What is CISA?

The Cybersecurity and Infrastructure Security Agency (CISA) was formerly the National Protection and Programs Directorate (NPPD). This new name for the DHS department better reflects its core function. Just as the National Security Agency (NSA) is tasked with protecting the .mil domains of the U.S. military, it’s the job of DHS (and more specifically CISA) to protect the .gov space of the civilian government. CISA’s name and mission both reflect its core mandate: to protect U.S. critical infrastructure, especially against attacks performed via cyberspace.

The role of CISA in government

The job of CISA is to protect the government from being hacked. More specifically, this involves acting a lot like a third-party cybersecurity services provider to other government departments. CISA’s role includes:

- Providing cybersecurity tools
- Incident assessment and response
- Coordinating public/private sector partnerships for security and resilience
- Technical assistance and assessments
- Supporting emergency and natural disaster responders
- Risk assessment for critical infrastructure

With this list of capabilities, it appears likely that CISA will continue to fill a consulting or advisory role for other government departments instead of a controlling one. Other departments will likely have to decide (or be ordered) to enlist CISA’s help when preparing to deal with potential threats.

Potential impacts of CISA

As a whole, CISA seems to be designed to provide U.S. government departments with the tools and aid that they need to protect themselves. With the agency only a few months old, it’s difficult to predict what they will do; however, some potential impacts stand out, based on their mandate and mission statement.

Increased regulation and standardization

Increasingly stringent regulations have been in vogue lately, with the creation of the EU’s General Data Privacy Regulation (GDPR) and the many other privacy regulations that have followed it. While the United States does not currently have a national privacy regulation other than industry-specific ones like HIPAA, many states have adopted data privacy regulations. The creation of a national privacy standard (possibly mandatory for .gov) might be one of the impacts of CISA.

However, CISA is more likely to produce additional industry-specific standards. A large part of their mandate is protecting critical infrastructure, which includes Industrial Internet of Things (IIoT) devices. The Internet of Things (IoT) is notorious for its poor security, and, since the same devices are used for both personal and business purposes, new regulations and standards for devices to be sold to the government are likely to produce improvements in the security of devices available to the average consumer.

Improvements to SCADA/ICS security

SCADA and ICS security is one of the main focus areas of CISA, as demonstrated by their choice of name and mission statement. The nation’s critical infrastructure is known to be in need of a cybersecurity upgrade, since many systems are connected to the Internet but were never designed to be. Critical infrastructure also makes use of IoT devices, which are known for their poor security.

One example that underscores the need for improvements to critical infrastructure cybersecurity is the recent DDoS attack against the power sector. While this attack did not cause a loss of power in any of the target systems, it did have an impact on other areas of the system. DDoS mitigation technology is readily available, so this type of attack should not have been possible against a properly secured system.

CISA has already demonstrated that they intend to make a serious effort toward improving the security of critical infrastructure. They have released a list of National Critical Functions, detailing the functions of the public and private sector that are necessary for national security and health and safety. This list is intended to be a starting point for a risk assessment of critical infrastructure that can be used to focus the agency’s efforts to improve the security of the nation’s critical assets.

Cybersecurity tool availability

Based on CISA’s role description and recent governmental activity, it’s likely that one of the impacts of the creation of CISA will be increased availability of cybersecurity tools to government departments and, possibly, the private sector. The NSA recently released Ghidra, a reverse-engineering tool developed in-house to rival IDA Pro. This tool is extremely powerful, and there has been a lot of discussion in the industry about its functionality and usage since the release. CISA’s mission includes making cybersecurity tools available to government agencies, and the public release of Ghidra by the NSA (as well as other releases) may indicate a move by the government toward protecting the public sector by improving the security of the private sector. If this is the case, it seems possible that CISA will sponsor the development and release of cybersecurity tools, especially in their focus areas like critical infrastructure.

The future of CISA

The Department of Homeland Security is well known for reshuffling and renaming its departments on a regular basis. As a result, it’s difficult to predict whether the repackaging of the NPPD as CISA will have a significant impact on how the department operates and its mission statement. However, CISA has already taken some significant strides toward fulfilling their new mission statement. The creation of the list of National Critical Functions is an important first step in generating a risk assessment for critical infrastructure, which would allow them to focus their energies on the components of the national critical infrastructure where they would be most effective. Demonstrating actual action toward achieving organizational objectives within a few months of a major restructuring is a pretty good start, especially for a government department.

