CISA Addresses ‘Cyber Poor’ Small Biz, Local Government

CISA Addresses 'Cyber Poor' Small Biz, Local Government

Every day, attackers are targeting US small businesses, election offices, local government agencies, hospitals, and K–12 school systems, but most such organizations do not have the funding — or the dedicated resources — to defend themselves or even to know whether they are being attacked. 

The US Cybersecurity and Infrastructure Security Agency (CISA) aims to help these “cyber poor” places both to shore up their defenses and respond more quickly to attacks, Jen Easterly, director of CISA, told attendees at the sixth annual Hack the Capitol event in McLean, Va. on May 10. While the agency continues to work with government, large companies, and technology vendors on improving security, CISA aims to see how much it can help smaller organization fend off cyber threats as well.

The goal is to understand their needs, what they need to be able to invest in security, and where CISA can help them defend their capabilities, Easterly said. 

“How do we help a school district, can we help a small hospital, or help a water facility using … free services, using assessments, using things like our cyber hygiene, [and] vulnerability scanning?” she said. “Can we help them reduce threats? So we’re trying to spend a whole year doing this, and at the end of the year, we will see if we have been able to make any difference.”

The focus on smaller organizations acknowledges that often SMBs, local government agencies, and schools have been overlooked and not included in the push to create more resilient organizations. The government’s efforts to create public-private partnerships have typically focused on large companies and critical industries, but attackers — especially ransomware gangs — have hunted for smaller groups who do not have deep cybersecurity resources. Those groups are numerous — 99% of all businesses in the US have 250 employees or less, according to US Census data.

“We really tried to shift the paradigm from decades of public-private partnerships, which, frankly, were episodic and unidirectional and not necessarily the right type of mechanism that we needed to defend the country,” Easterly said. The idea is that “the private sector, with international partners, with state and local partners, should come together to create a tapestry of visibility that would allow us to better understand the threats and take down risks to the nation.”

Time for a Simpler, Easier Cybersecurity Framework

While the Cybersecurity Framework published by the National Institute of Standards and Technology (NIST) is considered the gold standard for creating a cybersecurity plan for a business, the document is hard to understand and implementation is difficult, Easterly said. CISA has thus introduced Cybersecurity Performance Goals (CPGs), which aim to be lower cost and lower effort goals that organizations can take to improve the cybersecurity posture.

“You don’t know how to use the NIST Cybersecurity Framework and so [if] you want a much simpler guide, you can actually take the CPGs in a checklist format, and then characterize them by cost complexity and speed,” she said. “CPGs have really helped in terms of, again, an easier, simpler metric that these entities can use to help drive down risks.”

Ransomware is a particular focus, since many small organizations have been hit by ransomware in the past five years. CISA has already created a vulnerability-warning pilot that enables the agency to scan private systems and provide the owner with information on the vulnerabilities in those systems. 

“We get those tips and we … let them know, ‘Hey … you’ve got this ransomware, you got this bad stuff on your network,'” she said. “‘You need to do something about it ASAP.'”

True Threats Still Cloudy

Overall, what’s the level of the threat to the cyber poor? Perhaps, surprisingly, the government does not have the answer. The balkanized structure of the Internet — a mishmash of private, educational, and government networks — means that visibility is limited, and no one has a complete picture, Easterly said. 

“The big question is how do you actually measure reduction of risk, which is hard because … we don’t understand the universe of how many events there are,” she said. “It’s all anecdotal — whatever numbers are out there, whatever studies are out there, whatever vendor — it’s all really just a guess.”

As we rush into a world where artificial intelligence is used as a way to consume and filter data, the level of information could get worse, because of AI hallucinations — statements made by machine-learning systems, such as large language models (LLMs) and ChatGPT, which sound authoritative, but are wrong.

Easterly pointed out that the design of the Internet never accounted for most of the threats that we have today, and that our approach to AI needs to be better.

“So you had an Internet full of viruses, you had social media full of disinformation, and now we have AI, which is sort of like an infantry lieutenant — frequently wrong, never in doubt,” she said. “So I think we need to be very, very mindful of making some of the mistakes with artificial intelligence that we’ve made with other technology.”