proactively reduce cyber risk. JCDC received mixed reviews, but it was praised for its ability to quickly bring together government and private sector partners to respond to cyber incidents. Examples include coordinating responses to the Log4j vulnerability. JCDC was criticized for being too selective in which companies could participate and for engaging too many partners without a structure. Critics argued that the JCDC needed to be more operationally focused with a clearer, proactive strategy for helping industry protect critical infrastructure. JCDC was reliant on contractors and DOGE cuts and contract lapses could impede JCDC’s ability to function. Despite its value, JCDC was stood down by the Trump Administration.
CISA’s role in protecting and defending the networks of FCEB (Federal Civilian Executive Branch) agencies involves both coordination and monitoring. For coordination, CISA acts as the government’s central risk advisor using Binding Operational Directives (BODs) and Emergency Directives (EDs) that compel FCEB agencies to fix specific, high-priority vulnerabilities. CISA is the hub for cyber threat information sharing across the government. CISA maintains situational awareness across the federal enterprise through programs like the Continuous Diagnostics and Mitigation (CDM) Program, which provides tools to agencies for real-time network visibility and risk management and the National Cybersecurity Protection System (NCPS) to detect and prevent intrusions. Some of these are replacements for the older EINSTEIN intrusion detection system, others (like CDM) are new.
Regulate or Not?
CISA and its predecessors have always disavowed any regulatory role, in part due to the recognition that Congress is unlikely to provide new authorities. CISA largely operates on a voluntary basis, providing services and guidance that organizations can choose to adopt. While this builds trust and partnership, it also limits the agency’s ability to mandate changes in cybersecurity practices, particularly in the private sector. While CISA has been granted new authorities, such as the ability to issue administrative subpoenas, a fundamental tension remains between CISA’s role as a partner and its potential need for a more regulatory or enforcement-oriented function.
CISA’s Role in Risk Management
CISA attempted to expand its role beyond federal cybersecurity to become the nation’s “risk advisor.” CISA took a lead role in securing the 2020 and 2024 elections, providing voluntary support and services to state and local election officials, and combating election-related misinformation. More controversially, it attempted to help counter misinformation and disinformation. While DHS’s short-lived and ill-conceived Disinformation Governance Board (DGB) was not part of CISA, blowback from its rapid collapse damaged CISA. CISA’s work was subject to political scrutiny for its role in election security and its efforts with social media companies on disinformation. CISA’s first Director was fired in 2020 for publicly stating that the Presidential election was secure. While the Supreme Court has rejected claims of CISA coercing social media platforms, the legal challenges highlight the sensitive nature of an approach not specifically authorized in legislation.
CISA and the Future
As new Administrations grapple with cybersecurity, CISA will continue to evolve. The still-growing reliance on cyber infrastructure (and the effect of AI and quantum computing on this) and a worsening international environment will put even more demands on CISA. This collection of essays is a first step to draw on experience and address salient issues for the future of CISA. They include:
Why We Need a Team Defense in Cyber (Jeff Greene): Today’s complex cybersecurity landscape requires a team defense for national security, economic stability, and democratic resilience. While numerous U.S. government agencies, such as the FBI, NIST, NSA and Cyber Command play crucial roles, only CISA has the primary, unambiguous mission of cyber defense. CISA’s singular focus allows it to act as a central hub for public-private collaboration, coordinate vulnerability disclosures between researchers and vendors, secure federal civilian networks, and serve as an important voice for defenders in government policy discussions. This “defense-first” approach builds trust with external partners and ensures that resilience is prioritized, filling a critical gap that other agencies with broader, more varied missions cannot.
Beyond Federal Boundaries: The Evolving Role of CISA, SRMAs, MSPs, and CSPs in Critical Infrastructure Cyber Risk Management (David Mussington): Securing U.S. critical infrastructure requires a layered, cooperative approach that extends beyond federal policy. While CISA and Sector Risk Management Agencies (SRMAs) set high-level approaches, they face resource limitations that prevent them from providing hands-on, day-to-day cyber defense. This has shifted the operational burden to managed service providers (MSPs) and cloud service providers (CSPs), who are now frontline responders for individual assets and local jurisdictions. As MSPs and CSPs manage systems and patch vulnerabilities, they play a crucial role in preventing cyberattacks. However, this model introduces risks, including fragmented defenses, supply chain vulnerabilities, and reduced situational awareness for federal agencies. To address these challenges, federal policy must provide frameworks and incentives that empower local defense, set minimum expectations for vendors, and improve information sharing among all stakeholders, including non-governmental organizations (NGOs) like Information Sharing and Analysis Centers (ISACs).
Lessons Learned from Lessons Learned: The Cyber Safety Review Board Can’t Be Voluntary (Rob Knake): While the Cyber Safety Review Board (CSRB) has produced valuable reports, its voluntary, part-time model is not effective in investigating significant cyber incidents. The CSRB’s productive, yet scathingly critical, review of a Microsoft intrusion highlights that relying on a company’s good faith is not a reliable long-term strategy, as it may deter future cooperation. To be truly effective and meet its mission, the CSRB needs three major changes: it must be given unambiguous investigative and subpoena authority, similar to the National Transportation Safety Board (NTSB); it needs a full-time, professional staff of investigators to scale its operations; and it must be structured as an independent body to avoid conflicts of interest, particularly by not including members from the very government agencies whose actions may be under review.
Reauthorizing CISA and Cyber Threat Intelligence Sharing (Cristin Flynn): Passed in response to a wave of major data breaches, the Cybersecurity Information Sharing Act of 2015 (CISA 2015) created a framework that provides legal protections for private companies to share cyber threat information with the government. While this act is important for its original purpose, its real value lies in what it can enable in the future. As the Cybersecurity and Infrastructure Security Agency (CISA) matures and develops its own robust threat-hunting capabilities across the federal government, it will shift from a role of simply disseminating information to one of true information sharing. By producing its own “first-party” data on threats and vulnerabilities, CISA can become an equal partner with the private sector and other intelligence agencies, fostering a more effective and reciprocal ecosystem for cybersecurity defense. Reauthorizing CISA 2015 is crucial to unlocking this potential, as it provides the legal foundation and trust necessary for this new era of collaborative defense.
Why We Need a Team Defense in Cyber
Jeff Greene
Today, every department and agency in the United States government has a cybersecurity mission. For most, the mission is narrowly focused: defend their networks, data, and personnel. For some, that mission is broader, from developing international standards to partnering with the private sector to conducting offensive operations. But only one agency – CISA – has one primary, unambiguous mission: cyber defense.
This clarity of purpose matters.
This does not diminish the quality or importance of the work of other agencies; the FBI, NSA, NIST, CIA, State, Secret Service, OMB, and others play essential roles in securing our nation and imposing costs on our adversaries. But none prioritizes defense as its central, animating mission. In contrast, CISA’s first principle is empowering defenders and advocating for defense-first policies inside and outside government.
Cyber attacks are now among the most significant threats to national security, economic stability, and democratic resilience, and the U.S. government’s cyber responsibilities are dispersed across numerous agencies. Each has its own history, authorities, and culture. On the cyber defense side, CISA’s work overlaps with several, including the following.
- The Federal Bureau of Investigation (FBI) is primarily a law enforcement agency. Its cyber mission centers on investigating cybercrime, attributing malicious activity, imposing costs on our adversaries, and bringing cases to prosecution.
- The National Security Agency (NSA) is part of the intelligence community (IC), with signals intelligence (SIGINT) and cybersecurity missions. It collects and processes SIGINT and works to prevent and eradicate threats to U.S. national security systems. The NSA also partners with allies and industry to strengthen cybersecurity capabilities.
- The National Institute of Standards and Technology (NIST) develops technical standards and guidance and works closely with industry and our international partners. It is not an operational security agency, and is a non-regulatory body that supports the development and adoption of cybersecurity practices across government and industry.
Each of these organizations is essential to national and economic security, but their missions are broader than just defending America’s digital infrastructure. For operational policy reasons, government needs an agency with that singular focus – and today that is CISA.
CISA’s Core Mission: Defense First
CISA was established in 2018, built on DHS’s National Protection and Programs Directorate (NPPD), which was home to the Office of Cybersecurity and Communications. It is now an operational component of DHS charged with protecting the nation’s critical infrastructure from cyber threats and ensuring resilience in the face of attacks. It has no offensive, intelligence collection, or law enforcement mandate. Instead, its responsibilities are entirely defensive:
- Protecting the Federal Civilian Executive Branch (FCEB): CISA is charged with safeguarding the networks of non-military, non-intelligence federal agencies – the digital backbone for services that millions of Americans rely on every day.
- Serving as a hub for public-private collaboration: CISA leads information sharing with critical infrastructure sectors, state and local governments, and private industry.
- Acting as a national coordinator: CISA provides guidance, alerts, and mitigation resources to defenders nationwide, ensuring consistent awareness of threats and vulnerabilities.
- Empowering defenders: From free tools to advisories to incident response support, CISA exists to empower network defenders in both government and industry.
Disclosing Vulnerabilities and Mitigating Risk
Consider Coordinated Vulnerability Disclosure (CVD), the process by which security researchers and organizations work together to identify, report, and remediate software or system vulnerabilities in a responsible, timely manner. CISA plays a central role in this process as a trusted, neutral intermediary between researchers and industry vendors. CISA receives vulnerability reports, validates the information with the relevant vendors, and helps to develop and test mitigation plans before any public announcement. This process ensures that patches or updates are ready for users when a vulnerability is disclosed, which reduces the amount of time that a vulnerability is publicly known and available for exploitation by malicious actors.
This process can be fraught, as the two communities (security researchers and the technology industry) often do not trust one another, and at times outright dislike each other. When a researcher comes to CISA, it is often after they are unable to establish contact with a vendor to disclose a vulnerability they discovered. In other cases, a vendor approaches CISA when it is struggling to come to agreement on a responsible disclosure plan with a researcher. In both cases, CISA’s role is more than technical. Emotions are often raw, as vendors can feel like the researcher is attacking their product and their development processes, and researchers can feel unappreciated and disrespected. It is CISA’s job to calm these emotions, ensuring that researchers can disclose flaws without having to navigate the complexities of vendor relations. The end result benefits all of us: a plan that ensures a vulnerability is disclosed and mitigated in a way that protects the broader public.
Can other agencies serve this function? Of course, and some are part of the process. But CISA has become the one-stop shop for many researchers, who trust it because its mission is pure defense – it has no law enforcement, intelligence, or regulatory responsibility. The system works better and faster because of this trust, which means that vulnerabilities are remediated more quickly and effectively.
Securing Federal Civilian Executive Branch (FCEB) Networks
Next consider CISA’s role in helping to secure the FCEB. While every agency retains responsibility and authority for securing its own systems, CISA plays an essential role looking across agencies and providing support and tooling. In the wake of Russia’s SolarWinds compromise of myriad public and private entities, discovered in late 2020, the federal government took a hard look at how Russia breached federal agencies. With hindsight, we identified events that were part of the intrusion, but prior to detection we did not see enough and could not correlate them across federal agencies.
Fast-forward to when I left CISA in January of this year. With help from the White House and Congress, and in partnership with dozens of federal agencies, CISA can now monitor scores of federal agencies in real or near-real time. It can take individual bits of data, look at logs and information from across the FCEB, and use this to detect malicious activity far earlier than even the most sophisticated local detection tools, because CISA is looking at data from across agencies. By using this capability – and as the hub for sharing with CISA’s federal and private sector partners – the agency has been able to detect sophisticated nation state activity before it was able to do much harm. This is something no individual agency could do on its own. CISA can, by using its unique statutory authorities and enabling direction from the White House, provide insights and data sharing otherwise unavailable.
A Necessary Voice inside Government
CISA also plays an important role during internal U.S. government policy discussions – the oft-cited “interagency.” CISA’s defense-first mandate makes it the natural advocate for security and resilience in interagency debates. Whether the subject is vulnerability disclosure, cyber norms, or critical infrastructure protection, CISA consistently emphasizes the needs of defenders.
This role is not abstract – it shapes real policy outcomes. For example, CISA can push for broader sharing of threat intelligence with private industry, even as other agencies might want to hold information close because of the needs of their mission, whether for law enforcement, military, or intelligence reasons. It can champion rapid patching timelines, standardized configurations, and stronger baseline requirements across government networks. Its influence derives not from investigative powers or offensive capabilities, but from its credibility as a defender, first and last.
One specific area where CISA’s voice matters is the Vulnerabilities Equities Process, or VEP, created in 2010 and made public in 2014. This is the interagency mechanism for deciding whether software vulnerabilities should be disclosed to vendors or retained for intelligence or military use. During these important discussions, it is essential to have a defense-focused advocate. CISA will not always win every policy debate (whether broadly or for VEP specifically), but policymakers need to hear all sides of an issue if they are to make the best decisions for the country.
CISA as the Enabler of Network Defenders
Perhaps most importantly, CISA exists to enable defenders across the nation. Its alerts, advisories, free tools, and incident response teams are designed not for itself, but for the network operators who form the frontline of cybersecurity. Over the past seven years, CISA has worked hard to build its brand; the debates we had about whether to issue cybersecurity advisories or to lend our name to other similar publications were frequent and intense. We would not co-brand a publication if it was merely for publicity, included only information that others had already published, or did not provide actionable information to network defenders. As a result, the CISA label on a cybersecurity advisory carries weight, and network defenders know that if CISA lends its name to something, they need to pay attention.
This defender-centric posture is special in government. CISA works with partners in the U.S. government and abroad, and proactively shares threat information and technical expertise to give defenders every possible advantage. The Shields Up campaign in advance of Russia’s full-scale invasion of Ukraine gave specific, actionable information about Russian state-sponsored threats and steps to defend against them. For every Fortune 100 company with a mature cybersecurity program, there are thousands of smaller organizations that depend on CISA’s accessible resources.
Why CISA Must Remain the Nation’s Cyber Defense Hub
In a federal landscape of agencies with varied cyber missions, CISA’s clarity of purpose and defense-focused voice is invaluable. This ensures that resilience is never an afterthought. Moreover, CISA has become a trusted public face of government cybersecurity. Researchers, vendors, and network operators know they can turn to CISA as a non-regulatory body with no law enforcement or intelligence mission. This trust is not incidental—it is the product of CISA’s defense-first culture.
As cyber threats continue to grow, the U.S. will need offense, intelligence, law enforcement, and standards. But without a pure defense agency, the balance of priorities could skew dangerously away from resilience. CISA fills that gap.
What’s Next for CISA
CISA needs to solidify the gains it has made in the past years, and to sustain the quality and breadth of its work even as it goes through steep budget cuts and sees key staff depart. This will not be easy. CISA’s new leadership is focused on the mission, but unfortunately, they have fewer resources with which to work than did I or my predecessors.
The most important thing CISA can do is to stay focused on being “Team Defense” in the U.S. government cybersecurity community. This perspective is an essential part of internal policy debates and a crucial resource to the private sector. CISA’s positions will not always carry the day – nor should they, as other agencies have competing, legitimate interests. But these views, and the defense-first arguments, will help shape policy regardless of whether they are adopted in whole or in part.
CISA should also build on the brand it has already established, through continued rigor and through outreach to the broader cybersecurity community. In the months since I left the Cybersecurity Division, I have talked to numerous cybersecurity executives in a variety of companies, in the technology sector and beyond. Some understand and appreciate that CISA is careful about using its logo on advisories, but many do not. CISA should work to expand this awareness – not for its own brand, but rather so that cyber defenders know that CISA’s endorsement of an alert means it is something they need to consider immediately.
CISA and CSD should also continue some of the key programs and initiatives of the past few years. Every administration has different priorities and philosophies, but some should transcend these changes. For instance, encouraging vendors to build better, more secure products is not a political statement, and I've been pleased to hear DHS leadership talk about this publicly. Similarly, CISA should lean into success stories like the Known Exploited Vulnerabilities ("KEV") Catalog, a list of the highest-priority software vulnerabilities that must be patched quickly to reduce real-world attack risk. Though only four years old, KEV is already seen by cyber defenders across sectors as an invaluable tool.
Along those lines, CISA must double down on its track record of partnership with the private sector, and maintain its strong relationships with Congress. The private sector needs CISA as much as CISA needs it, and together they can advance our nation's security posture.
CISA and the Civilian Face of Cybersecurity
Bobbie Stempley
When an adversary strikes a hospital with ransomware or compromises a water system, it is not just a federal government problem, it is a community crisis. In moments like these, the public needs a capable, trusted partner – one that can support local leaders, bring technical expertise, understand the operational realities of industry, and respect civil liberties.
These scenarios are no longer rare. Over the past three decades, awareness of cyber threats has grown, information sharing has matured, and technical capacity across government and industry has expanded. And one truth endures: trust, relationships, and collaboration remain the foundation of resilience. To sustain them, America must return to first principles, aligning with two of its greatest strengths: a federalist system of distributed authority and an entrepreneurial culture of innovation. Today, this approach means ensuring cybersecurity has a trusted, civilian face, one that empowers local governments delivering essential services and supports the industries driving our economy.
First Principles: Resilience Begins Locally
Resilience does not begin in Washington. It begins with those closest to the risk: the state and local governments that keep water safe, schools open, and transit running; the industries that drive economic growth and operate critical infrastructure; and the individuals whose vigilance makes a difference every day.
Recognizing this reality does not diminish the federal role. It clarifies it. Washington's advantage is not in directing every move, but in providing the tools, intelligence, and standards that others need to succeed, and in having a broader vision and understanding that spans localities and sectors nationally. Done well, federal engagement multiplies the efforts of local leaders, equips industry to innovate securely, and reinforces individual responsibility with national resources.
This intersection is precisely where the Cybersecurity and Infrastructure Security Agency (CISA) has value. As the nation’s civilian cybersecurity agency, CISA is not designed to compete with state or industry leadership but to complement and amplify it. Its greatest contributions lie in bridging communities, setting priorities, and enabling stakeholders.
By prioritizing risk through tools such as the Known Exploited Vulnerabilities (KEV) Catalog and National Critical Functions, by applying deep analytic expertise through programs such as the national cyber assessment teams, and by drawing on experience that ranges from rural water utilities to global cloud providers, CISA enables scarce resources to be allocated where they matter most. In doing so, the federal government fulfills its proper role: not commander of the system, but enabler of those already carrying the burden of resilience.
Industry Trust and Innovation
One of America's defining strengths in the 21st century is its capacity for innovation. Our digital ecosystem has transformed how humans work, live, and relate to one another. It has also fostered new partnerships and collaboration between government and industry. Effective two-way sharing of threat insights, collaborative response actions, and joint messaging now happen daily. But these are delicate negotiations, ones in which industry must weigh domestic and international market considerations, customer privacy, and the consequences of sharing information with law enforcement or intelligence agencies.
These concerns may seem like throwbacks to 2001, but the 2024 ODNI Inspector General Semiannual Report underscored ongoing concerns about the business and regulatory risks of sharing data with intelligence and law enforcement. Meanwhile, debates around FISA Section 702 [1] reauthorization and surveillance authority have hampered trust-building. Progress has been made in building trust between FBI, NSA, and industry, but trust remains fragile.
A civilian face and partner is indispensable. CISA’s focus is resilience, not prosecution or espionage. Its programs, from the early Cyber Information Sharing and Collaboration Program (CISCP) to today’s Joint Cyber Defense Collaborative (JCDC), have evolved from information sharing to coordinated action. JCDC has flaws, but it proved that when industry sees government as a partner aligned with common goals, the speed and scale of defense improve dramatically.
Bridging Industry and State/Local Governments
Focus matters. Not every partner brings value in every situation. CISA’s unique role enables it to bridge large industry partners with state and local governments that often face attacks with limited resources. Technology giants may develop cutting-edge defenses, but counties, municipalities, and school districts absorb the first and hardest blows. And the ability to translate those defenses to local action requires engagement.
CISA translates national and industry intelligence into warnings local operators can use. A striking example is its pre-ransomware notification program. In 2024, CISA issued over 2,100 such alerts — nearly double from the prior year. These early warnings have already been credited with enabling local entities to stop intruders before they could encrypt or exfiltrate data. Partnerships with organizations like the Multi-State Information Sharing and Analysis Center (MS-ISAC) ensure that these insights reach those who need them most and enable a two-way flow of insights.
Accountability and Measurable Outcomes
Credibility in cybersecurity does not come from issuing advisories alone. It comes from evidence of progress. In a world of scarce resources and fast-moving threats, only measurable outcomes, from local response to federal coordination, build trust. CISA has begun to prove its impact by pairing initiatives with clear measurement.
- Phishing-Resistant MFA at USDA: With CISA’s technical support, the Department of Agriculture rolled out phishing-resistant multifactor authentication across its workforce. Importantly, it tracked deployment rates, authentication success, and user feedback. Publishing this data created a model for others to emulate, showing that strong security could be scaled and adopted when measured transparently.
- Incident Response Lessons and Metrics: After a federal breach caused by a known software flaw, CISA's "lessons learned" advisory (AA25-266A) went beyond generic warnings. It provided timelines for patching, detection intervals, and assessments of response effectiveness. These details allow other agencies and companies to benchmark themselves against real-world incidents.
- Nationwide Cybersecurity Review (NCSR): Each year, thousands of state, local, tribal, and territorial governments participate in the NCSR self-assessment. The aggregated results provide a national snapshot of maturity and progress, while individual communities gain insights into their own strengths and weaknesses. The NCSR has become a quiet but powerful accountability tool, turning self-assessment into a roadmap for measurable improvement.
These examples illustrate a larger truth: U.S. cyber defense cannot rely on rhetoric. Citizens and companies must see tangible progress. By institutionalizing measurement and sharing outcomes, CISA builds credibility as a civilian partner and reinforces trust in the system.
Reaffirming the Founding Narrative
Every federal program attracts both advocates and critics. Once launched, programs evolve, and they can be difficult to redirect. Revisiting the founding conditions of CISA is essential. It was created to be a civilian-facing, collaborative organization that would strengthen the resilience of critical infrastructure, including federal systems and networks.
That need still holds. Success lies in embracing the strengths of a decentralized system: increasing resilience through a civilian agency partner that empowers state and local governments, while supporting national security and public safety objectives through collaboration, prioritization, technical skill, and capacity-building.
Conclusion
America’s cybersecurity future depends not on centralized control but on empowered collaboration. It requires connective tissue that links federal insight with local action, translates innovation into resilience, and sustains trust through consistency and transparency. By focusing on what it does best: convening stakeholders, setting priorities, and measuring outcomes, CISA can fulfill its role as the nation’s civilian cybersecurity agency.
National security and public safety are best protected when the federal government enables, rather than directs; when industry collaborates as a partner rather than a suspect; and when communities can see that progress is not just promised but proven. That is the civilian presence and role that America needs, and the role CISA must continue to play.
David Mussington
I. Introduction
Securing and sustaining the resilience of U.S. critical infrastructure depends on more than federal policy; it relies on layered risk management—across national frameworks, sector organizations, local jurisdictions, and individual assets. The Cybersecurity and Infrastructure Security Agency (CISA) and sixteen Sector Risk Management Agencies (SRMAs) historically provided coordination and strategy for cross-sector risk, but ongoing resource constraints have left operational capacity uneven and increasingly insufficient. This growing gap means that managed service providers (MSPs) and cloud service providers (CSPs) must now play a frontline role, not only in general cyber defense but in safeguarding the security and resilience of specific assets, localities, and sectors.
As adversary cyber-attack methods change, US defenses confront a more challenging opponent. It is no longer enough for risk management to be the preserve of federal leadership; practical defense and recovery begin at the asset and local level and must be reinforced by effective sectoral and cross-sectoral partnerships. The security of vital systems depends on a smooth and transparent system of shared information and consistent prioritization of vulnerabilities. This paper argues that resilience depends on the efficacy of public authorities’ oversight of a complex network of public and private sector critical infrastructure owners and stakeholders.
II. Background on the Evolved Framework for Infrastructure Risk
The traditional model placed CISA and SRMAs at the center, responsible for policy, broad situational awareness, and coordination of sector resilience efforts. Sector-specific regulations or frameworks were meant to guide local asset owners—whether power plant operators, water authorities, or hospital systems—in investing in defense and recovery planning.
Yet the technical, and increasingly the operational, capacity to monitor, respond, and remediate threats is rarely housed in federal or even state agencies. Instead, the practical burden has shifted outward. For key assets, MSPs and CSPs manage systems, patch vulnerabilities, and handle incident response. Across specific localities and key sectors, NGOs such as ISACs and ISAOs share threat intelligence and orchestrate community-based response. Federal agencies provide higher-level coordination, advisories, and standards, but are less directly involved in day-to-day protection unless a major national event unfolds.
Other federal actors like the Department of Defense (DoD) or law enforcement agencies play specialized, often after-the-fact roles—handling military networks or pursuing attribution. In practice, critical infrastructure security and resilience hinges on the combined capabilities of local operators, their chosen MSPs, CSPs, and sector- or community-level response organizations, all operating under a federal framework.
III. Reductions in Public Sector Capacity and Localized Impact
Persistent resource shortfalls at CISA and SRMAs have made federal agencies less able to support technical risk management at the operational edge. While they set standards and advise during large-scale incidents, they now seldom provide rapid hands-on detection or real-time response at the asset level.
In state and local jurisdictions, agencies frequently lack the resources or expertise to operate capable cybersecurity programs. SRMAs may issue policy recommendations or convene sector partners, but effective resilience depends on the presence and performance of the MSPs and CSPs retained by each operator. Local asset owners, if left unsupported, may not discover vulnerabilities or respond to incidents until adversaries have already acted.
In landmark incidents such as SolarWinds and Colonial Pipeline, federal agencies coordinated response and issued guidance, but practical recovery for affected assets and localities relied on rapid action (or lack thereof) by third-party service providers and the owners themselves.
IV. MSPs and CSPs: First Responders Across Assets, Sectors, and Localities
With shrinking public agency resources, MSPs and CSPs now form the operational backbone of asset, locality, and sector cyber defense. For the critical infrastructures at risk, private sector risk managers operate and maintain key systems – even when these systems are behind on patches or essential maintenance. The security of critical infrastructures and key resources is, as a result, continually at risk.
At the sectoral scale, leading CSPs offer customer-wide visibility across regions and industries, enabling pattern recognition and warning at speeds unmatched by government. Locally, MSPs maintain direct access to systems in schools, city governments, and utilities, and can patch, isolate, or restore compromised assets without waiting for a federal surge.
This model has real advantages but introduces new risks:
- Relying too heavily on a handful of large CSPs or MSPs can expose entire sectors or communities if these providers are compromised.
- Asset-level disparities emerge: facilities with modern services and vigilant maintenance fare well, while those with budget constraints or unsupported vendors may accumulate unmitigated risk.
- Situational awareness on risk may become fragmented: CISA, SRMAs, and sector NGOs rely on voluntary sharing from asset operators and their MSPs, reducing the government’s real-time situational awareness about national and cross-sector vulnerabilities.
V. Risk Management Implications for Local, Sectoral, and National Resilience
The evolving risk setting creates several significant challenges:
- Fragmented Resilience: Some assets and localities have high-caliber MSP/CSP support, while others—by choice or constraint—do not, leaving a patchwork of defenses both within and across sectors.
- Supply Chain and Cross-Sector Stress: Single vulnerabilities, such as flaws in a widely used software or CSP service, can traverse from one asset to many, rippling across entire sectors or geographies.
- Unclear Accountability: Incident reporting and recovery rely on contractual, not regulatory, relationships at the asset and local level.
- NGO Coordination May Prove Inadequate: ISACs and ISAOs must bridge information divides, amplify sector and asset lessons, and ensure east-west communication, as federal guidance and local needs rarely align without translation.
- Federal Oversight Gap: CISA and SRMAs sometimes learn of asset-level breaches from news reports or delayed sector notifications, which undermines collective risk posture.
VI. Rethinking Partnerships and Enabling Local Resilience
To better manage risk at the asset, locality, and sector levels, CISA and the SRMAs must provide legal and policy frameworks, funding incentives, and technical guidelines that empower local asset owners to contract high-quality MSP/CSP services, and set minimum expectations for those vendors.
- Mandatory protocols for incident response and technical risk identification should be instituted for critical infrastructures. Owner operators should be held accountable for coordinating with authorities whenever worsening risk conditions require it.
- ISACs and ISAOs must be better resourced and perhaps authorized to act as trusted intermediaries—generating, and selectively disseminating threat information to localities, sectors, providers, and public agencies.
- CISA must promulgate clear "hand-off" protocols and coordinated response procedures to ensure that local incident detection is rapidly communicated to sector partners and, when necessary, to federal (CISA or SRMA) authorities.
VII. Case Study: Log4Shell—Asset-Level Response Meets National Challenge
The December 2021 Log4Shell vulnerability highlighted the realities of defense and risk management in this ecosystem. The Apache Log4j vulnerability threatened widely divergent infrastructures – from electric grids to hospitals and waste water systems. Attackers weaponized the vulnerability rapidly, creating problems for poorly equipped jurisdictions.
Federal agencies moved fast to issue advisories, with CISA and SRMAs broadcasting alerts. Yet containment and patching happened mainly through CSPs and MSPs: providers flagged exposures, deployed virtual patches, and escalated asset-level vulnerabilities up to sector ISACs and ISAOs. Well-resourced utilities and hospitals, already partnered with top-tier MSPs and plugged into their sector’s ISAC, identified and remediated Log4Shell exposures in hours. Rural water authorities and small schools—many operating with minimal support—struggled, leaving critical services exposed for days or weeks.
NGOs played a vital role: ISACs interpreted national advisories, contextualized threat data for frontline staff, and connected isolated assets with advice and surge resources. In some cases, ISACs helped assemble technical “strike teams” from sector peers to backstop local operators who lacked MSP support. Still, uneven risk management at the asset level meant that resilience varied widely—not due to intent, but capacity and accessibility of response resources.
Log4Shell underscored not just the technical speed [and potential scope] of modern threats, but the importance of robust local and sectoral partnerships, timely intelligence flows, and federal coordination that reaches beyond advisories to real operational impact.
VIII. Conclusion
The security and resilience of U.S. critical infrastructure, whether a single water utility, a city government, or a sector-wide network, now depends on the effective integration of risk management at each of the following levels: asset, locality, sector, and nation. As MSPs and CSPs become more operationally central and responsive NGOs more important, federal policy and governance must keep pace by providing both frameworks and incentives to empower local infrastructure defense, raise sector-wide standards, and foster enhanced information sharing.
Progress toward better integrated critical infrastructure security and resilience can only be achieved through improved technical quality at the asset level, more material support for asset owners and critical infrastructures, and federal orchestration of national incident response. Federal efforts should seek to shape and support this multi-layered ecosystem of service providers and risk managers, reinforcing vulnerability management and risk identification, and ensuring that the connections between decision makers enable timely, context-informed decisions.
Reauthorizing CISA 2015: Securing the Future of Cyber Threat Intelligence Sharing
Introduction
The years 2013, 2014, and 2015 brought challenging days for those who worked in cybersecurity. Wave after wave of massive breaches saw the data of hundreds of millions of people stolen by cyber criminals. Names that have now faded into the background were headline-generating news at the time: Target, JP Morgan Chase, Home Depot. Later in 2014 and into 2015, we saw the rise of nation-state attacks, with the Sony Pictures hack by North Korea, then the Office of Personnel Management hack by China, and the Russian attack against the Ukrainian power grid. Threat intelligence and incident response teams were working overtime to identify threats and respond to constant incidents.
It was against this backdrop that the Cybersecurity Information Sharing Act of 2015 (CISA 2015) was enacted. At the time, some private sector entities, particularly those in regulated sectors, expressed concern about liability arising from the risk of disclosing information to the federal government. The Act's passage enabled private sector entities to share cyber threat indicators with the federal government and with each other in a way that otherwise did not exist, under a framework that provided legal protections and privacy safeguards.
The Act expires on September 30, 2025. Congress should reauthorize CISA 2015. Not for the obvious reasons – that it calms the anxieties of legal teams worried about information donation in the face of legal risk, or that it gives the Cybersecurity and Infrastructure Security Agency (CISA) insights from the private sector that it would not otherwise have and can then share with the federal government, critical infrastructures, and even the world at large. Those reasons should be enough to reauthorize CISA 2015.
The real reason to reauthorize CISA 2015 is what it will enable over the next 10 to 15 years. As the Cybersecurity and Infrastructure Security Agency matures into a more operationally capable agency that can hunt for threats across the Federal Civilian Executive Branch (FCEB) and generate its own first-party data, CISA will move from being a conduit for information provided by others into an era of information "giving," in which it generates its own information to share.
Information Sharing versus Information Dissemination
Nation-state actors, criminal syndicates, and opportunistic hackers exploit vulnerabilities across sectors, often using the same tactics, techniques, and procedures (TTPs) against multiple targets. Information sharing enables defenders to learn from each other’s experiences, identify patterns, and respond more effectively. It’s been the foundation of cybersecurity policy since Presidential Decision Directive 63 in 1998, and part of the ethos of the cybersecurity community. Those who have data exchange it with others to unite against a common threat and protect the largest number of customers possible. This data exchange also creates efficiencies across sectors.
CISA 2015 was designed to facilitate this sharing by creating a voluntary framework for sharing cyber threat indicators and defensive measures. It provides liability protections, antitrust exemptions, and safeguards against public disclosure, thereby reducing the legal and reputational risks that might otherwise deter companies from sharing sensitive information. As the Protecting America’s Cyber Networks Coalition emphasized in its May 2025 letter to Congress, “CISA 2015 helps defenders improve their security measures while raising costs for attackers.”[2]
Unfortunately, that sharing mindset conflicted with the mission the agency was given in 2018 when Congress established it, and the cognitive dissonance persists. When CISA was created as a legal entity in 2018, the Cybersecurity and Infrastructure Security Agency Act (CISA 2018) assigned it the responsibility of coordinating "a national effort to secure and protect against critical infrastructure risks," of integrating "relevant information, analysis, and vulnerability assessments" regardless of source, and of disseminating the resulting analysis across the government and with the private sector.[3]
That dissemination obligation meant that information given to the agency became information it had the authority to distribute. It also elevated CISA to a unique position in the federal cybersecurity landscape, making CISA both a broadcaster of threat intelligence to the private sector and a coordinator of cybersecurity efforts across the FCEB. When companies seek broad amplification or rapid dissemination for FCEB action, CISA can be a trusted partner for information dissemination and distribution. That’s when CISA is at its best, and its advisories amplify information about important and critical vulnerabilities for response teams.[4]
But it also meant that companies needed to think carefully about what to give CISA, and when to provide it. Data shared with CISA would be distributed across the FCEB, shared first with agencies in the intelligence community, and then assessed for impact and for whether it needed to reach trusted members of CISA's private sector community (the Joint Cyber Defense Collaborative), a broader audience (the critical infrastructure information sharing and analysis centers and organizations, ISACs and ISAOs), or the general public. This awareness brings a level of intentionality to any company's decision to give information to CISA.
Knowledge is Power – And Someone Else’s Knowledge is Someone Else’s Power
One of the great realities in DC and in cybersecurity is that knowledge is power. Generally speaking, CISA has not had a significant amount of first party data to share. But it doesn’t have to be that way in the future. Back in 2018, CISA was given the under-appreciated responsibility of securing Federal information and infrastructure.[5] This mission is difficult and challenging, given the stubborn independence of agencies, the variety of missions, and disparity of budgets across the FCEB.
Despite the passage of time, the need for this responsibility remains acute. Cyberattacks have grown more sophisticated since 2018, and the Federal government is a frequent target. SolarWinds, the Hafnium Exchange campaign, the Log4j attacks, the MOVEit compromise in 2023, and more recently the Microsoft SharePoint ToolShell vulnerability used, according to press reports, to compromise the National Nuclear Security Administration[6] are just a few of the better-known examples. CISA needs more fulsome hunting capabilities to find attack activity sooner, in order to limit impact. This can't be left to the Departments alone. CISA has to be equipped to be the nation's threat hunting team, and it has to use its dissemination mandate to share what it's seeing.
As an example, CISA continues to operate EINSTEIN 1, a netflow collection capability deployed across the FCEB to "monitor the flow of network traffic transiting between FCEB agencies and the internet."[7] Netflow records carry no payload, but they can help responders detect anomalies, identify affected systems, trace the path of an attack, and provide historical data to search for indicators of compromise (IOCs). It's not a complete story, but it can be useful. In the aggregate, it could also be used to tell stories over time: CISA observed X classes of anomalies, or Y types of IOCs, over a given period, and could share reports built on that data via its dissemination channels, through JCDC, to critical infrastructures, or with the public.
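As an added illustration of what the cross-agency view described here (and in the FCEB monitoring discussion earlier in this collection) makes possible, the following Python sketch runs two of the netflow uses named above over constructed flow records: a historical IOC search, and a detection that an external host is quietly beaconing from one internal system at each of several agencies. This is not CISA's or EINSTEIN's code and does not use EINSTEIN's record format; the flow records, the IOC range (an RFC 5737 documentation block), and the assumption that 10.0.0.0/8 is the agencies' internal space are all constructed for the example.

```python
"""Cross-agency netflow correlation (added example; constructed data).

Two analyses over a pooled set of per-agency flow records:
  1. match_iocs: retrospective search for flows touching an IOC address range.
  2. cross_agency_beacons: external hosts that several agencies each contact
     with small, repeated flows - weak in any one agency's data, obvious in the pool.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, NamedTuple, Set


class Flow(NamedTuple):
    agency: str   # which agency exported the record
    ts: int       # epoch seconds (first packet)
    src: str
    dst: str
    dport: int
    bytes: int    # bytes client -> server


# Assumption for this example: agencies' internal address space is 10.0.0.0/8.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed IOC list (RFC 5737 TEST-NET-1), standing in for a shared indicator feed.
IOC_NETS = [ip_network("192.0.2.0/24")]

# Constructed sample: three agencies' exports. 203.0.113.7 receives one small,
# hourly-ish connection from a single host at each agency; 198.51.100.20 is a
# bulk download; 192.0.2.44 falls inside the IOC range.
SAMPLE_FLOWS: List[Flow] = [
    Flow("agencyA", 1700000000, "10.1.0.5", "203.0.113.7", 443, 900),
    Flow("agencyA", 1700003600, "10.1.0.5", "203.0.113.7", 443, 910),
    Flow("agencyA", 1700000100, "10.1.0.9", "198.51.100.20", 443, 52000),
    Flow("agencyB", 1700000500, "10.2.0.8", "203.0.113.7", 443, 880),
    Flow("agencyB", 1700004100, "10.2.0.8", "203.0.113.7", 443, 895),
    Flow("agencyC", 1700001000, "10.3.0.2", "203.0.113.7", 443, 905),
    Flow("agencyC", 1700001200, "10.3.0.2", "192.0.2.44", 22, 4000),
]


def is_internal(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def external_side(flow: Flow) -> str:
    """Return whichever endpoint is outside the internal space."""
    return flow.dst if is_internal(flow.src) else flow.src


def match_iocs(flows: Iterable[Flow], ioc_nets=IOC_NETS) -> List[Flow]:
    """Historical IOC search: every flow whose external endpoint is in an IOC range."""
    hits = []
    for f in flows:
        ext = ip_address(external_side(f))
        if any(ext in net for net in ioc_nets):
            hits.append(f)
    return hits


def cross_agency_beacons(flows: Iterable[Flow], min_agencies: int = 2,
                         max_bytes: int = 2000) -> Dict[str, Set[str]]:
    """External hosts contacted with small outbound flows from >= min_agencies agencies.

    The byte cap filters out ordinary bulk traffic; the agency threshold is the
    cross-agency signal - the same check run on one agency's data alone returns {}.
    """
    agencies_by_dst: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst) and f.bytes <= max_bytes:
            agencies_by_dst[f.dst].add(f.agency)
    return {dst: ag for dst, ag in agencies_by_dst.items() if len(ag) >= min_agencies}


if __name__ == "__main__":
    for f in match_iocs(SAMPLE_FLOWS):
        print(f"IOC hit: {f.agency} {f.src} -> {f.dst}:{f.dport}")
    for dst, agencies in cross_agency_beacons(SAMPLE_FLOWS).items():
        print(f"cross-agency beacon candidate {dst}: {sorted(agencies)}")
    only_a = [f for f in SAMPLE_FLOWS if f.agency == "agencyA"]
    print("agencyA alone sees:", cross_agency_beacons(only_a))
```

Run stand-alone, the script reports the single IOC hit at agency C and flags 203.0.113.7 as a beacon candidate seen from all three agencies, while the same check restricted to agency A's own records returns nothing: that last line is the point of the passage, that the cross-agency pool exposes activity a local tool has no basis to flag. A production version would add the timing regularity of each host's connections and an allow-list of known CDNs before anything reached an analyst.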
Agencies like the FBI and NSA have long held an advantage in the intelligence sharing ecosystem because they generate their own data. They are not merely consumers of threat intelligence, they are producers, with something to “share” to “partners.” This reciprocity fosters deeper partnerships and more robust exchanges. But if CISA were to engage more deeply with its authority from CISA 2018 and begin to hunt for nation state activity across the FCEB, it would have over 100 agencies and bodies, hundreds of thousands of persons, and likely millions of devices and service accounts from which it could draw data about threats and anomalies.[8]
CISA would have the ability to analyze this data over time, and the stories it would tell would be powerful. It would show the emergence of new attacks, new indicators of compromise, new zero-day vulnerabilities, new tactics, techniques, and procedures (TTPs) attempted by attackers, and those could be shared – actually shared – with companies whose products or services were involved in the events or incidents. The reports generated would be game changing, because CISA’s data and insights would set a true baseline on a massive scale, and potentially serve as early warnings of broader attack activity to come. The headlines would write themselves.
This is where CISA needs to be: an equal partner, sharing first-party data it has collected with big tech, the NSA, and the FBI as a peer. Only then will it be able to achieve the dissemination and security missions established for it by Congress.
The Path Forward: A New Era of Information Sharing
Of course, allowing CISA 2015 to lapse would not simply freeze progress, it would reverse it. Companies that are anxious about sharing with government know that CISA 2015 provides legal protections. Lawyers have been using CISA 2015 references and definitions in private sector information sharing agreements across the industry. Removing CISA 2015 would upend the stability of those private sector exchanges and the protections afforded by CISA 2015.
More importantly, retraction of these authorities would undermine the future of CISA’s most promising mission: hunting for threats across the FCEB and sharing its findings with its partner ecosystem. This capability, still in its early stages, could be a transformative shift in how the federal government defends its networks. The current model of decentralized detection, where each agency is responsible for monitoring its own networks, has serious limitations. It creates data silos, slows response times, and makes it difficult to identify coordinated attacks that span multiple agencies. Threat actors exploit this reality time and time again, despite agency obligations to notify CISA.
CISA's centralized hunting capability offers a solution. By aggregating telemetry from across the FCEB, the agency can detect patterns that no single agency could see on its own. It can identify common indicators of compromise, correlate seemingly unrelated events, and issue alerts that benefit the entire FCEB ecosystem. Then, using its CISA 2018 authorities, it can disseminate information to responders to help protect against what it finds. This builds an actual sharing ecosystem, one in which parties exchange information, rather than one side supplying data and the other side merely disseminating it.
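To make concrete what centralized correlation adds over per-agency monitoring, the following is an added illustration (not code from the essay or from any CISA system) that runs over constructed, synthetic netflow-style records from four hypothetical agencies. It shows the two uses of flow data discussed above: a historical IOC search against a known-bad list, and a cross-agency correlation that surfaces an external endpoint which is rare within each agency but shared across several of them, something no single agency's view would flag. The record layout, the thresholds, the agency names, the IOC list and every address (all drawn from RFC 5737 documentation ranges) are assumptions for the example.

```python
"""Cross-agency netflow correlation: added illustration with constructed data.

Each Flow is one summarized connection (agency, timestamp, source, destination,
port, bytes), the kind of record EINSTEIN-style flow collection produces. Flow
data has no payload, so every check here is on network-level indicators only.
All agencies, addresses, thresholds and IOCs are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    agency: str
    ts: datetime
    src_ip: str
    dst_ip: str
    dst_port: int
    nbytes: int


T0 = datetime(2025, 7, 20, 2, 0, 0)  # arbitrary start of the observation window


def _mk(agency, minute, src, dst, port, nbytes):
    return Flow(agency, T0 + timedelta(minutes=minute), src, dst, port, nbytes)


def _build_flows():
    """Constructed sample: routine web traffic per agency, plus a low-volume
    connection from one host in agencies A, B and C to the same external
    endpoint, and one connection from agency D to a known-bad address."""
    flows = []
    cdn = ["198.51.100.10", "198.51.100.11"]  # hypothetical CDN / SaaS endpoints
    for i, agency in enumerate("ABCD"):
        for m in range(12):  # many flows to each routine destination
            flows.append(_mk(agency, i * 30 + m, f"10.{i + 1}.0.{m % 4 + 1}",
                             cdn[m % 2], 443, 50_000 + 1_000 * m))
    flows.append(_mk("A", 2, "10.1.0.7", "203.0.113.77", 8443, 900))
    flows.append(_mk("B", 36, "10.2.0.9", "203.0.113.77", 8443, 1_100))
    flows.append(_mk("C", 71, "10.3.0.4", "203.0.113.77", 8443, 850))
    flows.append(_mk("D", 100, "10.4.0.2", "192.0.2.200", 443, 4_000))
    return flows


FLOWS = _build_flows()
IOC_IPS = {"192.0.2.200"}  # hypothetical shared IOC list (known-bad addresses)


def ioc_hits(flows, ioc_ips):
    """Historical IOC search: flows whose destination is already a known indicator."""
    return [f for f in flows if f.dst_ip in ioc_ips]


def per_agency_rare_destinations(flows, max_flows=2):
    """The single-agency view: external (dst_ip, port) pairs an agency contacted
    at most `max_flows` times. Every agency has such tails; alone they are noise."""
    counts = defaultdict(int)
    for f in flows:
        counts[(f.agency, f.dst_ip, f.dst_port)] += 1
    rare = defaultdict(set)
    for (agency, dst, port), n in counts.items():
        if n <= max_flows:
            rare[agency].add((dst, port))
    return rare


def cross_agency_destinations(flows, min_agencies=3, max_flows_per_agency=2):
    """The aggregated view: destinations rare inside each agency yet shared by at
    least `min_agencies` agencies. Returns {(dst_ip, port): sorted agency list}."""
    rare = per_agency_rare_destinations(flows, max_flows_per_agency)
    agencies_by_dest = defaultdict(set)
    for agency, dests in rare.items():
        for dest in dests:
            agencies_by_dest[dest].add(agency)
    return {d: sorted(a) for d, a in agencies_by_dest.items() if len(a) >= min_agencies}


def affected_hosts(flows, dst_ip, dst_port):
    """Identify affected systems: internal sources per agency that reached the endpoint."""
    hosts = defaultdict(set)
    for f in flows:
        if f.dst_ip == dst_ip and f.dst_port == dst_port:
            hosts[f.agency].add(f.src_ip)
    return {a: sorted(h) for a, h in hosts.items()}


def correlation_report(flows, ioc_ips):
    """Dissemination-ready summary of newly correlated endpoints: agencies and
    hosts involved, observation window, and whether the endpoint was already known."""
    findings = {}
    for (dst, port), agencies in cross_agency_destinations(flows).items():
        matching = [f for f in flows if f.dst_ip == dst and f.dst_port == port]
        findings[f"{dst}:{port}"] = {
            "agencies": agencies,
            "hosts": affected_hosts(flows, dst, port),
            "first_seen": min(f.ts for f in matching).isoformat(),
            "last_seen": max(f.ts for f in matching).isoformat(),
            "known_ioc": dst in ioc_ips,
        }
    return findings


if __name__ == "__main__":
    print("known-IOC hits:", [(f.agency, f.src_ip, f.dst_ip) for f in ioc_hits(FLOWS, IOC_IPS)])
    print("per-agency rare destinations:", dict(per_agency_rare_destinations(FLOWS)))
    print("cross-agency correlated endpoints:", correlation_report(FLOWS, IOC_IPS))
```

Run stand-alone, the IOC search finds only agency D's contact with the listed address, while every agency's own rare-destination list contains exactly one entry and gives no reason for alarm. Only the aggregated view shows that 203.0.113.77:8443 was reached from three agencies inside seventy minutes, which is the kind of finding that can then be promoted to the shared IOC list and disseminated back to all agencies. The thresholds (two flows per agency, three agencies) are illustrative; in practice they would be tuned against baseline data and combined with allow-lists for shared government services that legitimately appear across agencies.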
But this model only works if CISA has the legal authority, technical infrastructure, and stakeholder trust to operate at scale. CISA is on the cusp of becoming something it has never been before: a producer of first-party threat intelligence, a hunter across the federal enterprise, and a peer in the global cybersecurity community. Reauthorizing CISA 2015 is the key to unlocking that potential.
Lessons Learned from Lessons Learned: The Cyber Safety Review Board Can’t Be Voluntary
Rob Knake
Along with almost all other advisory boards at the Department of Homeland Security, the Trump Administration moved quickly to disband the Cyber Safety Review Board (CSRB) in the name of cost savings and government efficiency. Yet the CSRB may not be so much dead as dormant. The Trump Administration has not rescinded EO 14028, which created the board, and after the next major cyber incident it will face pressure to stand the board back up under existing authorities. Many have already called for the board to be reinstated. When that happens, the difficulty of operating an investigative board on a voluntary basis will become all too apparent to the current administration.
Don't get me wrong here, the CSRB did some incredible work. I was proud to be part of its stand-up and to have made some small contributions representing the Office of the National Cyber Director in some of its proceedings. The three reports the CSRB completed all provide valuable lessons learned for cybersecurity operators as well as insights for policymakers and lawmakers. Yet at a meta-level, the lesson learned from this body of work is that relying on voluntary efforts by board members and voluntary cooperation by companies does not scale to meet the challenge.
For the CSRB to meet its mandate, three things need to change. First, the board needs to be trimmed and granted unequivocal authority to investigate significant cyber incidents; second, the investigative staff needs to be professionalized and staffed sufficiently to carry out multiple investigations at any given time; and, finally, the board must operate independently without the oversight of Federal agencies whose actions are under review.
Investigative Authority
After side-stepping the mandate to investigate SolarWinds, the CSRB’s first two reports investigated an open-source vulnerability (log4j) and the actions of a threat group (Lapsus$). Because of their subjects, neither delivered the hard-hitting findings or criticisms of corporate cybersecurity practices or security tool failures that this industry so badly needs. Yet when the CSRB, in its third and final report, picked an incident that was not an ecosystem problem but the failing of a single company, it inadvertently showed why relying on good faith participation is likely to fail in the future.
The Review of the Summer 2023 Microsoft Exchange Online Intrusion is the best example of an after action review in the public domain. It pulls no punches and solidly lands a combination that would have knocked out most other companies. In all candor, even a large cybersecurity vendor might not have survived such a brutal flurry.
While the report praises Microsoft’s cooperation, finding that “Microsoft fully cooperated with the board,” it goes on to offer a scathing indictment of Microsoft’s security practices. “The Board finds that this intrusion was preventable and should never have occurred.” Ouch. “The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul.” Double ouch.
The success of the report likely killed off the prospect of the CSRB ever again gaining the kind of cooperation Microsoft provided, at least absent compulsion. No doubt, at least in the short term, cooperating with the CSRB's investigation harmed shareholder value. Any sensible CEO will conclude that refusing to cooperate, lawyering up, and controlling the narrative is the right course of action when asked nicely to engage in a voluntary process. That outcome is of course not in the national security interest.
Luckily, we have a model for how to encourage the kind of cooperation Microsoft provided in the National Transportation Safety Board (NTSB). Somewhat counterintuitively, it starts with clear authority to investigate, compel testimony, and require the turnover of evidence.
The NTSB’s authorizing legislation gives it unambiguous authority to investigate transportation incidents including the authority to force the turnover of information and data it deems relevant. With the authority to compel the sharing of evidence of failure, most companies choose to become “parties” to the investigation, engaging in a cooperative process with the NTSB to share not only evidence but also expertise all in the interest of promoting aviation safety.
In contrast, strengthening the authorities of the CSRB is viewed in the cyber community as a last resort rather than the basis for engendering cooperation. The legislative proposal released by the Biden Administration in 2023 positions subpoena authority as a tool that could only be used when all else failed and created a high bar for its use. In the draft legislation, only when the chair deems the response to a voluntary request insufficient can the chair move to use the subpoena authority. Even then, a subpoena would only be issued when two-thirds of board members approve it. As Congress considers granting authority to investigate to the CSRB, that authority must be unambiguous as it is for the NTSB.
Professional Staff: Scaling to Meet the Challenge
Under the part-time and voluntary service model, the CSRB's investigations have been far too constrained. The current setup means that the investigation of cyber incidents is not anyone's day job. Since the CSRB was stood up, we have had many significant incidents that should have been investigated, including Colonial Pipeline, Kaseya, MOVEit, the CrowdStrike outage, and this summer's Microsoft SharePoint attacks, to name a few. None were investigated, but all merited investigation by the CSRB, as did a sampling of the 3,000+ reported incidents within the health care sector since May of 2021.
Instead of relying on part-time experts, the CSRB should be staffed by trained investigators whose one and only job is to investigate cyber incidents and produce lessons learned reports. These professional staff members should be paid, and paid well, in line with market rates for experienced incident responders and likely well above even CISA's cyber pay levels. In modeling legislation, Congress should look to the authorities granted to the Department of Veterans Affairs to hire doctors at market rates and provide additional incentives for hiring.
The staff should have the authority to contract out specific tasks such as malware analysis or specialized forensic activities but the generation of findings and the production of reports should be entirely the work of the professional staff. These employees should fall under the strictest of ethics obligations and should be prohibited from holding investments in cybersecurity or related fields.
Board Independence
While in its first incarnation, most of the work of the CSRB was conducted by board members, a professional staff will obviate the need for board members to carry out investigations. Instead, board members can provide oversight for the professional staff as well as invaluable context and connections in investigations.
Board members should continue to serve as special government employees on a part-time basis though the role of chair should be considered for a full-time role. While the CSRB did an exemplary job of managing conflicts of interest, future board members should be drawn from the large pool of “formers” that have served at large technology companies, cybersecurity firms, and in government rather than current executives.
Federal agency representation is more problematic than current employment at private cybersecurity companies. As conceived in EO 14028, CSRB membership is to include representatives of relevant Federal agencies as well as representatives of cybersecurity firms and software providers. While I have deep respect for each and every person who served on the CSRB and do not question their integrity or professionalism, it makes little sense to have representatives of the agencies that failed to prevent an incident, or were involved in the response to it, sit as members of the board. In the case of the Microsoft incident, representatives from Microsoft and its competitors such as Google recused themselves. Representatives from CISA, the FBI, and NSA did not. The report provides little criticism of these organizations. It is reasonable to ask why CISA was unable to detect that its own systems were compromised when even the State Department was able to do so. It is also reasonable to ask why the NSA apparently failed to pick up on this activity, attributed to a nation-state group under active scrutiny, or failed to share that information if it did. Yet these issues were not examined in the report. It may be that they did not deserve examination, but a setup in which the Secretary of Homeland Security would need to sanction criticism of their own department, or of peer agencies they must work with every day, makes little sense. There is a reason the NTSB is not part of the Department of Transportation, let alone the FAA, and that its reports are not subject to the approval of any Federal official other than the NTSB chair.
[1] Section 702 of the Foreign Intelligence Surveillance Act permits the U.S. government to collect communications (emails, texts, phone calls) of non-Americans located outside the U.S. without an individual warrant.
[2] Coalition Letter Supporting Reauthorization of the Cybersecurity Information Sharing Act of 2015 (CISA 2015) | U.S. Chamber of Commerce
[3] PUBL278.PS, Cybersecurity and Infrastructure Security Agency Act (CISA 2018) Sec. 2202.
[4] Cybersecurity Alerts & Advisories | CISA
[5] PUBL278.PS, Cybersecurity and Infrastructure Security Agency Act (CISA 2018) Sec. 2202(c)(3).
[6] US nuclear weapons agency hacked in Microsoft SharePoint attacks
