In response to my post yesterday about the upcoming meeting of the CISA Cybersecurity Advisory Committee (CSAC), Vytautas Butrimas left the following comment on LinkedIn:
“Reading one of the bullets – ‘Protecting Critical Infrastructure from Misinformation and Disinformation Subcommittee’ - one may wonder what their definition of critical infrastructure is. Any room for safety and process control issues or will the focus be on email, websites and social media?”
The short answer to that question is that the target of this Subcommittee looks to be information system misinformation. I say this based upon the report from the first meeting of the CSAC. The page 3 discussion about this Subcommittee reads thus:
“On the topic of Protecting Critical Infrastructure from Misinformation & Disinformation, Dr. Kate Starbird, University of Washington, noted that the level of disinformation being spread across information systems has been increasing dramatically in recent years. She noted that it was used in 2020 to undermine the U.S. election system and that it has also made it difficult for Governments to address crisis events like the COVID-19 pandemic. She said that the solution to addressing this is to teach people to care about whether what they're sharing is true or false. Mr. Chesney noted that it might be very difficult to get people to unlearn bad behavior like that as, after a while, it becomes an entrenched cognitive bias. He suggested that working with the various social media platforms to address the problem might be the best approach. Mr. Stamos and Ms. Allison noted that Government agencies are very bad at using their authority and platforms to push back against disinformation. Ms. Allison suggested that CISA create a playbook for agencies to use in responding to the spread of disinformation.”
Truthfully, none of the subcommittees would seem to be specifically directed at operational technology cybersecurity issues. The closest we get is the Building Resilience and Reducing Systemic Risk to Critical Infrastructure Subcommittee. The summary of the discussion about that Subcommittee area gives us this statement:
“Mr. Fanning stated that one of the biggest impediments to industry and Government working together to address systemic risk is identifying the truly critical elements in critical infrastructure. He said CISA can help develop solutions, but that industry will need to take the lead in working with the Government to address the problem. Mr. Fanning noted that there are a number of models that CISA and industry could build on, such as the Analysis and Resilience Center for Systemic Risk developed by the Finance and Energy sectors. He closed by stating that, because industry controls the vast majority of critical infrastructure in the United States, the end goal should be for the Government to provide industry the tools to defend themselves.”
While the overall statement is ambiguous as to the scope of coverage of control system security issues, the final sentence is a good reminder that we are unlikely to see much in the way of specific help on OT security issues.
Having said that, it is early in the life of the CSAC and perhaps we can still influence the direction they will take as they move forward. The best way to do that would be to actively participate in the considerations of the Committee. The easiest way to do this would be to begin sending proposals for the Subcommittees to consider, targeting the reducing systemic risk subcommittee. I will start that process by proposing two activities to be considered.
Proposing the formal establishment of the NCCIC-ICS as the office within CISA that is responsible for receiving, coordinating and publishing reports of control system vulnerabilities.
Proposing that the subcommittee start work on developing the regulatory structure for setting up the recently passed cyber incident reporting requirement.
I’ll have more discussion about these two potential ideas in future posts.