2019 CISA Cybersecurity Summit – Themes and Impressions

Published: October 17, 2019


Top federal cybersecurity leaders from the Department of Homeland Security, the White House and others discussed key cyber challenges and efforts.

In anticipation of National Cybersecurity Awareness Month, the Cybersecurity and Infrastructure Security Agency held its second annual CISA Cyber Summit late last month.

Themed “Defend Today, Secure Tomorrow,” the multi-day event featured keynotes and panels by high-profile government and industry professionals focusing on current cybersecurity challenges, efforts and plans across the agency, the federal landscape and beyond. While the multi-track event covered wide-ranging topics from election security to 5G technologies, a few key themes stood out to me.

From Proliferation to Optimization – The number and types of cybersecurity tools have grown massively in the last decade, and agencies have adopted many of them in an attempt to make strides in their security posture. In the cybersecurity domain it seems that every agency is building the same cyber-defenses, while in other sectors, like physical security, the federal government has taken a more holistic approach by collaborating and leveraging its collective resources. A panel moderated by former White House Cybersecurity Coordinator Michael Daniel concluded that the cyber industry is entering its first phase of rationalization, as the evolution of cyber-capacities is forcing agencies to step back and evaluate what they have in place so they can decide how best to move forward. Optimizing cyber-capabilities is the next step for agencies in maturing their cybersecurity postures.

Maturation and Modernization – In describing current federal cybersecurity priorities, CISA Assistant Director Jeanette Manfra emphasized operationalizing risk management (RM), re-architecting federal systems and moderation, and identifying what systems, functions and processes to centralize. Donna Dodson, Chief Cybersecurity Advisor at the National Institute of Standards and Technology (NIST), said some of their highest priorities include increasing automation, securing the Internet of Things (IoT), improving identity management, and improving the security of software.

Shore up Supply Chain Security – CISA Director Christopher Krebs highlighted the White House’s May Executive Order on Securing the Information and Communications Technology and Services Supply Chain in his opening remarks, and the theme was picked up by multiple panels throughout the event. Members of the Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force noted their work on making key acquisition recommendations, establishing which criteria are useful to identify threats to/from suppliers, products, services, etc., as well as identifying appropriate and effective SC threat information sharing processes. On a panel addressing improved cybersecurity of industrial control systems, CISA’s Manfra took the SC issue beyond technical aspects, arguing that suppliers need to know the 2nd and 3rd level of their supply chain, not just technical elements, but business ownership.

There were other important topics interspersed throughout the many panels, including data security and leveraging analytics, cloud security, and dealing with emerging technologies, but discussing those will have to wait for another day.

Overall, the CISA event left a mix of impressions – from concern over the challenges that lie ahead and the risks at stake to an appreciation for how far agencies have come and the collaborations that are underway.