The Cybersecurity and Infrastructure Security Agency has made important strides in understanding cyber risks, collaborating with industry, and encouraging technology companies to make their products safer, according to Eric Goldstein, a retiring senior official at the agency. He said he thinks the agency still has more work to do, such as implementing rules for collecting cyber incident data.
Next month, Goldstein plans to step down from his position as CISA's chief of staff for cybersecurity, a job he has held since the start of the Biden administration. He spoke to CyberScoop on Thursday about his work at the agency and what's next.
“I think there’s really great momentum and wind in this agency,” he said.
On the personal front, Mr. Goldstein said he will soon join the private sector in “an industry cybersecurity leadership role,” but that role has not yet been announced.
There are three areas in which he is “particularly proud” of CISA's progress.
One is “the ability to actually understand cybersecurity risks and use that understanding to drive change,” he said, listing initiatives such as CyberSentry, a threat detection program in which CISA partners with critical infrastructure owners and operators. “A few years ago, we couldn't be confident that we understood the risks and relative risks within government and across sectors,” he said.
Another is working with industry toward cooperation with more operational value, such as the Joint Cyber Defense Collaborative, he said. The program, which has sometimes been a source of criticism of CISA, “is the first thing I'd like to say publicly… it's an emerging thing and it's going to continue to mature,” Goldstein said, adding that it has no meaningful impact. He added that he believes he has made progress.
The third is CISA's Secure-by-Design initiative, which seeks to place more of the cybersecurity burden on product developers rather than the organizations using the products. “I think we’ve really changed the perspective of the community in a way that drives real and lasting change,” Goldstein said.
He said CISA's position will be further strengthened if it fully implements the regulations that Congress has written under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).
“Having a set of generalizable cyber incident data for the first time to understand trends that not only help victims, but also more effectively share and drive investment will help the industry and the world in cybersecurity. It will be a huge change for us,” he said. Some in the industry and Congress are concerned that the program will impose excessive burdens on owners and operators of critical infrastructure. “The implementation of CIRCIA will be very important as expectations are very high,” Goldstein said.
Other important work the agency must complete includes focusing on the safe development and deployment of artificial intelligence, he said.
One of the key lessons he learned upon leaving government was “the need to remain humble in our ability to anticipate and anticipate changes in technology and the threat environment,” he said, pointing to the Russia-Ukraine conflict as showing the unpredictability of the threats that arise.
Other factors include the need for cooperation and “the critical nature of people,” he said. While cyber is often thought of as technology-centric, Goldstein says, “Ultimately it's about the people who make the decisions, design the systems, implement the systems, and choose where to invest.”