CISA plans to strengthen corporate cybersecurity

— With help from Maggie Miller

—CISA kicks off the year with a focus on strengthening cybersecurity at the enterprise level. The head of the agency speaks to the MC.

Happy Monday and welcome to Morning Cybersecurity! Between the Sixers, the Phillies and the Eagles, the City of Brotherly Love is having a good time.

… This should infuriate me as a New Yorker. But between my editor (who is from Philadelphia) and my in-laws (ditto), I’m ready to praise the birds so that I don’t have to eat crows later. Fly, Eagles fly!

Any tips, feedback, or other commentary? Send them my way [email protected]You can also follow @POLITICO Pro When @Morning CyberSec on Twitter. Full contact information for the team is below.

Would you like to receive this newsletter every week?apply Politico ProYou can also receive daily policy news and other information you need to address the biggest news of the day.

There is nothing terabyte-sized on the agenda.

At the board level — The cybersecurity and infrastructure security agency’s top priority for 2023 is to persuade companies to better secure their networks. This includes a potential laundry list of what should be included.

Businesses need to embrace the idea of ​​”corporate cyber responsibility,” Kiersten Todt, CISA chief of staff, told POLITICO in an interview with POLITICO on Friday at the agency’s headquarters in Arlington, Virginia. .

“Vehicle innovation has been a great asset, but with it came the responsibility of keeping the vehicle safe and secure,” said Todd. “Similarly, cyber stands for technology and innovation that all businesses benefit from.”

— You cannot order here: Emphasizing that he was talking about voluntary action by companies, Todt said CISA is considering developing guidelines to support it. This could include CISA creating a “set of best practices” on cybersecurity for boards and senior officials, she said.

“What we’re doing now is researching, researching, researching what makes the most sense to be able to put it in an easy and accessible way, and that’s what I’m doing. It’s something we can build,” said Todt. She emphasized, “This is not meant to be ‘you have to do’, it means ‘we have to work together’.”

Todt said CISA plans to involve the industry in developing guidelines and has not set a specific deadline for the initiative at this time.

— Teamwork makes dreams come true: Todd said CISA can work with other agencies, such as the Small Business Administration, to prioritize corporate cybersecurity and help smaller organizations get involved. Officially, the Internet Security Alliance and the National Association of Corporate Directors join the program along with CISA.

– Light of hope: Businesses are taking more interest in cybersecurity after a year when CISA, as part of its “Shields Up” campaign, helped critical infrastructure groups pay attention to potential threats from Russia. Todt noted that the effort acted as a “catalyst” for boards to invest more in cybersecurity, and the industry told CISA that cybersecurity, in particular, was at risk underway. said it made it clear that it did not want to “shield down” due to the ransomware attack. of greatest concern to Americans.

“People are now accepting this heightened alert level without real fatigue, because this is part of what we have to do,” Todd said. “It’s an element of this corporate cyber responsibility that allows us to work more with the industry to help demystify what we know.”

read full story (For pros!) Here.

Republicans pull straws for home country — An up-and-coming cyber congressman will lead an influential House committee overseeing CISA and efforts to protect the nation’s critical infrastructure.

Republican Rep. Andrew Galbarino (RN.Y.) will take the gavel to the House Homeland Security Committee’s subcommittee on cybersecurity and infrastructure protection, Republican leadership announced Friday.

Resume creation — The second-term member of Congress has been an active voice on cybersecurity issues since joining Congress, sponsoring or co-sponsoring 14 bills on the topic.

more proactive monitoring — Although Garbarino was in the minority, he frequently lobbied DHS and White House cyber officials to be more transparent about the administration’s cyber activities and to wrestle with congressional priorities.

For example, late last year Garbarino and Rep. Mike Gallagher (R-Wisconsin) asked the White House about how the government would maintain “economic continuity” if CISA: Pressured to comply with new laws directing plans to be drafted. Large-scale cyber attack.

GOP depth issue? — The four other Republicans nominated to the subcommittee have no background in cyber policy. Also, all are freshmen on Capitol Hill, with the exception of Galbarino and Rep. Carlos Jimenez (R-Florida), who is also his second term in Congress.

Similarly, Commissioner Mark Greene (R-TN) named securing a “cyber border” as one of the Commission’s top priorities, but neither Greene nor Vice-Chairman Michael Guest (R-N) Until now, we have not been proactive in addressing cybersecurity issues. .

Transatlantic Cyber ​​Collaboration — The US and EU are eyeing closer cooperation on cybersecurity governance, but both are paving the way for new and possibly inconsistent regulatory regimes.

In a joint statement released late Thursday, the DHS and the European Commission’s Directorate General for Communications Networks, Content and Technology were organized around information sharing and crisis response, critical infrastructure protection and hardware security. announced the launch of two cyber policy “workstreams”. and software.

next step — The statement highlighted a number of projects prioritized by EU and US officials ahead of the next EU-US cyber dialogue scheduled for late 2023.

These projects include examining ways to protect civilian space systems, finalizing a “working agreement” between CISA and the EU’s equivalent ENISA, harmonizing incident reporting regimes, and strengthening transatlantic threat sharing. including program development.

Trouble ahead? — The EU has been more active than the US on cyber regulation, raising questions about whether some of these initiatives will soon run into transatlantic headwinds.

For example, the EU’s newly revised Network and Information Security Directive (NIS2) designates cloud providers as essential entities, something US lawmakers have so far avoided. We also have stricter and more robust incident reporting, corporate governance, and vulnerability disclosure rules than their US counterparts.

Grab your horse, MC! — NIS2 will not begin full-scale operations until the fall of 2024, when the Member States meet their implementation deadline. In the meantime, the White House is gearing up for the release of a new National Cyber ​​Strategy. US company.

Russia blocked access to the State Department’s Rewards for Justice website, hours after they requested information about the operators of the Hive ransomware group?