The Cybersecurity and Infrastructure Security Agency (CISA)’s new Strategic Plan for 2024-2026, aligned with the National Cybersecurity Strategy, provides some general indications about what federal agencies, civilian support agencies, and critical infrastructure companies can expect in the next three fiscal years.
As CISA forges ahead with its cybersecurity strategy, it will be changing aspects of its operations for efficiency, expanding both foreign and domestic partnerships, and bolstering internal capabilities, among other moves.
CISA retains lead role in National Cybersecurity Strategy, but with improved delegation of responsibility
At only about half a decade old, CISA has already become the country’s lead coordinator for matters of critical national defense in cyberspace. While the agency remains in a leadership role in the U.S. National Cybersecurity Strategy, its plans for the near future hinge on empowering a broader range of players and providing them with the tools and support to take greater shares of responsibility.
One of CISA’s immediate areas of concern is government and civilian entities that are heavily targeted but lack the resources to defend themselves. Assistance for these entities looks to be taking several forms, among them government-funded support services, improved collaboration and intelligence-sharing programs, and implementation of scalable systems.
The strategic plan also seems to indicate that more “hacking back” and aggressive action can be expected against foreign threats. Numerous ransomware and data extortion groups have already been more actively targeted in this way, but it remains to be seen to what degree this will be applied to suspected nation-state attackers (particularly in the wake of the discovery that Chinese hackers may have planted malware throughout military systems in preparation for a possible armed conflict over Taiwan).
Ransomware, espionage and potential military conflicts are not the only things on the table; the strategic plan also calls for more research and investment into the impacts of quantum computing and climate change (both of which are expected to have effects that remain years out and very unclear). The cybersecurity strategy is also calling for further development of a digital identity ecosystem, likely tied into the federal push for “zero trust” architecture throughout agencies.
2024-2026 strategic plan calls for improved “security by design” in critical products, greater end user transparency
If a device manufacturer wants their products used in support of CISA’s National Critical Functions (NCFs), they will likely soon be facing greater pressure to bake in “security by design” principles and to be clearer about the software content and potential vulnerabilities of their offerings. A new smart device labeling program that has just been announced provides something of an example, though it is more consumer-focused than something specifically slated for the nation’s cybersecurity strategy.
CISA’s moves are not all about prodding other organizations and agencies into greater responsibility for the strategic plan, however. The agency looks to bolster its own role in the overall cybersecurity strategy by improving its analytics tools, methods and overall visibility into emerging threats. CISA’s budget request for 2024 is $3.1 billion, a 4.9% increase.