The United States government now has an official cybersecurity agency with the creation of the Cybersecurity and Infrastructure Security Agency (CISA). The bill that Trump signed into law on November 16th, 2018 changes the National Protection and Programs Directorate (NPPD) into a standalone agency, moving it out from under the Department of Homeland Security (DHS). The bottom line of this change is supposed to be a larger budget for the agency and more authority to help in enforcing the requirements it will continue to impose.
However, some fringe benefits are expected with the move as well. Members of the organization believe the new-found independence will help increase operational efficiency, assist in engagement with industry stakeholders, and improve their ability to recruit top cybersecurity talent. The additional budget and streamlined decision-making process alone make this seem like a good move for our national cybersecurity program in general, but unfortunately, as an outsider looking in, the change seems incredibly superficial and unlikely to help meet those other stated goals.
The government desperately needs help recruiting top industry talent. And while this is not a new issue, it is one that the United States Government has historically struggled with. Many believe the difficulties in hiring and recruiting stem from the talent shortage in the security industry right now, which has led to extreme competition among employers looking to hire these security professionals. The United States government is not well-equipped to win these hiring battles, primarily due to its inability to match the salaries and bonus structures being offered in the private sector. Additionally, the lack of performance-based rewards and related career advancement makes it a poor fit for “star” performers. If the creation of CISA allows some of these challenges to be met, then it may indeed have a profound impact on the national cybersecurity workforce.
Another interesting result of this move could be the increased focus on government-regulated security for certain industries. With an increased budget or greater autonomy, could this move better position the United States to take a more hands-on approach when it comes to levying security standards onto economic sectors?
The government has already started this process with government contractors when it rolled out cybersecurity requirements as a part of DFARS Clause 252.204-7012, which requires that government contractors meet all of NIST 800-171’s security controls. With these new requirements being rolled out, however, no one has figured out how they are going to be enforced. This has led to slow adoption and a general lack of urgency in compliance, as there has been no indication that there will be any negative consequences for those contractors who are non-compliant. There’s a possibility that an increase in budget will help move programs like this forward and allow them to spread to other industries, such as the Payment Card Industry (PCI) and national utilities (electric, water, etc.).
Ultimately, only time will tell if this move makes any major differences in how our nation’s cybersecurity program operates. Most of the time, these changes are merely on-paper marketing fodder with no real differences in day-to-day operations or strategic goals. And while the move sounds great in theory, a healthy helping of skepticism should probably temper your excitement.