The Cybersecurity and Infrastructure Security Agency (CISA) has committed to spending the next three years measuring the success of the government’s effort to protect both publicly and privately controlled critical infrastructure from cyberattacks.
CISA executive assistant director for cybersecurity Eric Goldstein told the Homeland Security Committee in the U.S. House of Representatives that precisely what the agency intends to measure will be shared next month.
Cybersecurity professionals, of course, have been trying to quantify the success of their efforts for decades with little to no success so there will undoubtedly be lots of interest in the CISA approach to one of the most vexing challenges in all of cybersecurity. As most cybersecurity professionals are all too aware, proving the value of cybersecurity is a challenge. Investments in cybersecurity are deemed worthwhile in the absence of a breach. In the event of a breach, however, the value of those investments is questioned no matter how many attacks have been thwarted.
Exactly how CISA plans to collect the data that would be required is also something of a mystery. Most of the critical infrastructure CISA is chartered to help protect is managed via public-private partnerships that are not always anxious to share information with perceived outsiders that might be obligated to publicly share that data.
In fact, the level of cybersecurity transparency that should be required is now a subject of an increasingly heated debate in Congress. Rep. Jim Langevin, D-R.I., has attached to the National Defense Authorization Act for 2023 a proposed 554 amendment that would require the Department of Homeland Security (DHS) to designate certain components of critical infrastructure as systemically important entities (SIEs). As such, operators of this infrastructure would be required to meet specific cybersecurity standards. The U.S. Chamber of Commerce along with 17 other industry associations sent a letter to Senate leaders opposing the amendment. Specifically, the letter claims the amendment would transform the relationship between CISA and operators of critical infrastructure from being a partnership to one where CISA is empowered to impose additional cybersecurity requirements on industry.
Regardless of the degree of oversight that CISA might be able to provide the devil is always going to be in the details measured. The simple truth is it may not be possible to measure the effectiveness of cybersecurity. In addition, there clearly needs to be more concern over how data might be shared with a federal agency that is required to make reports to Congress that are likely to be closely read by malicious actors around the world that have already shown a keen interest in compromising critical infrastructure. In all probability, whatever compromise is struck is not likely to satisfy anyone. The requirements agreed upon will not likely be stringent enough to be meaningful. All that might be accomplished is a lot of data that would otherwise be kept hidden is now being shared more widely.
As Ronald Reagan once note the most dangerous words in the English language are “I’m from the government and I’m here to help.” It’s not that government agencies intend to cause more harm than good, but the nature of the way federal agencies operate doesn’t always lead to the most optimal cybersecurity outcome possible.